Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2022 12:04
Static task: static1
Behavioral task: behavioral1
Sample: PI.exe
Resource: win7-20220901-en
General
Target: PI.exe
Size: 70KB
MD5: 72e88de1efc3b17b6b59a635bad25294
SHA1: 929b2471c0186e2e676c44d7687d3ac1f23c555c
SHA256: c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
SHA512: 95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
SSDEEP: 1536:i03oxUXqNKAuDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNK:i/QAuis1Jy///f/M0
Malware Config
Extracted
formbook
zzun
secure-id6793-chase.com
Extracted
xloader
2.9
zzun
secure-id6793-chase.com
Signatures
-
Xloader payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4208-146-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/4208-148-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/2036-154-0x0000000000F00000-0x0000000000F2C000-memory.dmp | xloader
behavioral2/memory/2036-159-0x0000000000F00000-0x0000000000F2C000-memory.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
systray.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\H8R0TXE8_4 = "C:\\Program Files (x86)\\Fe6qlrh\\vgaevwtv400.exe" | systray.exe
-
Executes dropped EXE 1 IoCs
Processes:
vgaevwtv400.exe
pid | process
2172 | vgaevwtv400.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vgaevwtv400.exe, PI.exe, PI.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | vgaevwtv400.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | PI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | PI.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
PI.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iocoj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ndsosim\\Iocoj.exe\"" | PI.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PI.exe, PI.exe, systray.exe
description | pid | process | target process
PID 1324 set thread context of 4208 | 1324 | PI.exe | PI.exe
PID 4208 set thread context of 2416 | 4208 | PI.exe | Explorer.EXE
PID 2036 set thread context of 2416 | 2036 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes:
Explorer.EXE, systray.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe | systray.exe
File opened for modification | C:\Program Files (x86)\Fe6qlrh | Explorer.EXE
File created | C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
systray.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
powershell.exe, PI.exe, PI.exe, systray.exe, powershell.exe
pid | process
3396 | powershell.exe
1324 | PI.exe
4208 | PI.exe
2036 | systray.exe
3628 | powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
2416 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
PI.exe, systray.exe
pid | process
4208 | PI.exe
2036 | systray.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
PI.exe, powershell.exe, PI.exe, systray.exe, Explorer.EXE, vgaevwtv400.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1324 | PI.exe
Token: SeDebugPrivilege | 3396 | powershell.exe
Token: SeDebugPrivilege | 4208 | PI.exe
Token: SeDebugPrivilege | 2036 | systray.exe
Token: SeShutdownPrivilege | 2416 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2416 | Explorer.EXE
Token: SeDebugPrivilege | 2172 | vgaevwtv400.exe
Token: SeDebugPrivilege | 3628 | powershell.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
PI.exe, Explorer.EXE, systray.exe, vgaevwtv400.exe
description | pid | process | target process
PID 1324 wrote to memory of 3396 | 1324 | PI.exe | powershell.exe
PID 1324 wrote to memory of 4624 | 1324 | PI.exe | PI.exe
PID 1324 wrote to memory of 4208 | 1324 | PI.exe | PI.exe
PID 2416 wrote to memory of 2036 | 2416 | Explorer.EXE | systray.exe
PID 2036 wrote to memory of 3140 | 2036 | systray.exe | cmd.exe
PID 2036 wrote to memory of 1324 | 2036 | systray.exe | cmd.exe
PID 2036 wrote to memory of 444 | 2036 | systray.exe | cmd.exe
PID 2036 wrote to memory of 892 | 2036 | systray.exe | Firefox.exe
PID 2416 wrote to memory of 2172 | 2416 | Explorer.EXE | vgaevwtv400.exe
PID 2172 wrote to memory of 3628 | 2172 | vgaevwtv400.exe | powershell.exe
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
Tree depth: 2
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PI.exe
Command line: C:\Users\Admin\AppData\Local\Temp\PI.exe
Tree depth: 3
-
C:\Users\Admin\AppData\Local\Temp\PI.exe
Command line: C:\Users\Admin\AppData\Local\Temp\PI.exe
Tree depth: 3
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systray.exe
Command line: "C:\Windows\SysWOW64\systray.exe"
Tree depth: 2
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
Tree depth: 3
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Tree depth: 3
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Tree depth: 3
-
C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Tree depth: 3
-
C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe
Command line: "C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe"
Tree depth: 2
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe
Filesize: 70KB
MD5: 72e88de1efc3b17b6b59a635bad25294
SHA1: 929b2471c0186e2e676c44d7687d3ac1f23c555c
SHA256: c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
SHA512: 95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 16KB
MD5: a030b924386a906cce4bc7f41b92ac10
SHA1: 64d319e816b289f62ea7877be5f06498360afbd7
SHA256: d07eaace9a8c73b74542dc3e14850ceafd0974725ec5ea4bb89eff3879d78388
SHA512: 4063c94ce4edec93999f5c08062424d65d4e0c4d8aa79c86e48d35b0978eb6a8c6979f16914284b99525c19daeaf0d97b25f04485cafec9b32ad96fceedfcffb
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574