Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-11-2021 20:19
Static task: static1
Behavioral task: behavioral1
- Sample: 61d62155465f85f8fc4d44a89e7ae831.exe
- Resource: win7-en-20211014
General
- Target: 61d62155465f85f8fc4d44a89e7ae831.exe
- Size: 907KB
- MD5: 61d62155465f85f8fc4d44a89e7ae831
- SHA1: 10e1e0c049b58ff662f960a3e5270bfb97c9868b
- SHA256: d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290
- SHA512: b77514d0de8c8582a3773fd76b82049bdc8dbba090827531ff1452d6729bc74eeb389f69701bf38b8b45a7fcebec62d12c26d5abab7e0516bb5cf78dc7dbeb24
Malware Config
Extracted
xloader
2.5
rqan
http://www.cardboutiqueapp.com/rqan/
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource: behavioral1/memory/736-68-0x0000000000000000-mapping.dmp; yara_rule: xloader
resource: behavioral1/memory/736-71-0x0000000072480000-0x00000000724A9000-memory.dmp; yara_rule: xloader
resource: behavioral1/memory/1640-78-0x0000000000080000-0x00000000000A9000-memory.dmp; yara_rule: xloader
-
Executes dropped EXE 1 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
pid: 1076; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Loads dropped DLL 3 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
pid: 1240; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ounanmse = "C:\\Users\\Public\\Libraries\\esmnanuO.url"; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: mobsync.exe, cmd.exe
description: PID 736 set thread context of 1268; pid: 736; process: mobsync.exe; target process: Explorer.EXE
description: PID 1640 set thread context of 1268; pid: 1640; process: cmd.exe; target process: Explorer.EXE
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
description: File opened for modification; ioc: C:\Windows\svchost.com; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"; process: 61d62155465f85f8fc4d44a89e7ae831.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes: mobsync.exe, cmd.exe
pid: 736; process: mobsync.exe
pid: 1640; process: cmd.exe
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: mobsync.exe, cmd.exe
pid: 736; process: mobsync.exe
pid: 1640; process: cmd.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: mobsync.exe, cmd.exe
description: Token: SeDebugPrivilege; pid: 736; process: mobsync.exe
description: Token: SeDebugPrivilege; pid: 1640; process: cmd.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 61d62155465f85f8fc4d44a89e7ae831.exe, 61d62155465f85f8fc4d44a89e7ae831.exe, Explorer.EXE
description: PID 1240 wrote to memory of 1076; pid: 1240; process: 61d62155465f85f8fc4d44a89e7ae831.exe; target process: 61d62155465f85f8fc4d44a89e7ae831.exe
description: PID 1076 wrote to memory of 736; pid: 1076; process: 61d62155465f85f8fc4d44a89e7ae831.exe; target process: mobsync.exe
description: PID 1268 wrote to memory of 1640; pid: 1268; process: Explorer.EXE; target process: cmd.exe
Processes
-
C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious use of WriteProcessMemory
PID: 1268
-
  C:\Users\Admin\AppData\Local\Temp\61d62155465f85f8fc4d44a89e7ae831.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61d62155465f85f8fc4d44a89e7ae831.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1240
  -
    C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1076
    -
      C:\Windows\SysWOW64\mobsync.exe
      command line: C:\Windows\System32\mobsync.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 736
  -
  C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\SysWOW64\cmd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 1640
Downloads