Analysis
-
max time kernel
86s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2022 06:19
Static task
static1
Behavioral task
behavioral1
Sample
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe
Resource
win10v2004-20220721-en
General
-
Target
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe
-
Size
831KB
-
MD5
b6eb62288ca782e26d71236994995d57
-
SHA1
ed5080d2301df02600b3ec0d3e4de91541bb32e8
-
SHA256
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f
-
SHA512
0b2f11dd857390155a8520aaa64693bae19caa67b27da8026937f2aec491861da761841e9c309142b1a0e7d3aa87d13ac1be0904481ed8be9dbf48be1b9276fd
Malware Config
Extracted
djvu
http://acacaca.org/test2/get.php
-
extension
.vvyu
-
offline_id
rE5LpDv2ftYRXAo7bC18EpzfRMTHSGjgfyIMfZt1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-QsoSRIeAK6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0531Jhyjd
Signatures
-
Detected Djvu ransomware 10 IoCs
Processes:
resource yara_rule behavioral1/memory/4680-131-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4680-132-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1736-134-0x00000000023B0000-0x00000000024CB000-memory.dmp family_djvu behavioral1/memory/4680-135-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4680-136-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4680-140-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4664-143-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4664-145-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4664-150-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4664-151-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
build2.exebuild2.exepid process 3148 build2.exe 3152 build2.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4f94771b-3544-4389-90a9-60fa436cc1c6\\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe\" --AutoStart" 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 api.2ip.ua 19 api.2ip.ua 27 api.2ip.ua -
Suspicious use of SetThreadContext 3 IoCs
Processes:
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exebuild2.exedescription pid process target process PID 1736 set thread context of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 set thread context of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 3148 set thread context of 3152 3148 build2.exe build2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
build2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exebuild2.exepid process 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 4664 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 4664 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 3152 build2.exe 3152 build2.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exebuild2.exedescription pid process target process PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 1736 wrote to memory of 4680 1736 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 4680 wrote to memory of 3248 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe icacls.exe PID 4680 wrote to memory of 3248 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe icacls.exe PID 4680 wrote to memory of 3248 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe icacls.exe PID 4680 wrote to memory of 444 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 4680 wrote to memory of 444 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 4680 wrote to memory of 444 4680 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 444 wrote to memory of 4664 444 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe PID 4664 wrote to memory of 3148 4664 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe build2.exe PID 4664 wrote to memory of 3148 4664 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe build2.exe PID 4664 wrote to memory of 3148 4664 45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe PID 3148 wrote to memory of 3152 3148 build2.exe build2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\4f94771b-3544-4389-90a9-60fa436cc1c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe"C:\Users\Admin\AppData\Local\Temp\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exe"C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exe"C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
2KB
MD5eba45bc75daf7421d4767f04582068ca
SHA1e2d2b46d3780a8b7cdde6e542430f0da28684ce8
SHA25687f79123a6048371f5e4eccca848509ff8315dea4be740c8480fe945c02b4f38
SHA5120c081c029224806b1f1f200da673a9554e5d40756736f9ca8bc073c25703092c6d1e72a2fd971b41bedeba26e6ca9fa85486df39f852505925a49d8b94e0e330
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD54f74b1c3f52834fb5d5d0946410f286a
SHA1e8b1734733535d236f422c282271e97b784b5261
SHA25656b6f9f565e620e3cc377ac2265180c96efff2844f11cbb229eef977327869f1
SHA512b84101ebe8570b2f0ecbefafcf58b941100ac6efc9cbbfc711e57bedf6cb6fc62141bd2d66c34f4b316568948ff6448c96ddef2cfde625965a9ea5968beefb2c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
488B
MD53e4ef29cd1de943981bd9435ee45ac72
SHA169583b8a61dae202d406fb5d2df9f275d7c9edec
SHA25658c4af63f7211c810347d75ae0325991eb8720849128ccd5d3cc5efee326bf1c
SHA512bdac65ff54ef12e3cbf66b6cd154677d84861a7201564c06856e27b3ac91ac18ac8ede4be23a283a5d015429868de917a2f20866deada28cc528850f670c289a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
396B
MD521c8d349ac19efb6e10e57d1bd16873a
SHA1cb6b7a1352997980d6dd3f717dd1b3bbab5ad001
SHA256044220854711204698c6ecf3d6fd131a72bb2a57377097747c698562ab714c17
SHA51291296102fef2a311202d1cf4b56f5b63433a314d4c49735d7efd3ef232726fe9142429b338cab6d3e88cdaf7bbfedaae3bbc9acb5a4d00d577f50fb8c9b1d5ea
-
C:\Users\Admin\AppData\Local\4f94771b-3544-4389-90a9-60fa436cc1c6\45376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f.exeFilesize
831KB
MD5b6eb62288ca782e26d71236994995d57
SHA1ed5080d2301df02600b3ec0d3e4de91541bb32e8
SHA25645376600c8e5307a742d759f359c63a8bcfff11cd45b1ac6d01e1c76a4fa632f
SHA5120b2f11dd857390155a8520aaa64693bae19caa67b27da8026937f2aec491861da761841e9c309142b1a0e7d3aa87d13ac1be0904481ed8be9dbf48be1b9276fd
-
C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exeFilesize
438KB
MD52f3d0323ba962334ef87ed098ad02289
SHA15b4c70e331af83eaf384f45a01e322b094353375
SHA25612a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3
SHA5121e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3
-
C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exeFilesize
438KB
MD52f3d0323ba962334ef87ed098ad02289
SHA15b4c70e331af83eaf384f45a01e322b094353375
SHA25612a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3
SHA5121e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3
-
C:\Users\Admin\AppData\Local\e9438ebc-ba64-45ca-b4c9-880e4384a0c9\build2.exeFilesize
438KB
MD52f3d0323ba962334ef87ed098ad02289
SHA15b4c70e331af83eaf384f45a01e322b094353375
SHA25612a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3
SHA5121e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3
-
memory/444-144-0x000000000219E000-0x0000000002230000-memory.dmpFilesize
584KB
-
memory/444-139-0x0000000000000000-mapping.dmp
-
memory/1736-133-0x000000000227D000-0x000000000230F000-memory.dmpFilesize
584KB
-
memory/1736-134-0x00000000023B0000-0x00000000024CB000-memory.dmpFilesize
1.1MB
-
memory/3148-159-0x00000000005DD000-0x0000000000606000-memory.dmpFilesize
164KB
-
memory/3148-161-0x0000000001FA0000-0x0000000001FE6000-memory.dmpFilesize
280KB
-
memory/3148-152-0x0000000000000000-mapping.dmp
-
memory/3152-155-0x0000000000000000-mapping.dmp
-
memory/3152-164-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/3152-163-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3152-162-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3152-156-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3152-160-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3152-158-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3248-137-0x0000000000000000-mapping.dmp
-
memory/4664-143-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4664-151-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4664-150-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4664-141-0x0000000000000000-mapping.dmp
-
memory/4664-145-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4680-130-0x0000000000000000-mapping.dmp
-
memory/4680-136-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4680-135-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4680-131-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4680-132-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4680-140-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB