Analysis
-
max time kernel
152s -
max time network
184s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 23:31
Static task
static1
Behavioral task
behavioral1
Sample
Payment.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment.exe
Resource
win10v2004-20220414-en
General
-
Target
Payment.exe
-
Size
1.5MB
-
MD5
ab56ad172a0bbb66aeff5c8d18aadc53
-
SHA1
9e79bba575e0e09d1b9c0f06f298f9c020b57198
-
SHA256
b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329
-
SHA512
c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 38 IoCs
Processes:
resource yara_rule behavioral1/memory/272-54-0x0000000000CF0000-0x0000000000E6E000-memory.dmp family_masslogger C:\Users\Admin\AppData\Roaming\chu.exe family_masslogger \Users\Admin\AppData\Roaming\chu.exe family_masslogger C:\Users\Admin\AppData\Roaming\chu.exe family_masslogger behavioral1/memory/2028-63-0x00000000000A0000-0x000000000021E000-memory.dmp family_masslogger behavioral1/memory/2008-72-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-73-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-74-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-75-0x00000000004ACB6E-mapping.dmp family_masslogger behavioral1/memory/2008-78-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-80-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-82-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-84-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-86-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-88-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-90-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-92-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-94-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-96-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-98-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-104-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-102-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-100-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-108-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-110-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-106-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-112-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-116-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-118-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-114-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-124-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-122-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-120-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-130-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-128-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-126-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-132-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral1/memory/2008-134-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Executes dropped EXE 2 IoCs
Processes:
chu.exeInstallUtil.exepid process 2028 chu.exe 2008 InstallUtil.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
InstallUtil.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation InstallUtil.exe -
Loads dropped DLL 2 IoCs
Processes:
Payment.exechu.exepid process 272 Payment.exe 2028 chu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook InstallUtil.exe Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook InstallUtil.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
chu.exedescription pid process target process PID 2028 set thread context of 2008 2028 chu.exe InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
InstallUtil.exepid process 2008 InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
Payment.exechu.exeInstallUtil.exepid process 272 Payment.exe 272 Payment.exe 2028 chu.exe 2028 chu.exe 2028 chu.exe 2008 InstallUtil.exe 2008 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Payment.exechu.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 272 Payment.exe Token: SeDebugPrivilege 2028 chu.exe Token: SeDebugPrivilege 2008 InstallUtil.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
InstallUtil.exepid process 2008 InstallUtil.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
Payment.execmd.exechu.execmd.exedescription pid process target process PID 272 wrote to memory of 856 272 Payment.exe cmd.exe PID 272 wrote to memory of 856 272 Payment.exe cmd.exe PID 272 wrote to memory of 856 272 Payment.exe cmd.exe PID 272 wrote to memory of 856 272 Payment.exe cmd.exe PID 856 wrote to memory of 1972 856 cmd.exe reg.exe PID 856 wrote to memory of 1972 856 cmd.exe reg.exe PID 856 wrote to memory of 1972 856 cmd.exe reg.exe PID 856 wrote to memory of 1972 856 cmd.exe reg.exe PID 272 wrote to memory of 2028 272 Payment.exe chu.exe PID 272 wrote to memory of 2028 272 Payment.exe chu.exe PID 272 wrote to memory of 2028 272 Payment.exe chu.exe PID 272 wrote to memory of 2028 272 Payment.exe chu.exe PID 2028 wrote to memory of 1640 2028 chu.exe cmd.exe PID 2028 wrote to memory of 1640 2028 chu.exe cmd.exe PID 2028 wrote to memory of 1640 2028 chu.exe cmd.exe PID 2028 wrote to memory of 1640 2028 chu.exe cmd.exe PID 1640 wrote to memory of 1884 1640 cmd.exe reg.exe PID 1640 wrote to memory of 1884 1640 cmd.exe reg.exe PID 1640 wrote to memory of 1884 1640 cmd.exe reg.exe PID 1640 wrote to memory of 1884 1640 cmd.exe reg.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe PID 2028 wrote to memory of 2008 2028 chu.exe InstallUtil.exe -
outlook_office_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe -
outlook_win_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"C:\Users\Admin\AppData\Local\Temp\Payment.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\chu.exe"C:\Users\Admin\AppData\Roaming\chu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeFilesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeFilesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Roaming\chu.exeFilesize
1.5MB
MD5ab56ad172a0bbb66aeff5c8d18aadc53
SHA19e79bba575e0e09d1b9c0f06f298f9c020b57198
SHA256b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329
SHA512c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3
-
C:\Users\Admin\AppData\Roaming\chu.exeFilesize
1.5MB
MD5ab56ad172a0bbb66aeff5c8d18aadc53
SHA19e79bba575e0e09d1b9c0f06f298f9c020b57198
SHA256b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329
SHA512c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3
-
\Users\Admin\AppData\Local\Temp\InstallUtil.exeFilesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
\Users\Admin\AppData\Roaming\chu.exeFilesize
1.5MB
MD5ab56ad172a0bbb66aeff5c8d18aadc53
SHA19e79bba575e0e09d1b9c0f06f298f9c020b57198
SHA256b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329
SHA512c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3
-
memory/272-54-0x0000000000CF0000-0x0000000000E6E000-memory.dmpFilesize
1.5MB
-
memory/272-56-0x0000000000390000-0x000000000039A000-memory.dmpFilesize
40KB
-
memory/272-55-0x0000000000350000-0x000000000036E000-memory.dmpFilesize
120KB
-
memory/856-57-0x0000000000000000-mapping.dmp
-
memory/1640-64-0x0000000000000000-mapping.dmp
-
memory/1884-65-0x0000000000000000-mapping.dmp
-
memory/1972-58-0x0000000000000000-mapping.dmp
-
memory/2008-86-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-102-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-69-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-70-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-72-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-73-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-74-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-598-0x0000000002190000-0x00000000021A4000-memory.dmpFilesize
80KB
-
memory/2008-75-0x00000000004ACB6E-mapping.dmp
-
memory/2008-78-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-80-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-82-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-84-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-597-0x0000000004D85000-0x0000000004D96000-memory.dmpFilesize
68KB
-
memory/2008-88-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-90-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-92-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-94-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-96-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-98-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-104-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-595-0x00000000005D0000-0x0000000000614000-memory.dmpFilesize
272KB
-
memory/2008-100-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-108-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-110-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-106-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-112-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-116-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-118-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-114-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-124-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-122-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-120-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-130-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-128-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-126-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-132-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2008-134-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2028-66-0x00000000008C0000-0x00000000008CA000-memory.dmpFilesize
40KB
-
memory/2028-60-0x0000000000000000-mapping.dmp
-
memory/2028-63-0x00000000000A0000-0x000000000021E000-memory.dmpFilesize
1.5MB