Analysis
-
max time kernel
144s -
max time network
93s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Resource
win7-20220901-en
General
-
Target
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
-
Size
225KB
-
MD5
7b7efe9132956a5517e1e6b7ee89d302
-
SHA1
308f11a98895940845ef9a5af333bcc1d9f38260
-
SHA256
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded
-
SHA512
87d85fcc0b1d1e42a89a39ece64051269d7e75c9bc366f940059d33cf8b551f0d342537c2eb46a75549472ad5418c1f8691b42c8d5c0b728dfc7a631c74f7b99
-
SSDEEP
6144:WAsBZRjd0+yiRUeq2KdtlHrsk9/u6r89sMT3QrEY:m5+iRUefKzlHrbtu6rJMbQD
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sau79ky9c79e.exe\DisableExceptionChainValidation b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "hcgyxlolft.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sau79ky9c79e.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 4 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exepid process 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\sau79ky9c79e.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\sau79ky9c79e.exe\"" explorer.exe -
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exedescription ioc process File created C:\ProgramData\Windows Search 5.3.10\desktop.ini b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe File opened for modification C:\ProgramData\Windows Search 5.3.10\desktop.ini b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exepid process 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exedescription pid process target process PID 1380 set thread context of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
explorer.exepid process 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exepid process 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe 760 explorer.exe 760 explorer.exe 760 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exepid process 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exedescription pid process Token: SeDebugPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeRestorePrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeBackupPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeLoadDriverPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeCreatePagefilePrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeShutdownPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeTakeOwnershipPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeChangeNotifyPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeCreateTokenPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeMachineAccountPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeSecurityPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeAssignPrimaryTokenPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeCreateGlobalPrivilege 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: 33 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe Token: SeDebugPrivilege 760 explorer.exe Token: SeRestorePrivilege 760 explorer.exe Token: SeBackupPrivilege 760 explorer.exe Token: SeLoadDriverPrivilege 760 explorer.exe Token: SeCreatePagefilePrivilege 760 explorer.exe Token: SeShutdownPrivilege 760 explorer.exe Token: SeTakeOwnershipPrivilege 760 explorer.exe Token: SeChangeNotifyPrivilege 760 explorer.exe Token: SeCreateTokenPrivilege 760 explorer.exe Token: SeMachineAccountPrivilege 760 explorer.exe Token: SeSecurityPrivilege 760 explorer.exe Token: SeAssignPrimaryTokenPrivilege 760 explorer.exe Token: SeCreateGlobalPrivilege 760 explorer.exe Token: 33 760 explorer.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeb94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exedescription pid process target process PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 1380 wrote to memory of 820 1380 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 820 wrote to memory of 760 820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe explorer.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1144 760 explorer.exe Dwm.exe PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 1212 760 explorer.exe Explorer.EXE PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe PID 760 wrote to memory of 960 760 explorer.exe DllHost.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dllFilesize
4KB
MD5d9a3fc12d56726dde60c1ead1df366f7
SHA1f531768159c14f07ac896437445652b33750a237
SHA256401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA5126b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dllFilesize
4KB
MD5d9a3fc12d56726dde60c1ead1df366f7
SHA1f531768159c14f07ac896437445652b33750a237
SHA256401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA5126b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dllFilesize
4KB
MD5d9a3fc12d56726dde60c1ead1df366f7
SHA1f531768159c14f07ac896437445652b33750a237
SHA256401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA5126b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\dotations.dllFilesize
19KB
MD5cae5dfec13610999c9d2ae836dbe57ec
SHA17dc43e60e03d1dd8348c9328b56ad0546c26ca45
SHA256999e4591567c5537a36759f15108f1c3279cecdc88e520a6086269e67f73a76a
SHA5126549aedd952797db3875d69e7bf96dc4b4aa530131d56600b78e4dca237c5ea86fd3a3a358fa1ad15175ee98535e5dcc05277f0ab819969f1451372122c1a082
-
memory/760-78-0x0000000000000000-mapping.dmp
-
memory/760-87-0x0000000000090000-0x000000000012C000-memory.dmpFilesize
624KB
-
memory/760-86-0x0000000077210000-0x0000000077390000-memory.dmpFilesize
1.5MB
-
memory/760-84-0x00000000003A0000-0x00000000003AC000-memory.dmpFilesize
48KB
-
memory/760-83-0x0000000000090000-0x000000000012C000-memory.dmpFilesize
624KB
-
memory/760-82-0x0000000077210000-0x0000000077390000-memory.dmpFilesize
1.5MB
-
memory/760-80-0x00000000746B1000-0x00000000746B3000-memory.dmpFilesize
8KB
-
memory/820-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-61-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-69-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-71-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-72-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/820-74-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-75-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/820-76-0x0000000000300000-0x000000000030D000-memory.dmpFilesize
52KB
-
memory/820-77-0x0000000000500000-0x000000000050C000-memory.dmpFilesize
48KB
-
memory/820-67-0x00000000004015C6-mapping.dmp
-
memory/820-66-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-81-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/820-65-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-62-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-59-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/820-60-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1212-85-0x0000000002680000-0x0000000002686000-memory.dmpFilesize
24KB
-
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB