Analysis
max time kernel: 152s
max time network: 202s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 07:43
Static task: static1
Behavioral task: behavioral1
Sample: 7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Resource: win7-20220812-en
General
Target: 7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Size: 596KB
MD5: 3bd0f5a04952c1f522e51b509c12a370
SHA1: 0c788da376cc061c393d9deec22b759c195020fb
SHA256: 7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0
SHA512: 838184f5f20ec29fda8965447be81eb254fb5f49c1468a83654a868ee7d8fcce75d651252f1781e3998810658d489498b5de2bd76c59c1f0cd051d671b05ad23
SSDEEP: 12288:ko0ZjcnNr3SP4Ybgob0vSZcVm/IMnfiNAKrObQnOxTYS:kPZjcnx64eIvFMIQ6PrOcnCYS
Malware Config
Extracted
pony
http://osinachi.site40.net/helo/gate.php
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
3080  bCnqnn.exe
Processes:
resource  yara_rule
behavioral2/memory/3028-139-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/3028-141-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/3028-142-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/3028-145-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/3588-155-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/3588-157-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/3588-158-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/3588-159-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/3028-164-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/3588-165-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/3588-166-0x0000000000400000-0x000000000041D000-memory.dmp  upx
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  WScript.exe
Modifies file permissions 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  svchost.exe
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  svchost.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description  pid  process  target process
PID 3080 set thread context of 3028  3080  bCnqnn.exe  svchost.exe
PID 3028 set thread context of 3588  3028  svchost.exe  svchost.exe
PID 3028 set thread context of 2448  3028  svchost.exe  svchost.exe
PID 3028 set thread context of 2216  3028  svchost.exe  svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
4204  2216        WerFault.exe  svchost.exe
3372  2448        WerFault.exe  svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
pid   process
3080  bCnqnn.exe
3028  svchost.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
description  pid  process
Token: SeImpersonatePrivilege  3588  svchost.exe
Token: SeTcbPrivilege  3588  svchost.exe
Token: SeChangeNotifyPrivilege  3588  svchost.exe
Token: SeCreateTokenPrivilege  3588  svchost.exe
Token: SeBackupPrivilege  3588  svchost.exe
Token: SeRestorePrivilege  3588  svchost.exe
Token: SeIncreaseQuotaPrivilege  3588  svchost.exe
Token: SeAssignPrimaryTokenPrivilege  3588  svchost.exe
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid   process
1344  7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid   process
1344  7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
3028  svchost.exe
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
description  pid  process  target process
PID 1344 wrote to memory of 3124  1344  7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe  cmd.exe
PID 3124 wrote to memory of 3080  3124  cmd.exe  bCnqnn.exe
PID 3080 wrote to memory of 3028  3080  bCnqnn.exe  svchost.exe
PID 3028 wrote to memory of 4368  3028  svchost.exe  schtasks.exe
PID 3028 wrote to memory of 4664  3028  svchost.exe  schtasks.exe
PID 3028 wrote to memory of 1124  3028  svchost.exe  cmd.exe
PID 1124 wrote to memory of 3800  1124  cmd.exe  icacls.exe
PID 3028 wrote to memory of 3588  3028  svchost.exe  svchost.exe
PID 3028 wrote to memory of 2448  3028  svchost.exe  svchost.exe
PID 3028 wrote to memory of 2216  3028  svchost.exe  svchost.exe
PID 2544 wrote to memory of 2980  2544  WScript.exe  cmd.exe
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe (depth 3)
          Command line: C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (depth 4)
              Command line: "C:\Windows\System32\svchost.exe"
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\schtasks.exe (depth 5)
                  Command line: schtasks /delete /tn WindowsUpdatepjgwzk0x8429524
                C:\Windows\SysWOW64\schtasks.exe (depth 5)
                  Command line: schtasks /create /sc minute /mo 1 /tn WindowsUpdatepjgwzk0x8429525 /tr "C:\ProgramData\pjgwzk\QyQhwE.vbs" /RL HIGHEST
                  - Creates scheduled task(s)
                C:\Windows\SysWOW64\cmd.exe (depth 5)
                  Command line: cmd /c icacls "C:\ProgramData\pjgwzk" /deny %username%:F
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\icacls.exe (depth 6)
                      Command line: icacls "C:\ProgramData\pjgwzk" /deny Admin:F
                      - Modifies file permissions
                C:\Windows\SysWOW64\svchost.exe (depth 5)
                  Command line: "C:\Windows\SysWOW64\svchost.exe"
                  - Accesses Microsoft Outlook accounts
                  - Accesses Microsoft Outlook profiles
                  - Suspicious use of AdjustPrivilegeToken
                  - outlook_win_path
                C:\Windows\SysWOW64\svchost.exe (depth 5)
                  Command line: "C:\Windows\SysWOW64\svchost.exe"
                    C:\Windows\SysWOW64\WerFault.exe (depth 6)
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 84
                      - Program crash
                C:\Windows\SysWOW64\svchost.exe (depth 5)
                  Command line: "C:\Windows\SysWOW64\svchost.exe"
                    C:\Windows\SysWOW64\WerFault.exe (depth 6)
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 84
                      - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2216 -ip 2216
C:\Windows\System32\WScript.exe (depth 1)
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\pjgwzk\\bCnqnn.exe C:\ProgramData\pjgwzk\\PjGWZk
C:\Windows\System32\WScript.exe (depth 1)
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
  - Checks computer location settings
Downloads
-
C:\ProgramData\pjgwzk\DRxCLH.txt
Filesize: 235KB
-
C:\ProgramData\pjgwzk\PjGWZk
Filesize: 7KB
-
C:\ProgramData\pjgwzk\QyQhwE.vbs
Filesize: 274B
-
C:\ProgramData\pjgwzk\bCnqnn.exe
Filesize: 510KB
-
C:\Users\Admin\AppData\Local\Temp\DRxCLH.txt
Filesize: 235KB
-
C:\Users\Admin\AppData\Local\Temp\PjGWZk
Filesize: 7KB
-
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize: 510KB