Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-12-2021 08:39
Static task
static1
Behavioral task
behavioral1
Sample
7516ac47b4adfef609f6ce4dc1dd809c.exe
Resource
win7-en-20211208
General
-
Target
7516ac47b4adfef609f6ce4dc1dd809c.exe
-
Size
549KB
-
MD5
7516ac47b4adfef609f6ce4dc1dd809c
-
SHA1
81d93a74a813e4d2231bf4b06762090d520a5145
-
SHA256
e657e5580f64554a920f5460edc2a1ae4179b183f7a2adbd613f0e877839bdb4
-
SHA512
a49542a69ee2ee53ce5ef8db071c80aac38e8eb3a81c025a88229e431c990964dbf7011bdde20240665d791c038cef5cd1c43e02e1367b9ee9c4b4c01c42770b
Malware Config
Extracted
xloader
2.5
ea0r
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
asiapubz-hk.com
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1096-62-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1096-63-0x000000000041D410-mapping.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exe7516ac47b4adfef609f6ce4dc1dd809c.exepid process 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 1096 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Loads dropped DLL 4 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exe7516ac47b4adfef609f6ce4dc1dd809c.exepid process 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exedescription pid process target process PID 896 set thread context of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Drops file in Program Files directory 64 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exedescription ioc process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Drops file in Windows directory 1 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exedescription ioc process File opened for modification C:\Windows\svchost.com 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_1 \Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_2 \Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_1 \Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe nsis_installer_2 -
Modifies registry class 1 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exepid process 1096 7516ac47b4adfef609f6ce4dc1dd809c.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
7516ac47b4adfef609f6ce4dc1dd809c.exe7516ac47b4adfef609f6ce4dc1dd809c.exedescription pid process target process PID 1692 wrote to memory of 896 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 1692 wrote to memory of 896 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 1692 wrote to memory of 896 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 1692 wrote to memory of 896 1692 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe PID 896 wrote to memory of 1096 896 7516ac47b4adfef609f6ce4dc1dd809c.exe 7516ac47b4adfef609f6ce4dc1dd809c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7516ac47b4adfef609f6ce4dc1dd809c.exe"C:\Users\Admin\AppData\Local\Temp\7516ac47b4adfef609f6ce4dc1dd809c.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exeMD5
ca0d7b52d537773db4598a25fdf5cf22
SHA1f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA51258b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exeMD5
ca0d7b52d537773db4598a25fdf5cf22
SHA1f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA51258b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exeMD5
ca0d7b52d537773db4598a25fdf5cf22
SHA1f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA51258b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exeMD5
ca0d7b52d537773db4598a25fdf5cf22
SHA1f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA51258b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
-
\Users\Admin\AppData\Local\Temp\3582-490\7516ac47b4adfef609f6ce4dc1dd809c.exeMD5
ca0d7b52d537773db4598a25fdf5cf22
SHA1f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA51258b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
-
\Users\Admin\AppData\Local\Temp\nsiF73B.tmp\ynieoukx.dllMD5
7c9a18a000849851c8e34fe6e1e88b21
SHA1ffd0b9cd7b469be2f15ce836076ff21c88ee3a2d
SHA25680f12b6475767dd4cd6271fd6e213317230ce5814909c9b21e132cacae3952c6
SHA5125e62ee3116a13fe3fcaf137329f02825be17ed2385c43a227b9b5f7f59b09636de0f85ee778b31f1c87b67afd786a6f62d5c79acc85caad32ebde0ce24cd9c9a
-
memory/896-56-0x0000000000000000-mapping.dmp
-
memory/1096-62-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1096-63-0x000000000041D410-mapping.dmp
-
memory/1096-65-0x00000000006E0000-0x00000000009E3000-memory.dmpFilesize
3.0MB
-
memory/1692-54-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB