Analysis
-
max time kernel
121s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-06-2022 16:50
Static task
static1
Behavioral task
behavioral1
Sample
39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi
Resource
win10v2004-20220414-en
General
-
Target
39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi
-
Size
2.3MB
-
MD5
c5d5542f35dff3d7f92dbc4c6a0ec56c
-
SHA1
6c37078b59c85448605ee96888ac00cb0b5f0654
-
SHA256
39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf
-
SHA512
110ddbdb35e2319f2d1939b40e0e950f129d46b51b985c56edb8e23c8e5ee29f76a03ea6ab5001f6a697aa94769856d74145f3b8f6122ea9f09d68db45120efa
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
ca8b7835-2ac0-4a33-a17c-532dfc1a88cf
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:3 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:ca8b7835-2ac0-4a33-a17c-532dfc1a88cf _PanelSecret:c9c9179f-8536-c2ed-1aa7-87bff231f0ce _PanelURL:http://patrogabon.com/jayjayman2 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral2/memory/1788-135-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1984-152-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1984-154-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1984-155-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1984-156-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4264-145-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4264-147-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4264-148-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4264-149-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
Processes:
resource yara_rule behavioral2/memory/4264-145-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4264-147-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4264-148-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4264-149-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1984-152-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1984-154-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1984-155-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1984-156-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
Processes:
MSI37BA.tmppid process 864 MSI37BA.tmp -
Drops startup file 1 IoCs
Processes:
MSI37BA.tmpdescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaxxAudioMeters64.url MSI37BA.tmp -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Windows\Installer\MSI37BA.tmp autoit_exe C:\Windows\Installer\MSI37BA.tmp autoit_exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
MSI37BA.tmpRegAsm.exedescription pid process target process PID 864 set thread context of 1788 864 MSI37BA.tmp RegAsm.exe PID 1788 set thread context of 4264 1788 RegAsm.exe vbc.exe PID 1788 set thread context of 1984 1788 RegAsm.exe vbc.exe -
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe File opened for modification C:\Windows\Installer\MSI370E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI37BA.tmp msiexec.exe File created C:\Windows\Installer\e573539.msi msiexec.exe File opened for modification C:\Windows\Installer\e573539.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
msiexec.exevbc.exeRegAsm.exepid process 4004 msiexec.exe 4004 msiexec.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 4264 vbc.exe 1788 RegAsm.exe 1788 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exesrtasks.exeRegAsm.exedescription pid process Token: SeShutdownPrivilege 4336 msiexec.exe Token: SeIncreaseQuotaPrivilege 4336 msiexec.exe Token: SeSecurityPrivilege 4004 msiexec.exe Token: SeCreateTokenPrivilege 4336 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4336 msiexec.exe Token: SeLockMemoryPrivilege 4336 msiexec.exe Token: SeIncreaseQuotaPrivilege 4336 msiexec.exe Token: SeMachineAccountPrivilege 4336 msiexec.exe Token: SeTcbPrivilege 4336 msiexec.exe Token: SeSecurityPrivilege 4336 msiexec.exe Token: SeTakeOwnershipPrivilege 4336 msiexec.exe Token: SeLoadDriverPrivilege 4336 msiexec.exe Token: SeSystemProfilePrivilege 4336 msiexec.exe Token: SeSystemtimePrivilege 4336 msiexec.exe Token: SeProfSingleProcessPrivilege 4336 msiexec.exe Token: SeIncBasePriorityPrivilege 4336 msiexec.exe Token: SeCreatePagefilePrivilege 4336 msiexec.exe Token: SeCreatePermanentPrivilege 4336 msiexec.exe Token: SeBackupPrivilege 4336 msiexec.exe Token: SeRestorePrivilege 4336 msiexec.exe Token: SeShutdownPrivilege 4336 msiexec.exe Token: SeDebugPrivilege 4336 msiexec.exe Token: SeAuditPrivilege 4336 msiexec.exe Token: SeSystemEnvironmentPrivilege 4336 msiexec.exe Token: SeChangeNotifyPrivilege 4336 msiexec.exe Token: SeRemoteShutdownPrivilege 4336 msiexec.exe Token: SeUndockPrivilege 4336 msiexec.exe Token: SeSyncAgentPrivilege 4336 msiexec.exe Token: SeEnableDelegationPrivilege 4336 msiexec.exe Token: SeManageVolumePrivilege 4336 msiexec.exe Token: SeImpersonatePrivilege 4336 msiexec.exe Token: SeCreateGlobalPrivilege 4336 msiexec.exe Token: SeBackupPrivilege 2384 vssvc.exe Token: SeRestorePrivilege 2384 vssvc.exe Token: SeAuditPrivilege 2384 vssvc.exe Token: SeBackupPrivilege 4004 msiexec.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeTakeOwnershipPrivilege 4004 msiexec.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeTakeOwnershipPrivilege 4004 msiexec.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeTakeOwnershipPrivilege 4004 msiexec.exe Token: SeBackupPrivilege 4188 srtasks.exe Token: SeRestorePrivilege 4188 srtasks.exe Token: SeSecurityPrivilege 4188 srtasks.exe Token: SeTakeOwnershipPrivilege 4188 srtasks.exe Token: SeBackupPrivilege 4188 srtasks.exe Token: SeRestorePrivilege 4188 srtasks.exe Token: SeSecurityPrivilege 4188 srtasks.exe Token: SeTakeOwnershipPrivilege 4188 srtasks.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeTakeOwnershipPrivilege 4004 msiexec.exe Token: SeRestorePrivilege 4004 msiexec.exe Token: SeTakeOwnershipPrivilege 4004 msiexec.exe Token: SeDebugPrivilege 1788 RegAsm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 4336 msiexec.exe 4336 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 1788 RegAsm.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
msiexec.exeMSI37BA.tmpRegAsm.exedescription pid process target process PID 4004 wrote to memory of 4188 4004 msiexec.exe srtasks.exe PID 4004 wrote to memory of 4188 4004 msiexec.exe srtasks.exe PID 4004 wrote to memory of 864 4004 msiexec.exe MSI37BA.tmp PID 4004 wrote to memory of 864 4004 msiexec.exe MSI37BA.tmp PID 4004 wrote to memory of 864 4004 msiexec.exe MSI37BA.tmp PID 864 wrote to memory of 1788 864 MSI37BA.tmp RegAsm.exe PID 864 wrote to memory of 1788 864 MSI37BA.tmp RegAsm.exe PID 864 wrote to memory of 1788 864 MSI37BA.tmp RegAsm.exe PID 864 wrote to memory of 1788 864 MSI37BA.tmp RegAsm.exe PID 864 wrote to memory of 1788 864 MSI37BA.tmp RegAsm.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 4264 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe PID 1788 wrote to memory of 1984 1788 RegAsm.exe vbc.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Installer\MSI37BA.tmp"C:\Windows\Installer\MSI37BA.tmp"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6D8F.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp71A7.tmp"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6D8F.tmpFilesize
4KB
MD5bdf65f70610625cc771c5cc7ce168c7d
SHA1a8829b1c071ed0521d11925a98468c12a53a03b8
SHA256b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5
SHA512add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4
-
C:\Windows\Installer\MSI37BA.tmpFilesize
2.3MB
MD56ed84ffdf8184258763731cd34f6d4d3
SHA1015bae0bc0ab2bf4730fa81c6a2b0d5d28a607db
SHA2569cebc436acc05d484b4b50067704e089aab8353c17faefbed887aecf92caf472
SHA5127f44c3f945f5790275ebaf37131788d05791029155b1c044ae68737b6357a090e7c6a28fc77b9c2d608c699e399e90be02b0ea1ec64541ad774b90a4ab7a7b61
-
C:\Windows\Installer\MSI37BA.tmpFilesize
2.3MB
MD56ed84ffdf8184258763731cd34f6d4d3
SHA1015bae0bc0ab2bf4730fa81c6a2b0d5d28a607db
SHA2569cebc436acc05d484b4b50067704e089aab8353c17faefbed887aecf92caf472
SHA5127f44c3f945f5790275ebaf37131788d05791029155b1c044ae68737b6357a090e7c6a28fc77b9c2d608c699e399e90be02b0ea1ec64541ad774b90a4ab7a7b61
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5f3a45a6d591e72278d3e8c16e12fbdee
SHA1e4545992c1172d761088732e53bdf3fdd4ca4374
SHA256737215efb261ba203a8c86f43469b47c87f165ca15008c4e301246984df5dbd8
SHA5128af9036bc22679b1edb6ed3701461536a8aaf91d2702993ba59005d99d39be648c28c2d1b0329e4fa693e161e64cfbc1c71fc287ac86bd334e9d6e51474241ca
-
\??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eede0e3d-63e9-499d-8c6f-e16fad8fe4c7}_OnDiskSnapshotPropFilesize
5KB
MD5ebcb5dbc8449905bd2e818cbaf6d7528
SHA150d2bc04cd73fa95132293c2bd27212ed44d50f3
SHA25675a5028e474c8d7c904b9296f59e968f09eb74695d95ed53197d1eaf1cc5a2ff
SHA512408c2e35817bac83d8cfbf9f36d90588f923c4e07e1d13d4abe96cf72cd3d9611bfc9c3e57eb3f4b38af4671fa5096ca4877a3fa7ed5b428c13410769bf77789
-
memory/864-131-0x0000000000000000-mapping.dmp
-
memory/1788-135-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1788-143-0x0000000073680000-0x0000000073C31000-memory.dmpFilesize
5.7MB
-
memory/1788-140-0x0000000073680000-0x0000000073C31000-memory.dmpFilesize
5.7MB
-
memory/1788-134-0x0000000000000000-mapping.dmp
-
memory/1984-151-0x0000000000000000-mapping.dmp
-
memory/1984-156-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1984-155-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1984-154-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1984-152-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/4188-130-0x0000000000000000-mapping.dmp
-
memory/4264-144-0x0000000000000000-mapping.dmp
-
memory/4264-149-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4264-148-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4264-147-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4264-145-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB