Analysis
- max time kernel: 144s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-02-2022 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Resource: win10v2004-en-20220113
General
- Target: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Size: 610KB
- MD5: b3a27137bfa9f92fe6b4cc7f0aaf08f4
- SHA1: 266e5d674bd1fe6135bd74658bb8a1d58777bbe0
- SHA256: 37c712662321d51383b50cc3973ba187706384859c6ff4f9e43e8be3c9e6dfe4
- SHA512: 2aec6a1ffd6a1df55ca456ed80b42b28f10f98ab11ab1cfefad29529037e433a7cb527ab081fbcddcf38c70adf2b0bbb484e936f42a5720fbfc2943b7d96a37a
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://nanyainc.cf/
- Port: 21
- Username: [email protected]
- Password: 7qB+iH=KrUUT
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Neshta
Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
-
AgentTesla Payload 4 IoCs
Processes:
- resource: behavioral1/memory/1200-69-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
- resource: behavioral1/memory/1200-68-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
- resource: behavioral1/memory/1200-70-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
- resource: behavioral1/memory/1200-72-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
-
Executes dropped EXE 2 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 432, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 1200, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Loads dropped DLL 3 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 1744, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 1744, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 432, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: PID 432 set thread context of 1200
  pid: 432
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: File opened for modification
  ioc: C:\Windows\svchost.com
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 1200, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- pid: 1200, process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: Token: SeDebugPrivilege
  pid: 1200
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: PID 1744 wrote to memory of 432 (listed 4 times)
  pid: 1744
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- description: PID 432 wrote to memory of 1200 (listed 9 times)
  pid: 432
  process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
Processes
"C:\Users\Admin\AppData\Local\Temp\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe" (PID: 1744)
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe" (PID: 432)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe" (PID: 1200)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads