Analysis
- max time kernel: 110s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-01-2021 09:20

Static task: static1

Behavioral task: behavioral1
- Sample: Enq No 34 22-01-2021.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Enq No 34 22-01-2021.exe
- Resource: win10v20201028
General
- Target: Enq No 34 22-01-2021.exe
- Size: 15KB
- MD5: 8fd66b905336c204a24de3e7273fb835
- SHA1: b8a9c7b99ccffbc8b1905d58fb27efe5b1f7bd4d
- SHA256: 69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
- SHA512: 5a1814d8826f561331f512dc6211b4cfaed5d6b0b51ac9cc92b15c1b058e321a1f119c6f99eca61cc70b3cbff0b1eb651ebac60fe83592180ca37f2c6d0af007
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: noor.akbari@petrolnas.icu
- Password: @Mexico1.,
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Enq No 34 22-01-2021.exe\"" | Enq No 34 22-01-2021.exe
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/640-10-0x00000000062B0000-0x0000000006315000-memory.dmp | family_agenttesla
behavioral2/memory/2332-36-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/2332-37-0x000000000043747E-mapping.dmp | family_agenttesla
behavioral2/memory/1928-45-0x000000000043747E-mapping.dmp | family_agenttesla
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Enq No 34 22-01-2021.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Enq No 34 22-01-2021.exe
-
Drops startup file 2 IoCs
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe = "0" | Enq No 34 22-01-2021.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Enq No 34 22-01-2021.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe = "0" | Enq No 34 22-01-2021.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | Enq No 34 22-01-2021.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | Enq No 34 22-01-2021.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Enq No 34 22-01-2021.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enq No 34 22-01-2021.exe" | Enq No 34 22-01-2021.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enq No 34 22-01-2021.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enq No 34 22-01-2021.exe" | Enq No 34 22-01-2021.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Enq No 34 22-01-2021.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Enq No 34 22-01-2021.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | Enq No 34 22-01-2021.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
Processes:
Enq No 34 22-01-2021.exe
pid | process
640 | Enq No 34 22-01-2021.exe (row repeated 15 times)
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
Enq No 34 22-01-2021.exe
description | pid | process | target process
PID 640 set thread context of 2332 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
PID 640 set thread context of 1928 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
PID 640 set thread context of 1740 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
PID 640 set thread context of 3580 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
Enq No 34 22-01-2021.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, Enq No 34 22-01-2021.exe
pid | process
640 | Enq No 34 22-01-2021.exe
2704 | powershell.exe
3812 | powershell.exe
3748 | powershell.exe
2204 | powershell.exe
2332 | Enq No 34 22-01-2021.exe
2332 | Enq No 34 22-01-2021.exe
2204 | powershell.exe
2704 | powershell.exe
3812 | powershell.exe
3748 | powershell.exe
3812 | powershell.exe
2704 | powershell.exe
2204 | powershell.exe
3748 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Enq No 34 22-01-2021.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, Enq No 34 22-01-2021.exe
description | pid | process
Token: SeDebugPrivilege | 640 | Enq No 34 22-01-2021.exe
Token: SeDebugPrivilege | 3812 | powershell.exe
Token: SeDebugPrivilege | 3748 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2332 | Enq No 34 22-01-2021.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Enq No 34 22-01-2021.exe
pid | process
2332 | Enq No 34 22-01-2021.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
Enq No 34 22-01-2021.exe
description | pid | process | target process
PID 640 wrote to memory of 2204 | 640 | Enq No 34 22-01-2021.exe | powershell.exe (row repeated 3 times)
PID 640 wrote to memory of 2704 | 640 | Enq No 34 22-01-2021.exe | powershell.exe (row repeated 3 times)
PID 640 wrote to memory of 3812 | 640 | Enq No 34 22-01-2021.exe | powershell.exe (row repeated 3 times)
PID 640 wrote to memory of 3748 | 640 | Enq No 34 22-01-2021.exe | powershell.exe (row repeated 3 times)
PID 640 wrote to memory of 2332 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe (row repeated 8 times)
PID 640 wrote to memory of 1928 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe (row repeated 8 times)
PID 640 wrote to memory of 1740 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe (row repeated 8 times)
PID 640 wrote to memory of 3580 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe (row repeated 8 times)
PID 640 wrote to memory of 4168 | 640 | Enq No 34 22-01-2021.exe | Enq No 34 22-01-2021.exe (row repeated 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
"C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"

    C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"

    C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"

    C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads