Analysis
-
max time kernel
61s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-07-2021 23:42
Static task
static1
Behavioral task
behavioral1
Sample
6EA14E473644F3BEA03782F41D7C5246.exe
Resource
win7v20210408
General
-
Target
6EA14E473644F3BEA03782F41D7C5246.exe
-
Size
696KB
-
MD5
6ea14e473644f3bea03782f41d7c5246
-
SHA1
3be05d9f18b574c5c4eea2f8ab8160c470553aeb
-
SHA256
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
-
SHA512
7fcb2c62bd9d4a569ce0fd788068bfab133595d8ef54957aa5ed4295b1988a92c7d62fdd465e2c34152f02e39a022015ac2868c4b97df1327862d41c60885f59
Malware Config
Extracted
pony
http://fuckoff.av.com/gate.php
http://mrson.dan.al/sddob/gate.php
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 608 created 2644 608 WerFault.exe Explorer.EXE -
Executes dropped EXE 3 IoCs
Processes:
lsass.exelsass.exelsass.exepid process 3552 lsass.exe 3828 lsass.exe 4076 lsass.exe -
Processes:
resource yara_rule behavioral2/memory/3352-117-0x0000000000400000-0x0000000000420000-memory.dmp upx behavioral2/memory/3352-129-0x0000000000400000-0x0000000000420000-memory.dmp upx -
Drops startup file 1 IoCs
Processes:
6EA14E473644F3BEA03782F41D7C5246.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe 6EA14E473644F3BEA03782F41D7C5246.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 7 IoCs
Processes:
6EA14E473644F3BEA03782F41D7C5246.exe6EA14E473644F3BEA03782F41D7C5246.exelsass.exelsass.exedescription pid process target process PID 860 set thread context of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 set thread context of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 set thread context of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3552 set thread context of 3828 3552 lsass.exe lsass.exe PID 3828 set thread context of 4076 3828 lsass.exe lsass.exe PID 3552 set thread context of 740 3552 lsass.exe lsass.exe PID 3552 set thread context of 740 3552 lsass.exe lsass.exe -
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2084 860 WerFault.exe 6EA14E473644F3BEA03782F41D7C5246.exe 608 2644 WerFault.exe Explorer.EXE 496 3696 WerFault.exe 1244 3552 WerFault.exe lsass.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
WerFault.exeExplorer.EXEWerFault.exeWerFault.exepid process 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2084 WerFault.exe 2644 Explorer.EXE 2644 Explorer.EXE 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 1244 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe 496 WerFault.exe -
Suspicious behavior: MapViewOfSection 16 IoCs
Processes:
lsass.exeexplorer.exeExplorer.EXElsass.exepid process 4076 lsass.exe 3164 explorer.exe 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 2644 Explorer.EXE 3552 lsass.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
6EA14E473644F3BEA03782F41D7C5246.exeWerFault.exe6EA14E473644F3BEA03782F41D7C5246.exelsass.exeExplorer.EXEWerFault.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1436 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 2084 WerFault.exe Token: SeBackupPrivilege 2084 WerFault.exe Token: SeImpersonatePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeTcbPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeChangeNotifyPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeCreateTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeBackupPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeIncreaseQuotaPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeAssignPrimaryTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeDebugPrivilege 2084 WerFault.exe Token: SeImpersonatePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeTcbPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeChangeNotifyPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeCreateTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeBackupPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeIncreaseQuotaPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeAssignPrimaryTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeImpersonatePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeTcbPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeChangeNotifyPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeCreateTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeBackupPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeIncreaseQuotaPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeAssignPrimaryTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeImpersonatePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeTcbPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeChangeNotifyPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeCreateTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeBackupPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeIncreaseQuotaPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeAssignPrimaryTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeImpersonatePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeTcbPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeChangeNotifyPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeCreateTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeBackupPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeRestorePrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeIncreaseQuotaPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeAssignPrimaryTokenPrivilege 3692 6EA14E473644F3BEA03782F41D7C5246.exe Token: SeDebugPrivilege 4076 lsass.exe Token: SeShutdownPrivilege 2644 Explorer.EXE Token: SeCreatePagefilePrivilege 2644 Explorer.EXE Token: SeShutdownPrivilege 2644 Explorer.EXE Token: SeCreatePagefilePrivilege 2644 Explorer.EXE Token: SeDebugPrivilege 2644 Explorer.EXE Token: SeDebugPrivilege 1244 WerFault.exe Token: SeDebugPrivilege 496 WerFault.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
6EA14E473644F3BEA03782F41D7C5246.exe6EA14E473644F3BEA03782F41D7C5246.exelsass.exelsass.exepid process 860 6EA14E473644F3BEA03782F41D7C5246.exe 3352 6EA14E473644F3BEA03782F41D7C5246.exe 3552 lsass.exe 3828 lsass.exe -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
6EA14E473644F3BEA03782F41D7C5246.exe6EA14E473644F3BEA03782F41D7C5246.exe6EA14E473644F3BEA03782F41D7C5246.exelsass.exelsass.exelsass.exedescription pid process target process PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3352 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3352 wrote to memory of 1436 3352 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 1436 wrote to memory of 3552 1436 6EA14E473644F3BEA03782F41D7C5246.exe lsass.exe PID 1436 wrote to memory of 3552 1436 6EA14E473644F3BEA03782F41D7C5246.exe lsass.exe PID 1436 wrote to memory of 3552 1436 6EA14E473644F3BEA03782F41D7C5246.exe lsass.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 860 wrote to memory of 3692 860 6EA14E473644F3BEA03782F41D7C5246.exe 6EA14E473644F3BEA03782F41D7C5246.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 3828 3552 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 3828 wrote to memory of 4076 3828 lsass.exe lsass.exe PID 4076 wrote to memory of 3164 4076 lsass.exe explorer.exe PID 4076 wrote to memory of 3164 4076 lsass.exe explorer.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe PID 3552 wrote to memory of 740 3552 lsass.exe lsass.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe8⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 5446⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"C:\Users\Admin\AppData\Local\Temp\6EA14E473644F3BEA03782F41D7C5246.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 4843⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2644 -s 34122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3696 -s 9041⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exeMD5
6ea14e473644f3bea03782f41d7c5246
SHA13be05d9f18b574c5c4eea2f8ab8160c470553aeb
SHA256c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
SHA5127fcb2c62bd9d4a569ce0fd788068bfab133595d8ef54957aa5ed4295b1988a92c7d62fdd465e2c34152f02e39a022015ac2868c4b97df1327862d41c60885f59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exeMD5
6ea14e473644f3bea03782f41d7c5246
SHA13be05d9f18b574c5c4eea2f8ab8160c470553aeb
SHA256c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
SHA5127fcb2c62bd9d4a569ce0fd788068bfab133595d8ef54957aa5ed4295b1988a92c7d62fdd465e2c34152f02e39a022015ac2868c4b97df1327862d41c60885f59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exeMD5
6ea14e473644f3bea03782f41d7c5246
SHA13be05d9f18b574c5c4eea2f8ab8160c470553aeb
SHA256c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
SHA5127fcb2c62bd9d4a569ce0fd788068bfab133595d8ef54957aa5ed4295b1988a92c7d62fdd465e2c34152f02e39a022015ac2868c4b97df1327862d41c60885f59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exeMD5
6ea14e473644f3bea03782f41d7c5246
SHA13be05d9f18b574c5c4eea2f8ab8160c470553aeb
SHA256c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
SHA5127fcb2c62bd9d4a569ce0fd788068bfab133595d8ef54957aa5ed4295b1988a92c7d62fdd465e2c34152f02e39a022015ac2868c4b97df1327862d41c60885f59
-
memory/860-114-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/860-152-0x0000000002280000-0x00000000022A3000-memory.dmpFilesize
140KB
-
memory/1436-121-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1436-122-0x0000000000401000-mapping.dmp
-
memory/2084-150-0x00000000065C0000-0x00000000065D1000-memory.dmpFilesize
68KB
-
memory/2084-149-0x0000000006520000-0x0000000006538000-memory.dmpFilesize
96KB
-
memory/2340-147-0x00000267976D0000-0x00000267976F7000-memory.dmpFilesize
156KB
-
memory/2644-144-0x0000000000C60000-0x0000000000C72000-memory.dmpFilesize
72KB
-
memory/2644-143-0x0000000000C30000-0x0000000000C57000-memory.dmpFilesize
156KB
-
memory/2644-151-0x0000000002C30000-0x0000000002C31000-memory.dmpFilesize
4KB
-
memory/3164-146-0x0000000000300000-0x0000000000327000-memory.dmpFilesize
156KB
-
memory/3164-141-0x0000000000000000-mapping.dmp
-
memory/3352-129-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3352-118-0x000000000041DE40-mapping.dmp
-
memory/3352-117-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3552-154-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/3552-153-0x0000000000600000-0x000000000074A000-memory.dmpFilesize
1.3MB
-
memory/3552-123-0x0000000000000000-mapping.dmp
-
memory/3692-131-0x0000000000410028-mapping.dmp
-
memory/3692-130-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3692-132-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3828-134-0x000000000041DE40-mapping.dmp
-
memory/4076-139-0x0000000000401000-mapping.dmp
-
memory/4076-145-0x0000000000420000-0x00000000004CE000-memory.dmpFilesize
696KB
-
memory/4076-142-0x0000000000420000-0x00000000004CE000-memory.dmpFilesize
696KB