Analysis
max time kernel: 432s
max time network: 437s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 09:29
Static task: static1
Behavioral task: behavioral1
Sample: LB3_ReflectiveDll_DllMain-cyt.dll
Resource: win7-20220901-en
General
Target: LB3_ReflectiveDll_DllMain-cyt.dll
Size: 2.0MB
MD5: a0238fac8e650339116bbb380066d949
SHA1: fcd5d98edcc42d320694185c7224a8168b1e8db2
SHA256: 5428902b4c844160cb0ee6282a078cbf24d87d46b061ede83ef21682d474cc15
SHA512: 5cc4adad36858a340edff775cc46d2b16515a919231cd4a8cb75929fd2ac02e2037a00c7a4c5620af05e5d842ea5f8a04ef7e2597cdddeb35f23465fac36f48d
SSDEEP: 24576:As6VSLLsktePr7vfObQywjVhK6at0EO1Z/wMmM6z/OQb2iZIiylxvl6tqbSwbWV:xgSLJmXviQyK/F1x6DBUN6Dq0
Malware Config
Extracted
C:\1GLtau6EZ.README.txt
filedecryptionsupport@msgsafe.io
https://t.me/bl00dy_Ransomware_Gang
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
-
Executes dropped EXE 1 IoCs
Processes: 53EB.tmp
pid | process
1900 | 53EB.tmp
-
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ExpandGet.png.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\ShowGrant.tiff | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\ShowGrant.tiff.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\UpdateGet.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\UnblockExit.tif.1GLtau6EZ | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\UpdateGet.tiff.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\StopSet.tiff | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\PushUnregister.raw.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\StopSet.tiff.1GLtau6EZ | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\MountGrant.raw.1GLtau6EZ | rundll32.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
-
Deletes itself 1 IoCs
Processes: 53EB.tmp
pid | process
1900 | 53EB.tmp
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
820 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: rundll32.exe, 53EB.tmp
pid | process
820 | rundll32.exe
1900 | 53EB.tmp
-
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes: rundll32.exe
pid | process
820 | rundll32.exe
-
Suspicious behavior: RenamesItself 26 IoCs
Processes: 53EB.tmp
pid | process
1900 | 53EB.tmp
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: rundll32.exe
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 820 | rundll32.exe
Token: SeBackupPrivilege | 820 | rundll32.exe
Token: SeDebugPrivilege | 820 | rundll32.exe
Token: 36 | 820 | rundll32.exe
Token: SeImpersonatePrivilege | 820 | rundll32.exe
Token: SeIncBasePriorityPrivilege | 820 | rundll32.exe
Token: SeIncreaseQuotaPrivilege | 820 | rundll32.exe
Token: 33 | 820 | rundll32.exe
Token: SeManageVolumePrivilege | 820 | rundll32.exe
Token: SeProfSingleProcessPrivilege | 820 | rundll32.exe
Token: SeRestorePrivilege | 820 | rundll32.exe
Token: SeSecurityPrivilege | 820 | rundll32.exe
Token: SeSystemProfilePrivilege | 820 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 820 | rundll32.exe
Token: SeShutdownPrivilege | 820 | rundll32.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: rundll32.exe, rundll32.exe, 53EB.tmp
description | pid | process | target process
PID 1260 wrote to memory of 820 | 1260 | rundll32.exe | rundll32.exe
PID 820 wrote to memory of 1900 | 820 | rundll32.exe | 53EB.tmp
PID 1900 wrote to memory of 1936 | 1900 | 53EB.tmp | cmd.exe
Processes
-
[1] C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LB3_ReflectiveDll_DllMain-cyt.dll,#1
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Modifies extensions of user files
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
    [3] C:\ProgramData\53EB.tmp
        "C:\ProgramData\53EB.tmp"
        - Executes dropped EXE
        - Deletes itself
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\53EB.tmp >> NUL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\53EB.tmp
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf