Analysis
-
max time kernel
65s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-05-2022 20:37
Static task
static1
Behavioral task
behavioral1
Sample
payment swift.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
payment swift.exe
Resource
win10v2004-20220414-en
General
-
Target
payment swift.exe
-
Size
929KB
-
MD5
c4cf28c1d5e4da94c3391b90cd91671d
-
SHA1
2c0db45e4852ab67255f78fe6921ada7a305244e
-
SHA256
433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c
-
SHA512
23590c2584a04127ec7c75f5f642a6884715390158b897e3617d4cbd536d6369388a0f3cce6d926ae7bf3e149d4cc8c99f82a35e340553421411d1c624506f39
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1524-73-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral1/memory/1524-74-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral1/memory/1524-76-0x0000000000481BDE-mapping.dmp family_masslogger behavioral1/memory/1524-75-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral1/memory/1524-78-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral1/memory/1524-80-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
payment swift.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\payment swift.exe\"" payment swift.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
payment swift.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation payment swift.exe -
Drops startup file 2 IoCs
Processes:
payment swift.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe payment swift.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe payment swift.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
payment swift.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe = "0" payment swift.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\payment swift.exe = "0" payment swift.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" payment swift.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths payment swift.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions payment swift.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" payment swift.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features payment swift.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection payment swift.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" payment swift.exe -
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
Processes:
payment swift.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook payment swift.exe Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
payment swift.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\payment swift.exe" payment swift.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment swift.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\payment swift.exe" payment swift.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 api.ipify.org -
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
payment swift.exepid process 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe 2016 payment swift.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
payment swift.exedescription pid process target process PID 2016 set thread context of 1524 2016 payment swift.exe payment swift.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1760 2016 WerFault.exe payment swift.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
payment swift.exepid process 1524 payment swift.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepayment swift.exepayment swift.exepowershell.exepid process 1312 powershell.exe 1564 powershell.exe 1164 powershell.exe 1604 powershell.exe 2016 payment swift.exe 2016 payment swift.exe 1524 payment swift.exe 1524 payment swift.exe 1524 payment swift.exe 1524 payment swift.exe 1988 powershell.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
payment swift.exepowershell.exepowershell.exepowershell.exepowershell.exepayment swift.exepowershell.exedescription pid process Token: SeDebugPrivilege 2016 payment swift.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 1604 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 1524 payment swift.exe Token: SeDebugPrivilege 1988 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
payment swift.exepid process 1524 payment swift.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
payment swift.exepayment swift.exedescription pid process target process PID 2016 wrote to memory of 1604 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1604 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1604 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1604 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1312 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1312 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1312 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1312 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1564 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1564 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1564 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1564 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1164 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1164 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1164 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1164 2016 payment swift.exe powershell.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1524 2016 payment swift.exe payment swift.exe PID 2016 wrote to memory of 1760 2016 payment swift.exe WerFault.exe PID 2016 wrote to memory of 1760 2016 payment swift.exe WerFault.exe PID 2016 wrote to memory of 1760 2016 payment swift.exe WerFault.exe PID 2016 wrote to memory of 1760 2016 payment swift.exe WerFault.exe PID 1524 wrote to memory of 1988 1524 payment swift.exe powershell.exe PID 1524 wrote to memory of 1988 1524 payment swift.exe powershell.exe PID 1524 wrote to memory of 1988 1524 payment swift.exe powershell.exe PID 1524 wrote to memory of 1988 1524 payment swift.exe powershell.exe -
outlook_office_path 1 IoCs
Processes:
payment swift.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe -
outlook_win_path 1 IoCs
Processes:
payment swift.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment swift.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment swift.exe"C:\Users\Admin\AppData\Local\Temp\payment swift.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment swift.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment swift.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\payment swift.exe"C:\Users\Admin\AppData\Local\Temp\payment swift.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\payment swift.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 8162⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5ed1a7e8a769c3d89a07ec4249386b99a
SHA13e7561c09722857a8da6b397e286ef0f2b57d0a5
SHA2561b2e8d6243e03c14042bb9c9588c8d8dd61ad40873522e4fa7ba1be83f868949
SHA512a9223a07f63a59cd8b9686dcdf3a94acbadae57d6518d21ca8f08b82753a165174c191355b4612d8400c470f82c961cb434ff0672e9b8a77390623a812e83cbb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5ed1a7e8a769c3d89a07ec4249386b99a
SHA13e7561c09722857a8da6b397e286ef0f2b57d0a5
SHA2561b2e8d6243e03c14042bb9c9588c8d8dd61ad40873522e4fa7ba1be83f868949
SHA512a9223a07f63a59cd8b9686dcdf3a94acbadae57d6518d21ca8f08b82753a165174c191355b4612d8400c470f82c961cb434ff0672e9b8a77390623a812e83cbb
-
memory/1164-63-0x0000000000000000-mapping.dmp
-
memory/1164-68-0x000000006EB30000-0x000000006F0DB000-memory.dmpFilesize
5.7MB
-
memory/1312-66-0x000000006EB30000-0x000000006F0DB000-memory.dmpFilesize
5.7MB
-
memory/1312-59-0x0000000000000000-mapping.dmp
-
memory/1524-70-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-80-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-87-0x0000000004965000-0x0000000004976000-memory.dmpFilesize
68KB
-
memory/1524-78-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-75-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-76-0x0000000000481BDE-mapping.dmp
-
memory/1524-74-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-71-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1524-73-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1564-67-0x000000006EB30000-0x000000006F0DB000-memory.dmpFilesize
5.7MB
-
memory/1564-60-0x0000000000000000-mapping.dmp
-
memory/1604-69-0x000000006EB30000-0x000000006F0DB000-memory.dmpFilesize
5.7MB
-
memory/1604-57-0x0000000000000000-mapping.dmp
-
memory/1760-81-0x0000000000000000-mapping.dmp
-
memory/1988-83-0x0000000000000000-mapping.dmp
-
memory/1988-86-0x000000006E5B0000-0x000000006EB5B000-memory.dmpFilesize
5.7MB
-
memory/2016-54-0x0000000000D00000-0x0000000000DEC000-memory.dmpFilesize
944KB
-
memory/2016-56-0x0000000075191000-0x0000000075193000-memory.dmpFilesize
8KB
-
memory/2016-55-0x0000000000A10000-0x0000000000AAA000-memory.dmpFilesize
616KB