Analysis
- max time kernel: 80s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-05-2021 16:04
Static task: static1
Behavioral task: behavioral1
- Sample: FB06EC887642C3C5C23FB43D9F81C93A.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: FB06EC887642C3C5C23FB43D9F81C93A.exe
- Resource: win10v20210408
General
- Target: FB06EC887642C3C5C23FB43D9F81C93A.exe
- Size: 268KB
- MD5: fb06ec887642c3c5c23fb43d9f81c93a
- SHA1: 9fe8ef2fab3c34bd98fade711b8256e0511a1097
- SHA256: d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
- SHA512: 7443dd4992cdfdfec37dac2deca8bc85539bede8e1de792b64b8a88d6c4d6c81301ce43dfc28bb8839d03881a9a948a7f5da616540db97442685a2ed391cc4dd
Malware Config
Extracted
fickerstealer
truzen.site:80
Extracted
cryptbot
eosbej52.top
morwxi05.top
Extracted
redline
MIX 07.05
xisolenoy.xyz:80
Signatures
-
CryptBot Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2092-129-0x0000000002550000-0x0000000002631000-memory.dmp | family_cryptbot
behavioral2/memory/2092-130-0x0000000000400000-0x00000000008AF000-memory.dmp | family_cryptbot
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/840-144-0x00000000029A0000-0x00000000029BE000-memory.dmp | family_redline
behavioral2/memory/840-148-0x0000000004D90000-0x0000000004DAD000-memory.dmp | family_redline
-
fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
2888 | 27641234609.exe
1376 | 27641234609.exe
2092 | 61044119610.exe
2312 | 02035250095.exe
840 | edspolishpp.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2888 set thread context of 1376 | 2888 | 27641234609.exe | 27641234609.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 61044119610.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 02035250095.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 02035250095.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 27641234609.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 27641234609.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 61044119610.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
3400 | timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
3140 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1376 | 27641234609.exe
840 | edspolishpp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3140 | taskkill.exe
Token: SeDebugPrivilege | 840 | edspolishpp.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2092 | 61044119610.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
description | pid | process | target process
PID 624 wrote to memory of 3996 | 624 | FB06EC887642C3C5C23FB43D9F81C93A.exe | cmd.exe
PID 3996 wrote to memory of 2888 | 3996 | cmd.exe | 27641234609.exe
PID 2888 wrote to memory of 1376 | 2888 | 27641234609.exe | 27641234609.exe
PID 624 wrote to memory of 3176 | 624 | FB06EC887642C3C5C23FB43D9F81C93A.exe | cmd.exe
PID 3176 wrote to memory of 2092 | 3176 | cmd.exe | 61044119610.exe
PID 624 wrote to memory of 636 | 624 | FB06EC887642C3C5C23FB43D9F81C93A.exe | cmd.exe
PID 636 wrote to memory of 2312 | 636 | cmd.exe | 02035250095.exe
PID 624 wrote to memory of 4004 | 624 | FB06EC887642C3C5C23FB43D9F81C93A.exe | cmd.exe
PID 4004 wrote to memory of 3140 | 4004 | cmd.exe | taskkill.exe
PID 2312 wrote to memory of 840 | 2312 | 02035250095.exe | edspolishpp.exe
PID 2092 wrote to memory of 2888 | 2092 | 61044119610.exe | cmd.exe
PID 2888 wrote to memory of 3400 | 2888 | cmd.exe | timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe "C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe" 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\27641234609.exe" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\27641234609.exe "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\27641234609.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\27641234609.exe "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\27641234609.exe" 4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\61044119610.exe" /mix 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\61044119610.exe "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\61044119610.exe" /mix 3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\CvbNMOdrsPgMJ & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\61044119610.exe" 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe timeout 3 5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\02035250095.exe" /mix 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\02035250095.exe "C:\Users\Admin\AppData\Local\Temp\{zKuz-n5Qhp-BxoU-TgJGw}\02035250095.exe" /mix 3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe edspolishpp.exe 4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "FB06EC887642C3C5C23FB43D9F81C93A.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe" & exit 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe taskkill /im "FB06EC887642C3C5C23FB43D9F81C93A.exe" /f 3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads