Analysis
-
max time kernel
184s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 12:59
Static task
static1
Behavioral task
behavioral1
Sample
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe
Resource
win7-20221111-en
General
-
Target
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe
-
Size
315KB
-
MD5
6a862dc51bdf3cb9cbcff57bb592546c
-
SHA1
51f4bce1b1196e85146bec83a6549763af3f334c
-
SHA256
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf
-
SHA512
14d8ae5a44e1e1ca0c72e2cb0763f32b24698c0e1219c1e6c6d4b47874f5908678694501e3d20ba0eff149c8c0b0a79447adcddca0f8d665472947edc1f0e267
-
SSDEEP
6144:OAsBZxLA8ivLPhyqaShRf9OpRb9tDia3BjoybPDhk8Ni6F9D3qAPqUvtPTiI:SL7iTPhbAp9rznbr5i6F9TFLiI
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7ey7c5eqy15wm.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7ey7c5eqy15wm.exe\DisableExceptionChainValidation 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "onxtc.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 1 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exepid process 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\7ey7c5eqy15wm.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\7ey7c5eqy15wm.exe\"" explorer.exe -
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exedescription ioc process File created C:\ProgramData\Windows Search 5.3.10\desktop.ini 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe File opened for modification C:\ProgramData\Windows Search 5.3.10\desktop.ini 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exepid process 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exedescription pid process target process PID 1668 set thread context of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
explorer.exepid process 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exepid process 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 808 explorer.exe 808 explorer.exe 808 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exepid process 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exedescription pid process Token: SeDebugPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeRestorePrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeBackupPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeLoadDriverPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeCreatePagefilePrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeShutdownPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeTakeOwnershipPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeChangeNotifyPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeCreateTokenPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeMachineAccountPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeSecurityPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeAssignPrimaryTokenPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeCreateGlobalPrivilege 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: 33 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe Token: SeDebugPrivilege 808 explorer.exe Token: SeRestorePrivilege 808 explorer.exe Token: SeBackupPrivilege 808 explorer.exe Token: SeLoadDriverPrivilege 808 explorer.exe Token: SeCreatePagefilePrivilege 808 explorer.exe Token: SeShutdownPrivilege 808 explorer.exe Token: SeTakeOwnershipPrivilege 808 explorer.exe Token: SeChangeNotifyPrivilege 808 explorer.exe Token: SeCreateTokenPrivilege 808 explorer.exe Token: SeMachineAccountPrivilege 808 explorer.exe Token: SeSecurityPrivilege 808 explorer.exe Token: SeAssignPrimaryTokenPrivilege 808 explorer.exe Token: SeCreateGlobalPrivilege 808 explorer.exe Token: 33 808 explorer.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exeexplorer.exedescription pid process target process PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 1668 wrote to memory of 336 1668 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 336 wrote to memory of 808 336 4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe explorer.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1192 808 explorer.exe Dwm.exe PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1284 808 explorer.exe Explorer.EXE PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe PID 808 wrote to memory of 1096 808 explorer.exe DllHost.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nso2178.tmp\Maurois.dllFilesize
196KB
MD505db9e17519dbffe3c4dbb038ec686b1
SHA1be88fcf4047938903d1fa6953cf7661c7798f179
SHA256ea388ed5b8039160d784f24ef2f8d92e5cee8b9caf6de3a1c9924564550f8248
SHA51229097003d49074b07d9677d3d8d17246222f08300e8871bf3bc0b936c6f1d2dab83eff5f7df40dd68389a70b431ff7e5a8d738b780ab175d11efb94d2b37f0ac
-
memory/336-70-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-59-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-72-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-58-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-73-0x0000000000260000-0x000000000026D000-memory.dmpFilesize
52KB
-
memory/336-60-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-62-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-74-0x0000000001F80000-0x0000000001F8C000-memory.dmpFilesize
48KB
-
memory/336-64-0x00000000004015C6-mapping.dmp
-
memory/336-66-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-67-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-82-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-57-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-56-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-81-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/808-77-0x0000000074F41000-0x0000000074F43000-memory.dmpFilesize
8KB
-
memory/808-78-0x00000000779F0000-0x0000000077B70000-memory.dmpFilesize
1.5MB
-
memory/808-79-0x0000000000090000-0x0000000000143000-memory.dmpFilesize
716KB
-
memory/808-80-0x00000000004D0000-0x00000000004DC000-memory.dmpFilesize
48KB
-
memory/808-75-0x0000000000000000-mapping.dmp
-
memory/808-83-0x00000000779F0000-0x0000000077B70000-memory.dmpFilesize
1.5MB
-
memory/808-84-0x0000000000090000-0x0000000000143000-memory.dmpFilesize
716KB
-
memory/1284-85-0x0000000002930000-0x0000000002936000-memory.dmpFilesize
24KB
-
memory/1668-54-0x0000000075931000-0x0000000075933000-memory.dmpFilesize
8KB