Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 13:03
Static task
static1
Behavioral task
behavioral1
Sample
PI.exe
Resource
win7-20220812-en
General
-
Target
PI.exe
-
Size
70KB
-
MD5
72e88de1efc3b17b6b59a635bad25294
-
SHA1
929b2471c0186e2e676c44d7687d3ac1f23c555c
-
SHA256
c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
-
SHA512
95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
-
SSDEEP
1536:i03oxUXqNKAuDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNK:i/QAuis1Jy///f/M0
Malware Config
Extracted
formbook
zzun
JnNtRHyNupy0GqRzAcasu7hb4rc=
Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=
ePArIFWvjkkMgVEVhw4M4Jk=
26rqUwJ7dD0AiDI=
pBAxMHeK741QFw==
kHD7TPt5846pUMTX
56UnjFjHL1i0j659h3LymRnHpQj+SshC
4vKlKHflPqmWXRbrRwfPtrhb4rc=
6LBd4qButFAi
phMzGll8Ue7Fu+inq5cdnPaSugG3
NKswiQGCvZoG5FgsdHEI
rtTHnuUY8M1qVcXV
SOmECrlAt2oGAA==
L1ep9adutFAi
/UE+/AyvE6uEl28weFI=
IP+xMPQxJR4NE6TK
xvW5GN9/rqA5YUoOVt185Sf7Uw==
fRFNW9DhxL6VF7LA
KFYTfkaY741QFw==
W4JGvMBmt2oGAA==
lnoad0Hkgrwl9uXlghvqdz33UA==
1msShiu+9wisELGDjYAK
FBXFOinAK8ylnMZzi35Okw==
V8Y7/cBnt2oGAA==
VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=
de74yg89D61bSiU=
V2UPjYUvwh21qdxUr4Mf
DcFXvTxFMlyfL5JJIU0=
GldbH/CCt2oGAA==
sxdEIBwn+o+pUMTX
UmViK+1/Knr8814sdHEI
jrfKoZ6paLyeEBETgw4M4Jk=
SR27MizpGwCa19Kb1A==
2DGo9XUNxBOe19Kb1A==
7tBn2cG8jasWHE7w559Aig==
8qtAoVHxl/KGerbsfA4M4Jk=
fC3AH6Utt2oGAA==
HltlPHZ7FpSpUMTX
xd0B+Pr30gBfQGYXafOW1dOSflv+SshC
DKXWyiOecY7319Kb1A==
Pvx505EaswiHYF3z559Aig==
aJ6kaz7CWKsP9g9Ur4Mf
qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=
I++iH8xJxFp73nyUjJOg3/PS/3W7
K1N1guwbLz0AiDI=
vp2SfavTmBXNzLeXmIoUhsB7
UlAVhgIfLT0AiDI=
6BKH5GjHt2YIo/qhA69S+5E=
6U29K+qVw5hT4gQ83A==
G9NTmhwpAwY6r4I69kT4dz33UA==
0qstoaNBmBrMlfwTKhrAtLhb4rc=
ZvMhGW52cyAAXkVV3Jc96Lhb4rc=
N9Z3/PmEt2oGAA==
ohlOhcaP741QFw==
9WF3PohVjEolhCY=
am0ek4wtmkEI9GMVhw4M4Jk=
ROotH4+jhp7vnzVdww==
uvkuFhGmJlyjpFFpi35Okw==
ICHQQTIjaxTryG8weFI=
AhIZ8uh974+pUMTX
pEBtSFHr/5s0GQ==
qAcuLnqLNeOpUMTX
bcHv6WdbHoWEylgsdHEI
Nz/rbWh3s4WFDL9uPlAhXKNz
secure-id6793-chase.com
Extracted
xloader
2.9
zzun
JnNtRHyNupy0GqRzAcasu7hb4rc=
Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=
ePArIFWvjkkMgVEVhw4M4Jk=
26rqUwJ7dD0AiDI=
pBAxMHeK741QFw==
kHD7TPt5846pUMTX
56UnjFjHL1i0j659h3LymRnHpQj+SshC
4vKlKHflPqmWXRbrRwfPtrhb4rc=
6LBd4qButFAi
phMzGll8Ue7Fu+inq5cdnPaSugG3
NKswiQGCvZoG5FgsdHEI
rtTHnuUY8M1qVcXV
SOmECrlAt2oGAA==
L1ep9adutFAi
/UE+/AyvE6uEl28weFI=
IP+xMPQxJR4NE6TK
xvW5GN9/rqA5YUoOVt185Sf7Uw==
fRFNW9DhxL6VF7LA
KFYTfkaY741QFw==
W4JGvMBmt2oGAA==
lnoad0Hkgrwl9uXlghvqdz33UA==
1msShiu+9wisELGDjYAK
FBXFOinAK8ylnMZzi35Okw==
V8Y7/cBnt2oGAA==
VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=
de74yg89D61bSiU=
V2UPjYUvwh21qdxUr4Mf
DcFXvTxFMlyfL5JJIU0=
GldbH/CCt2oGAA==
sxdEIBwn+o+pUMTX
UmViK+1/Knr8814sdHEI
jrfKoZ6paLyeEBETgw4M4Jk=
SR27MizpGwCa19Kb1A==
2DGo9XUNxBOe19Kb1A==
7tBn2cG8jasWHE7w559Aig==
8qtAoVHxl/KGerbsfA4M4Jk=
fC3AH6Utt2oGAA==
HltlPHZ7FpSpUMTX
xd0B+Pr30gBfQGYXafOW1dOSflv+SshC
DKXWyiOecY7319Kb1A==
Pvx505EaswiHYF3z559Aig==
aJ6kaz7CWKsP9g9Ur4Mf
qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=
I++iH8xJxFp73nyUjJOg3/PS/3W7
K1N1guwbLz0AiDI=
vp2SfavTmBXNzLeXmIoUhsB7
UlAVhgIfLT0AiDI=
6BKH5GjHt2YIo/qhA69S+5E=
6U29K+qVw5hT4gQ83A==
G9NTmhwpAwY6r4I69kT4dz33UA==
0qstoaNBmBrMlfwTKhrAtLhb4rc=
ZvMhGW52cyAAXkVV3Jc96Lhb4rc=
N9Z3/PmEt2oGAA==
ohlOhcaP741QFw==
9WF3PohVjEolhCY=
am0ek4wtmkEI9GMVhw4M4Jk=
ROotH4+jhp7vnzVdww==
uvkuFhGmJlyjpFFpi35Okw==
ICHQQTIjaxTryG8weFI=
AhIZ8uh974+pUMTX
pEBtSFHr/5s0GQ==
qAcuLnqLNeOpUMTX
bcHv6WdbHoWEylgsdHEI
Nz/rbWh3s4WFDL9uPlAhXKNz
secure-id6793-chase.com
Signatures
-
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/1852-145-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral2/memory/1852-151-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral2/memory/1068-154-0x0000000000150000-0x000000000017C000-memory.dmp xloader behavioral2/memory/1068-158-0x0000000000150000-0x000000000017C000-memory.dmp xloader -
Executes dropped EXE 1 IoCs
Processes:
brjttj.exepid process 4708 brjttj.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
PI.exePI.exebrjttj.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation PI.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation PI.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation brjttj.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
raserver.exePI.exedescription ioc process Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run raserver.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DZW8UFWXCPG = "C:\\Program Files (x86)\\Ltzl4an\\brjttj.exe" raserver.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iocoj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ndsosim\\Iocoj.exe\"" PI.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{10233253-CDD6-490D-96C3-9D80EC590149}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{48404BD2-ADA3-42E4-9BC8-D9C33C5FE457}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
PI.exePI.exeraserver.exedescription pid process target process PID 1544 set thread context of 1852 1544 PI.exe PI.exe PID 1852 set thread context of 3004 1852 PI.exe Explorer.EXE PID 1068 set thread context of 3004 1068 raserver.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
Explorer.EXEraserver.exedescription ioc process File opened for modification C:\Program Files (x86)\Ltzl4an Explorer.EXE File created C:\Program Files (x86)\Ltzl4an\brjttj.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Ltzl4an\brjttj.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Ltzl4an\brjttj.exe raserver.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Processes:
raserver.exedescription ioc process Key created \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 raserver.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
powershell.exePI.exeraserver.exepowershell.exepid process 3012 powershell.exe 3012 powershell.exe 1852 PI.exe 1852 PI.exe 1852 PI.exe 1852 PI.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 4788 powershell.exe 4788 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3004 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
PI.exeraserver.exepid process 1852 PI.exe 1852 PI.exe 1852 PI.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe 1068 raserver.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
PI.exepowershell.exePI.exeraserver.exebrjttj.exepowershell.exedescription pid process Token: SeDebugPrivilege 1544 PI.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeDebugPrivilege 1852 PI.exe Token: SeDebugPrivilege 1068 raserver.exe Token: SeDebugPrivilege 4708 brjttj.exe Token: SeDebugPrivilege 4788 powershell.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
PI.exeExplorer.EXEraserver.exebrjttj.exedescription pid process target process PID 1544 wrote to memory of 3012 1544 PI.exe powershell.exe PID 1544 wrote to memory of 3012 1544 PI.exe powershell.exe PID 1544 wrote to memory of 3012 1544 PI.exe powershell.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 1544 wrote to memory of 1852 1544 PI.exe PI.exe PID 3004 wrote to memory of 1068 3004 Explorer.EXE raserver.exe PID 3004 wrote to memory of 1068 3004 Explorer.EXE raserver.exe PID 3004 wrote to memory of 1068 3004 Explorer.EXE raserver.exe PID 1068 wrote to memory of 3692 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 3692 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 3692 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1984 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1984 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1984 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1344 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1344 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 1344 1068 raserver.exe cmd.exe PID 1068 wrote to memory of 3444 1068 raserver.exe Firefox.exe PID 1068 wrote to memory of 3444 1068 raserver.exe Firefox.exe PID 1068 wrote to memory of 3444 1068 raserver.exe Firefox.exe PID 3004 wrote to memory of 4708 3004 Explorer.EXE brjttj.exe PID 3004 wrote to memory of 4708 3004 Explorer.EXE brjttj.exe PID 3004 wrote to memory of 4708 3004 Explorer.EXE brjttj.exe PID 4708 wrote to memory of 4788 4708 brjttj.exe powershell.exe PID 4708 wrote to memory of 4788 4708 brjttj.exe powershell.exe PID 4708 wrote to memory of 4788 4708 brjttj.exe powershell.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PI.exeC:\Users\Admin\AppData\Local\Temp\PI.exe3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Ltzl4an\brjttj.exe"C:\Program Files (x86)\Ltzl4an\brjttj.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Ltzl4an\brjttj.exeFilesize
70KB
MD572e88de1efc3b17b6b59a635bad25294
SHA1929b2471c0186e2e676c44d7687d3ac1f23c555c
SHA256c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
SHA51295ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
-
C:\Program Files (x86)\Ltzl4an\brjttj.exeFilesize
70KB
MD572e88de1efc3b17b6b59a635bad25294
SHA1929b2471c0186e2e676c44d7687d3ac1f23c555c
SHA256c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
SHA51295ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD56195a91754effb4df74dbc72cdf4f7a6
SHA1aba262f5726c6d77659fe0d3195e36a85046b427
SHA2563254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5d36f9c89346fd0d74b278dfa39dcb073
SHA1203b8311e4b94c30cfa7bef877a20a3a583c5a5f
SHA2568c8eb44bc461d5cbc7202bce79c18b5cc6b89c877c27b7e999b2057658be2600
SHA5120217938667cf81b14a08f48d3dd65b2636d9c89af2e175cc1f8b60c319f8525705ae9dac4a20f93161c5aa532fdc2e8d279953101f50c03e2c6ba1ba49f1ea14
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
memory/1068-150-0x0000000000000000-mapping.dmp
-
memory/1068-155-0x0000000002210000-0x000000000255A000-memory.dmpFilesize
3.3MB
-
memory/1068-156-0x0000000002070000-0x0000000002100000-memory.dmpFilesize
576KB
-
memory/1068-154-0x0000000000150000-0x000000000017C000-memory.dmpFilesize
176KB
-
memory/1068-153-0x0000000000A80000-0x0000000000A9F000-memory.dmpFilesize
124KB
-
memory/1068-158-0x0000000000150000-0x000000000017C000-memory.dmpFilesize
176KB
-
memory/1344-162-0x0000000000000000-mapping.dmp
-
memory/1544-142-0x0000000006000000-0x0000000006092000-memory.dmpFilesize
584KB
-
memory/1544-132-0x00000000000A0000-0x00000000000B6000-memory.dmpFilesize
88KB
-
memory/1544-143-0x0000000006650000-0x0000000006BF4000-memory.dmpFilesize
5.6MB
-
memory/1544-133-0x00000000054E0000-0x0000000005502000-memory.dmpFilesize
136KB
-
memory/1852-148-0x0000000001390000-0x00000000013A1000-memory.dmpFilesize
68KB
-
memory/1852-147-0x0000000001410000-0x000000000175A000-memory.dmpFilesize
3.3MB
-
memory/1852-151-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1852-145-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1852-144-0x0000000000000000-mapping.dmp
-
memory/1984-160-0x0000000000000000-mapping.dmp
-
memory/3004-149-0x00000000036A0000-0x0000000003761000-memory.dmpFilesize
772KB
-
memory/3004-157-0x0000000008B40000-0x0000000008C8F000-memory.dmpFilesize
1.3MB
-
memory/3004-159-0x0000000008B40000-0x0000000008C8F000-memory.dmpFilesize
1.3MB
-
memory/3012-139-0x00000000063A0000-0x00000000063BE000-memory.dmpFilesize
120KB
-
memory/3012-141-0x0000000006880000-0x000000000689A000-memory.dmpFilesize
104KB
-
memory/3012-140-0x0000000007B80000-0x00000000081FA000-memory.dmpFilesize
6.5MB
-
memory/3012-138-0x0000000005D30000-0x0000000005D96000-memory.dmpFilesize
408KB
-
memory/3012-137-0x0000000005560000-0x00000000055C6000-memory.dmpFilesize
408KB
-
memory/3012-136-0x00000000055D0000-0x0000000005BF8000-memory.dmpFilesize
6.2MB
-
memory/3012-135-0x0000000002DB0000-0x0000000002DE6000-memory.dmpFilesize
216KB
-
memory/3012-134-0x0000000000000000-mapping.dmp
-
memory/3692-152-0x0000000000000000-mapping.dmp
-
memory/4708-164-0x0000000000000000-mapping.dmp
-
memory/4788-167-0x0000000000000000-mapping.dmp