Analysis
-
max time kernel
170s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2022 13:32
Static task
static1
Behavioral task
behavioral1
Sample
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe
Resource
win10v2004-20221111-en
General
-
Target
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe
-
Size
7.4MB
-
MD5
ea11c9608570a4e275e7a2c4b5558688
-
SHA1
70efacc502254cae66df460137f10bede1cdfeb4
-
SHA256
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
-
SHA512
9970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
SSDEEP
196608:Q+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYe:bRWEU+1OP6+X+oYe
Malware Config
Extracted
amadey
3.50
85.209.135.109/jg94cVd30f/index.php
Extracted
systembc
89.22.236.225:4193
176.124.205.5:4193
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exerundll32.exeflow pid process 79 3944 rundll32.exe 92 5044 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
gntuud.exegntuud.exegntuud.exeavicapn32.exeumciavi32.exegntuud.exepid process 1444 gntuud.exe 2112 gntuud.exe 4544 gntuud.exe 2984 avicapn32.exe 3100 umciavi32.exe 4824 gntuud.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exegntuud.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation gntuud.exe -
Loads dropped DLL 3 IoCs
Processes:
rundll32.exerundll32.exepid process 3944 rundll32.exe 3944 rundll32.exe 5044 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
gntuud.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avicapn32.exe = "C:\\Users\\Admin\\1000018002\\avicapn32.exe" gntuud.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll = "rundll32 C:\\Users\\Admin\\1000019012\\syncfiles.dll, rundll" gntuud.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\umciavi32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000021000\\umciavi32.exe" gntuud.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exegntuud.exegntuud.exerundll32.exegntuud.exeavicapn32.exerundll32.exegntuud.exepid process 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe 1444 gntuud.exe 1444 gntuud.exe 2112 gntuud.exe 2112 gntuud.exe 3944 rundll32.exe 3944 rundll32.exe 4544 gntuud.exe 4544 gntuud.exe 2984 avicapn32.exe 2984 avicapn32.exe 5044 rundll32.exe 5044 rundll32.exe 4824 gntuud.exe 4824 gntuud.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exegntuud.exegntuud.exerundll32.exegntuud.exerundll32.exeavicapn32.exegntuud.exepid process 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe 1444 gntuud.exe 1444 gntuud.exe 2112 gntuud.exe 2112 gntuud.exe 3944 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 4544 gntuud.exe 4544 gntuud.exe 3944 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 5044 rundll32.exe 5044 rundll32.exe 2984 avicapn32.exe 2984 avicapn32.exe 4824 gntuud.exe 4824 gntuud.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exegntuud.execmd.exedescription pid process target process PID 1240 wrote to memory of 1444 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe gntuud.exe PID 1240 wrote to memory of 1444 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe gntuud.exe PID 1240 wrote to memory of 1444 1240 3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe gntuud.exe PID 1444 wrote to memory of 312 1444 gntuud.exe schtasks.exe PID 1444 wrote to memory of 312 1444 gntuud.exe schtasks.exe PID 1444 wrote to memory of 312 1444 gntuud.exe schtasks.exe PID 1444 wrote to memory of 4012 1444 gntuud.exe cmd.exe PID 1444 wrote to memory of 4012 1444 gntuud.exe cmd.exe PID 1444 wrote to memory of 4012 1444 gntuud.exe cmd.exe PID 4012 wrote to memory of 320 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 320 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 320 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 3568 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 3568 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 3568 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 3552 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 3552 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 3552 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2772 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 2772 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 2772 4012 cmd.exe cmd.exe PID 4012 wrote to memory of 2736 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2736 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2736 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2096 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2096 4012 cmd.exe cacls.exe PID 4012 wrote to memory of 2096 4012 cmd.exe cacls.exe PID 1444 wrote to memory of 3944 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 3944 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 3944 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 2984 1444 gntuud.exe avicapn32.exe PID 1444 wrote to memory of 2984 1444 gntuud.exe avicapn32.exe PID 1444 wrote to memory of 2984 1444 gntuud.exe avicapn32.exe PID 1444 wrote to memory of 5044 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 5044 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 5044 1444 gntuud.exe rundll32.exe PID 1444 wrote to memory of 3100 1444 gntuud.exe umciavi32.exe PID 1444 wrote to memory of 3100 1444 gntuud.exe umciavi32.exe PID 1444 wrote to memory of 3100 1444 gntuud.exe umciavi32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe"C:\Users\Admin\AppData\Local\Temp\3a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\03bd543fce" /P "Admin:N"&&CACLS "..\03bd543fce" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Users\Admin\1000018002\avicapn32.exe"C:\Users\Admin\1000018002\avicapn32.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000019012\syncfiles.dll, rundll3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
C:\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
7.4MB
MD5ea11c9608570a4e275e7a2c4b5558688
SHA170efacc502254cae66df460137f10bede1cdfeb4
SHA2563a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
SHA5129970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
7.4MB
MD5ea11c9608570a4e275e7a2c4b5558688
SHA170efacc502254cae66df460137f10bede1cdfeb4
SHA2563a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
SHA5129970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
7.4MB
MD5ea11c9608570a4e275e7a2c4b5558688
SHA170efacc502254cae66df460137f10bede1cdfeb4
SHA2563a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
SHA5129970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
7.4MB
MD5ea11c9608570a4e275e7a2c4b5558688
SHA170efacc502254cae66df460137f10bede1cdfeb4
SHA2563a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
SHA5129970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
7.4MB
MD5ea11c9608570a4e275e7a2c4b5558688
SHA170efacc502254cae66df460137f10bede1cdfeb4
SHA2563a9172d328fe0ba9c3aa3b754ffaa9fca58e98831d82d10d57894eb25945255b
SHA5129970126c5d87d429f5edce88acb243ee52ae65077d3bc15e71e8e30a75ba5d2bd25408ddf7271248fd3c97ff9a4e40f0cb572a121e9ff5306526842f40097525
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
1.6MB
MD5b66347e9a4018f257a6bf1941b4a5d60
SHA10f4a358ad14e441f74c634054d798e6be2da476d
SHA256d74bf0394de0ad2adcfd7ecc96711bac682f3749f8953701eefc596b8c11dd36
SHA512eab7414a3d2ed2aab80eb4452e8b30b6e7481e7cb48bdb986450196ea8695008f7b26d3ee423934a0d6b30650ccd3e50b64cc979723d9df2df31052875c04695
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
1.6MB
MD5b66347e9a4018f257a6bf1941b4a5d60
SHA10f4a358ad14e441f74c634054d798e6be2da476d
SHA256d74bf0394de0ad2adcfd7ecc96711bac682f3749f8953701eefc596b8c11dd36
SHA512eab7414a3d2ed2aab80eb4452e8b30b6e7481e7cb48bdb986450196ea8695008f7b26d3ee423934a0d6b30650ccd3e50b64cc979723d9df2df31052875c04695
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
memory/312-145-0x0000000000000000-mapping.dmp
-
memory/320-147-0x0000000000000000-mapping.dmp
-
memory/1240-132-0x0000000000740000-0x00000000012BD000-memory.dmpFilesize
11.5MB
-
memory/1240-136-0x0000000000740000-0x00000000012BD000-memory.dmpFilesize
11.5MB
-
memory/1240-140-0x0000000000740000-0x00000000012BD000-memory.dmpFilesize
11.5MB
-
memory/1240-133-0x0000000000740000-0x00000000012BD000-memory.dmpFilesize
11.5MB
-
memory/1444-153-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/1444-137-0x0000000000000000-mapping.dmp
-
memory/1444-141-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/1444-144-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/2096-152-0x0000000000000000-mapping.dmp
-
memory/2112-156-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/2112-159-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/2112-155-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/2736-151-0x0000000000000000-mapping.dmp
-
memory/2772-150-0x0000000000000000-mapping.dmp
-
memory/2984-173-0x0000000000000000-mapping.dmp
-
memory/2984-184-0x0000000000130000-0x0000000000D7E000-memory.dmpFilesize
12.3MB
-
memory/2984-185-0x0000000000130000-0x0000000000D7E000-memory.dmpFilesize
12.3MB
-
memory/2984-176-0x0000000000130000-0x0000000000D7E000-memory.dmpFilesize
12.3MB
-
memory/3100-180-0x0000000000000000-mapping.dmp
-
memory/3552-149-0x0000000000000000-mapping.dmp
-
memory/3568-148-0x0000000000000000-mapping.dmp
-
memory/3944-165-0x00000000024B0000-0x0000000003069000-memory.dmpFilesize
11.7MB
-
memory/3944-164-0x00000000024B0000-0x0000000003069000-memory.dmpFilesize
11.7MB
-
memory/3944-167-0x00000000024B0000-0x0000000003069000-memory.dmpFilesize
11.7MB
-
memory/3944-160-0x0000000000000000-mapping.dmp
-
memory/4012-146-0x0000000000000000-mapping.dmp
-
memory/4544-172-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/4544-169-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/4824-187-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/4824-190-0x0000000000C60000-0x00000000017DD000-memory.dmpFilesize
11.5MB
-
memory/5044-177-0x0000000000000000-mapping.dmp
-
memory/5044-183-0x0000000010000000-0x0000000010B6B000-memory.dmpFilesize
11.4MB