Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
08-08-2022 05:33
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.AIDetectNet.01.4744.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.AIDetectNet.01.4744.exe
Resource
win10v2004-20220721-en
General
-
Target
SecuriteInfo.com.W32.AIDetectNet.01.4744.exe
-
Size
12KB
-
MD5
c5bfbb66c7e3eb946107feb15d7181c2
-
SHA1
1fa470b2d3569cb1b61436a2aaeadc6d916e7a54
-
SHA256
253ec23e3db30683bfed20ee25778f5632b700aaf411c498cb092ea18e0eb5cc
-
SHA512
93e229e6d8063b606f648119e8904aa5921e9bc459fe6a31d68c86b6e33e814e3c25e54bcde55cc56d9eda947f8525c53b0bb02652783178616747cb5c7f680e
Malware Config
Extracted
remcos
RemoteHost
obologs.work.gd:4044
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-5Y5EWD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1780-152-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2388-156-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/2388-157-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule behavioral2/memory/1780-152-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/452-155-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2388-156-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2388-157-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
dwn.exepid process 3696 dwn.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.4744.exedwn.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.W32.AIDetectNet.01.4744.exe Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation dwn.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts aspnet_compiler.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.4744.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhpwllk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tlfczpop\\Yhpwllk.exe\"" SecuriteInfo.com.W32.AIDetectNet.01.4744.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.4744.exeaspnet_compiler.exedwn.exeaspnet_compiler.exewlanext.exedescription pid process target process PID 4236 set thread context of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 1828 set thread context of 2388 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 set thread context of 1780 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 set thread context of 452 1828 aspnet_compiler.exe aspnet_compiler.exe PID 3696 set thread context of 2964 3696 dwn.exe aspnet_compiler.exe PID 2964 set thread context of 2200 2964 aspnet_compiler.exe Explorer.EXE PID 1204 set thread context of 2200 1204 wlanext.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
wlanext.exedescription ioc process Key created \Registry\User\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 wlanext.exe -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
powershell.exeSecuriteInfo.com.W32.AIDetectNet.01.4744.exeaspnet_compiler.exeaspnet_compiler.exepowershell.exedwn.exeaspnet_compiler.exewlanext.exepid process 2252 powershell.exe 2252 powershell.exe 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe 2388 aspnet_compiler.exe 2388 aspnet_compiler.exe 452 aspnet_compiler.exe 452 aspnet_compiler.exe 2388 aspnet_compiler.exe 2388 aspnet_compiler.exe 1824 powershell.exe 1824 powershell.exe 3696 dwn.exe 3696 dwn.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2200 Explorer.EXE -
Suspicious behavior: MapViewOfSection 13 IoCs
Processes:
aspnet_compiler.exeaspnet_compiler.exewlanext.exepid process 1828 aspnet_compiler.exe 1828 aspnet_compiler.exe 1828 aspnet_compiler.exe 1828 aspnet_compiler.exe 1828 aspnet_compiler.exe 1828 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 2964 aspnet_compiler.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe 1204 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.4744.exepowershell.exeaspnet_compiler.exedwn.exepowershell.exeaspnet_compiler.exewlanext.exedescription pid process Token: SeDebugPrivilege 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 452 aspnet_compiler.exe Token: SeDebugPrivilege 3696 dwn.exe Token: SeDebugPrivilege 1824 powershell.exe Token: SeDebugPrivilege 2964 aspnet_compiler.exe Token: SeDebugPrivilege 1204 wlanext.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.4744.exeaspnet_compiler.exedwn.exeExplorer.EXEwlanext.exedescription pid process target process PID 4236 wrote to memory of 2252 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe powershell.exe PID 4236 wrote to memory of 2252 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe powershell.exe PID 4236 wrote to memory of 2252 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe powershell.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 4236 wrote to memory of 1828 4236 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe aspnet_compiler.exe PID 1828 wrote to memory of 2388 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2388 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2388 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2388 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2516 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2516 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 2516 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1780 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1780 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1780 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1780 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1524 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1524 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 1524 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 4536 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 4536 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 4536 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 452 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 452 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 452 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 452 1828 aspnet_compiler.exe aspnet_compiler.exe PID 1828 wrote to memory of 3696 1828 aspnet_compiler.exe dwn.exe PID 1828 wrote to memory of 3696 1828 aspnet_compiler.exe dwn.exe PID 1828 wrote to memory of 3696 1828 aspnet_compiler.exe dwn.exe PID 3696 wrote to memory of 1824 3696 dwn.exe powershell.exe PID 3696 wrote to memory of 1824 3696 dwn.exe powershell.exe PID 3696 wrote to memory of 1824 3696 dwn.exe powershell.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 3696 wrote to memory of 2964 3696 dwn.exe aspnet_compiler.exe PID 2200 wrote to memory of 1204 2200 Explorer.EXE wlanext.exe PID 2200 wrote to memory of 1204 2200 Explorer.EXE wlanext.exe PID 2200 wrote to memory of 1204 2200 Explorer.EXE wlanext.exe PID 1204 wrote to memory of 2356 1204 wlanext.exe Firefox.exe PID 1204 wrote to memory of 2356 1204 wlanext.exe Firefox.exe PID 1204 wrote to memory of 2356 1204 wlanext.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4744.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4744.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\wkztrdhxclppgwwmhcqkvenufw"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmedkwsyqthujklqyndmfiilocqtfp"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmedkwsyqthujklqyndmfiilocqtfp"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\dwn.exe"C:\Users\Admin\AppData\Local\Temp\dwn.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5f9cd81068ed125736f622dc118f18321
SHA18a85f1a7c47cb91997083fb95bd8588cf88049c9
SHA256d53fc42d579dbc96b080a0d23f585ce3966c54edf3843c4ef87997e0b3908166
SHA51299648e06b9e53f76d93d2d37780814b55dcd4aa07801af498059bb34d7a3c03b97b2fd3c6798c420802597da11697956f71283f1e418f85b34bbecb2322260f3
-
C:\Users\Admin\AppData\Local\Temp\dwn.exeFilesize
12KB
MD50cb74a735886a14d5fabe1a300cbdf71
SHA1069e8a67a521cb593b525bf95ae0c7bde2debccf
SHA256a05ed1c19c64d7a966f5219dfcd06a3a82c2207d704c5ad4bd6353d17d418e28
SHA512c5958271d9cdff5bef9f88d42df716d41095061bddf540a6fe57d9ff8bfccb7510a2e65f0ca954c423112510cbb5aad13c6458109efd8d46341b6eca2ccdedf9
-
C:\Users\Admin\AppData\Local\Temp\dwn.exeFilesize
12KB
MD50cb74a735886a14d5fabe1a300cbdf71
SHA1069e8a67a521cb593b525bf95ae0c7bde2debccf
SHA256a05ed1c19c64d7a966f5219dfcd06a3a82c2207d704c5ad4bd6353d17d418e28
SHA512c5958271d9cdff5bef9f88d42df716d41095061bddf540a6fe57d9ff8bfccb7510a2e65f0ca954c423112510cbb5aad13c6458109efd8d46341b6eca2ccdedf9
-
C:\Users\Admin\AppData\Local\Temp\wkztrdhxclppgwwmhcqkvenufwFilesize
4KB
MD5a64ef19cb7924d0ef7b27699e0237041
SHA1b6392aa8451f0721fcadff793808f8630182e66e
SHA25666635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56
SHA51266f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b
-
memory/452-154-0x0000000000000000-mapping.dmp
-
memory/452-155-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1204-179-0x0000000001300000-0x000000000138F000-memory.dmpFilesize
572KB
-
memory/1204-174-0x0000000000000000-mapping.dmp
-
memory/1204-178-0x0000000000BB0000-0x0000000000BDB000-memory.dmpFilesize
172KB
-
memory/1204-176-0x0000000000B10000-0x0000000000B27000-memory.dmpFilesize
92KB
-
memory/1204-181-0x0000000000BB0000-0x0000000000BDB000-memory.dmpFilesize
172KB
-
memory/1204-177-0x00000000014F0000-0x000000000183A000-memory.dmpFilesize
3.3MB
-
memory/1524-151-0x0000000000000000-mapping.dmp
-
memory/1780-152-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1780-150-0x0000000000000000-mapping.dmp
-
memory/1824-163-0x0000000000000000-mapping.dmp
-
memory/1828-146-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/1828-145-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/1828-144-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/1828-143-0x0000000000000000-mapping.dmp
-
memory/1828-147-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/1828-167-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/2200-173-0x00000000088F0000-0x00000000089D2000-memory.dmpFilesize
904KB
-
memory/2200-182-0x0000000008B20000-0x0000000008C8D000-memory.dmpFilesize
1.4MB
-
memory/2200-180-0x0000000008B20000-0x0000000008C8D000-memory.dmpFilesize
1.4MB
-
memory/2252-142-0x0000000006E10000-0x0000000006E2A000-memory.dmpFilesize
104KB
-
memory/2252-139-0x00000000062A0000-0x0000000006306000-memory.dmpFilesize
408KB
-
memory/2252-138-0x0000000006230000-0x0000000006296000-memory.dmpFilesize
408KB
-
memory/2252-137-0x0000000005A20000-0x0000000006048000-memory.dmpFilesize
6.2MB
-
memory/2252-136-0x0000000003370000-0x00000000033A6000-memory.dmpFilesize
216KB
-
memory/2252-135-0x0000000000000000-mapping.dmp
-
memory/2252-140-0x0000000006930000-0x000000000694E000-memory.dmpFilesize
120KB
-
memory/2252-141-0x00000000081A0000-0x000000000881A000-memory.dmpFilesize
6.5MB
-
memory/2388-156-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2388-157-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2388-148-0x0000000000000000-mapping.dmp
-
memory/2516-149-0x0000000000000000-mapping.dmp
-
memory/2964-175-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2964-171-0x00000000010C0000-0x000000000140A000-memory.dmpFilesize
3.3MB
-
memory/2964-172-0x0000000000B50000-0x0000000000B60000-memory.dmpFilesize
64KB
-
memory/2964-169-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2964-168-0x0000000000000000-mapping.dmp
-
memory/3696-161-0x0000000000260000-0x0000000000268000-memory.dmpFilesize
32KB
-
memory/3696-158-0x0000000000000000-mapping.dmp
-
memory/4236-130-0x0000000000B50000-0x0000000000B58000-memory.dmpFilesize
32KB
-
memory/4236-134-0x0000000007A80000-0x0000000007AA2000-memory.dmpFilesize
136KB
-
memory/4236-133-0x0000000005750000-0x000000000575A000-memory.dmpFilesize
40KB
-
memory/4236-132-0x0000000005510000-0x00000000055A2000-memory.dmpFilesize
584KB
-
memory/4236-131-0x00000000058E0000-0x0000000005E84000-memory.dmpFilesize
5.6MB
-
memory/4536-153-0x0000000000000000-mapping.dmp