Analysis
-
max time kernel
130s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 03:26
Behavioral task
behavioral1
Sample
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe
Resource
win10v2004-20221111-en
General
-
Target
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe
-
Size
381KB
-
MD5
149924bd9dd9d34c6ee49f58843e44a9
-
SHA1
7eabff27b0162dee877ada28b14db624685818f9
-
SHA256
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2
-
SHA512
7eb4f440d670c45ba5ee1a5c16d7234ecfe979fb930afed84df671bec6281a8528192f3a84d200a2d566d1c2748a101295b4d31276458b8cf9ebae3c449e159d
-
SSDEEP
6144:SpnVW0KxSqgG0szKp48Pz9oGzH5piuyyrlirifuCsKF2aJH17goLpY4h71QzH1T2:mVWrYpsK4iz9nzvlLZULXgHp24UzVWNV
Malware Config
Signatures
-
Detect Blackmoon payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1076-60-0x00000000033B0000-0x0000000003420000-memory.dmp family_blackmoon behavioral1/memory/1076-61-0x00000000033B0000-0x0000000003420000-memory.dmp family_blackmoon behavioral1/memory/1076-66-0x00000000033B0000-0x0000000003420000-memory.dmp family_blackmoon behavioral1/memory/1940-78-0x0000000002350000-0x00000000023C0000-memory.dmp family_blackmoon behavioral1/memory/1940-85-0x00000000049A0000-0x0000000004BE2000-memory.dmp family_blackmoon behavioral1/memory/1940-102-0x00000000049A0000-0x0000000004BE2000-memory.dmp family_blackmoon -
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1076-105-0x0000000010000000-0x0000000010017000-memory.dmp family_gh0strat -
Processes:
resource yara_rule \Users\Public\Documents\Applicationrcjcms.exe aspack_v212_v242 C:\Users\Public\Documents\Applicationrcjcms.exe aspack_v212_v242 \Users\Public\Documents\Applicationrcjcms.exe aspack_v212_v242 -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
Applicationrcjcms.exepid process 1940 Applicationrcjcms.exe -
Loads dropped DLL 2 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exepid process 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationrcjcm.exe" 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exedescription ioc process File opened (read-only) \??\I: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\N: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\O: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\S: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\X: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\Y: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\E: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\G: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\K: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\T: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\B: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\F: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\L: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\M: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\Q: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\Z: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\H: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\J: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\P: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\R: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\U: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\V: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe File opened (read-only) \??\W: 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Applicationrcjcms.exedescription pid process target process PID 1940 set thread context of 1720 1940 Applicationrcjcms.exe dxdiag.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exeApplicationrcjcms.exedxdiag.exepid process 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1940 Applicationrcjcms.exe 1940 Applicationrcjcms.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1720 dxdiag.exe 1720 dxdiag.exe 1720 dxdiag.exe 1720 dxdiag.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exepid process 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 1604 DllHost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exeApplicationrcjcms.exedxdiag.exepid process 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1940 Applicationrcjcms.exe 1940 Applicationrcjcms.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe 1720 dxdiag.exe 1720 dxdiag.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exepid process 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exeApplicationrcjcms.exedxdiag.exedescription pid process target process PID 1076 wrote to memory of 1940 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Applicationrcjcms.exe PID 1076 wrote to memory of 1940 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Applicationrcjcms.exe PID 1076 wrote to memory of 1940 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Applicationrcjcms.exe PID 1076 wrote to memory of 1940 1076 86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe Applicationrcjcms.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1940 wrote to memory of 1720 1940 Applicationrcjcms.exe dxdiag.exe PID 1720 wrote to memory of 1948 1720 dxdiag.exe cmd.exe PID 1720 wrote to memory of 1948 1720 dxdiag.exe cmd.exe PID 1720 wrote to memory of 1948 1720 dxdiag.exe cmd.exe PID 1720 wrote to memory of 1948 1720 dxdiag.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe"C:\Users\Admin\AppData\Local\Temp\86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\Applicationrcjcms.exeC:\Users\Public\Documents\Applicationrcjcms.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\dxdiag.exec:\windows\system32\dxdiag.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.execmd.exe /c rd "C:\Users\Admin\AppData\Roaming\gqkkpkzn\" /s /q4⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\50272360\gconfig.jpgFilesize
596B
MD5529b5a3ca9dae94a324c56d9d892ea20
SHA190fc87b5591b11ddc9bb41048df2308a03f1ef09
SHA256359799480d3d49a6acd999b6c2d8f15aca444c3770c45e42a46f161784a8b41e
SHA512649124b134f70a91253e8cb96d792c5b05320411350b9395fb5b5fb9a311ecb0198ada7f1c102b1784f1cb8a2f63854a20a70dae3b5a94e872c9128464ac4b8c
-
C:\Users\Admin\AppData\Local\Temp\86199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2.jpgFilesize
77KB
MD51056902d0ac18740147a3b5e2d646d93
SHA1b811a8bdce5af1a581d475c3ba9aa77c92564656
SHA2563f9d54ae39c0a1119631ee605bb43cbb1965fe1c1652c0485e981aee74a57153
SHA512dfe81bc239aae188a643ddca378168bdabf47c1e7ab6716b5db8fa2dbad07c6efd17a26c14a1e9e2008932f0122be66138ef922ee5859c7242ff2ef56be14484
-
C:\Users\Admin\AppData\Local\Temp\qxx.zipFilesize
25B
MD51419fe2ce5effdb4e2b826ad579043b6
SHA1e3c2d092b31727ee0acac58adc1092c9499a4d6f
SHA256a95fee534d75fbb2caf696bcb03adf84cdf80a0c913fbac73d367c2f54b08ecf
SHA51271804a4f51180b69c4714413df56fbea153d01a16f7281a096daded3a27f7cc0fe02d48416cf9f18715df0fd7cd9e10201635c9886d411243cc5676810ee0e4c
-
C:\Users\Public\Documents\Applicationrcjcms.exeFilesize
381KB
MD5149924bd9dd9d34c6ee49f58843e44a9
SHA17eabff27b0162dee877ada28b14db624685818f9
SHA25686199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2
SHA5127eb4f440d670c45ba5ee1a5c16d7234ecfe979fb930afed84df671bec6281a8528192f3a84d200a2d566d1c2748a101295b4d31276458b8cf9ebae3c449e159d
-
C:\Users\Public\Documents\kjhhytFilesize
2KB
MD57943effe67a4647e06def2348949020e
SHA1eabd561f0639a975de259633f63896d82c3f878d
SHA2563fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa
SHA512c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003
-
C:\Users\Public\Documents\qxxback.datFilesize
41B
MD54357d98472361c991c9ce16819103475
SHA11d38f831be96d52d7f9d062d68c29e4bf25480db
SHA256e434538e1ba143ac6b34b9600b86a665bf53d21c9fce452e0724fcdb3ce69158
SHA5128ddde79a4f373862ae45d70ad93bb4816d6cc0cd13f1549ce117411bf8bc16ec2276bdaf1ab3fbf6b4288d9c0a14612fe4d85145bf2f598b97896938ff32556d
-
C:\Users\Public\Documents\sjsw.logFilesize
227B
MD53ca1ec31e511cffb2898d2abd6dcfa28
SHA14e01b20893f1c36a43fb458fffbfdb03ec4321d0
SHA25626bdbfec568ae904ee8f2445c016b58f955df724311a9d6355e14f95a495eaec
SHA512b924074ef01d43167799266131115c990700b739724c54f6e84631e9a479b894c335506b7fa0228d95003af75f07bbcf76a656321ed35ab6779cbb84dc624923
-
C:\Users\Public\Documents\sjsw.logFilesize
221B
MD5288bda8d423da8256dd7bf999d352e69
SHA1ebbd6ec15664df88b93b0f6be945da6bd65bf587
SHA256ab8a9c35324beedf3ccd7d911f95c79c71781c4ca757f28596fca76afa950a75
SHA51274654af295786e54046ed0d293c3e8b0d8d21c77e5a747d4163b403da0506016d699d9dc59cb82c08146791434a6ffd9afd6af571f28c14d072c310b93a8d6eb
-
\Users\Public\Documents\Applicationrcjcms.exeFilesize
381KB
MD5149924bd9dd9d34c6ee49f58843e44a9
SHA17eabff27b0162dee877ada28b14db624685818f9
SHA25686199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2
SHA5127eb4f440d670c45ba5ee1a5c16d7234ecfe979fb930afed84df671bec6281a8528192f3a84d200a2d566d1c2748a101295b4d31276458b8cf9ebae3c449e159d
-
\Users\Public\Documents\Applicationrcjcms.exeFilesize
381KB
MD5149924bd9dd9d34c6ee49f58843e44a9
SHA17eabff27b0162dee877ada28b14db624685818f9
SHA25686199e3bb77549db526a2780727223842860d3e840d51123b705850261232db2
SHA5127eb4f440d670c45ba5ee1a5c16d7234ecfe979fb930afed84df671bec6281a8528192f3a84d200a2d566d1c2748a101295b4d31276458b8cf9ebae3c449e159d
-
memory/1076-66-0x00000000033B0000-0x0000000003420000-memory.dmpFilesize
448KB
-
memory/1076-101-0x00000000044F0000-0x000000000513A000-memory.dmpFilesize
12.3MB
-
memory/1076-64-0x0000000004370000-0x00000000044F0000-memory.dmpFilesize
1.5MB
-
memory/1076-115-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-62-0x0000000001E60000-0x0000000001E63000-memory.dmpFilesize
12KB
-
memory/1076-61-0x00000000033B0000-0x0000000003420000-memory.dmpFilesize
448KB
-
memory/1076-113-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-55-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-56-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-108-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1076-60-0x00000000033B0000-0x0000000003420000-memory.dmpFilesize
448KB
-
memory/1076-105-0x0000000010000000-0x0000000010017000-memory.dmpFilesize
92KB
-
memory/1076-59-0x00000000033B0000-0x0000000003420000-memory.dmpFilesize
448KB
-
memory/1076-58-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-57-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-104-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1076-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmpFilesize
8KB
-
memory/1076-83-0x00000000044F0000-0x000000000513A000-memory.dmpFilesize
12.3MB
-
memory/1076-84-0x0000000003FE0000-0x00000000040F0000-memory.dmpFilesize
1.1MB
-
memory/1720-110-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-90-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-87-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-88-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-100-0x00000000004B6CA7-mapping.dmp
-
memory/1720-93-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-96-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1720-98-0x0000000000400000-0x00000000005A0000-memory.dmpFilesize
1.6MB
-
memory/1940-78-0x0000000002350000-0x00000000023C0000-memory.dmpFilesize
448KB
-
memory/1940-82-0x0000000001F50000-0x0000000001F53000-memory.dmpFilesize
12KB
-
memory/1940-81-0x0000000002350000-0x0000000002385000-memory.dmpFilesize
212KB
-
memory/1940-86-0x0000000003310000-0x0000000003357000-memory.dmpFilesize
284KB
-
memory/1940-102-0x00000000049A0000-0x0000000004BE2000-memory.dmpFilesize
2.3MB
-
memory/1940-103-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1940-75-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1940-72-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1940-74-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1940-85-0x00000000049A0000-0x0000000004BE2000-memory.dmpFilesize
2.3MB
-
memory/1940-73-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1940-69-0x0000000000000000-mapping.dmp
-
memory/1948-114-0x0000000000000000-mapping.dmp