Analysis
- max time kernel: 149s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2022 05:19
Static task: static1
Behavioral task: behavioral1
- Sample: 2022-11-4 报价请求.PDF.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2022-11-4 报价请求.PDF.exe
- Resource: win10v2004-20220901-en
General
- Target: 2022-11-4 报价请求.PDF.exe
- Size: 1.1MB
- MD5: b80414e3202a808673a8254aec607a12
- SHA1: fef5c52c3af36689f3c794ce586d83b0a458afa5
- SHA256: 5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b
- SHA512: 3e1a4e4918b2b64238403811348248ff5955793cf405087edaac332461c74ee3d26b21f814565d22ae4f30cc4436821ac7f9fcdc61cae38d1ce8adf3ff2609b3
- SSDEEP: 24576:ZH14Ct7BwWTmQHsOzj4j85M1hUQDAxzJX4K4hGxosG:ZHGW7BwWtsOzj4jGM1aK4FX3
Malware Config
Extracted
remcos
NEW REM STUB
valvesco.duckdns.org:5050
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-48V73L
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\mnvcbn .exe," | reg.exe
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral1/memory/1968-105-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral1/memory/1968-112-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/316-101-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
-
Nirsoft 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2020-96-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/316-101-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/1968-105-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral1/memory/1968-112-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2012 | mnvcbn .exe
1076 | mnvcbnqa.exe
1640 | mnvcbnqa.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
584 | cmd.exe
2012 | mnvcbn .exe
1076 | mnvcbnqa.exe
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | AddInProcess32.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2012 set thread context of 640 | 2012 | mnvcbn .exe | AddInProcess32.exe
PID 640 set thread context of 316 | 640 | AddInProcess32.exe | AddInProcess32.exe
PID 640 set thread context of 1968 | 640 | AddInProcess32.exe | AddInProcess32.exe
PID 640 set thread context of 2020 | 640 | AddInProcess32.exe | AddInProcess32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid | process
1432 | PING.EXE
1328 | PING.EXE
1960 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
1884 | 2022-11-4 报价请求.PDF.exe
1884 | 2022-11-4 报价请求.PDF.exe
1884 | 2022-11-4 报价请求.PDF.exe
2012 | mnvcbn .exe
2012 | mnvcbn .exe
2012 | mnvcbn .exe
316 | AddInProcess32.exe
316 | AddInProcess32.exe
1076 | mnvcbnqa.exe
1640 | mnvcbnqa.exe
1640 | mnvcbnqa.exe
1640 | mnvcbnqa.exe
2012 | mnvcbn .exe
2012 | mnvcbn .exe
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
pid | process
640 | AddInProcess32.exe
640 | AddInProcess32.exe
640 | AddInProcess32.exe
640 | AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1884 | 2022-11-4 报价请求.PDF.exe
Token: SeDebugPrivilege | 2012 | mnvcbn .exe
Token: SeDebugPrivilege | 2020 | AddInProcess32.exe
Token: SeDebugPrivilege | 1076 | mnvcbnqa.exe
Token: SeDebugPrivilege | 1640 | mnvcbnqa.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
640 | AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2022-11-4 报价请求.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2022-11-4 报价请求.PDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mnvcbn .exe,"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 10
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mnvcbn .exe,"
        - Modifies WinLogon for persistence
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\2022-11-4 报价请求.PDF.exe" "C:\Users\Admin\AppData\Roaming\mnvcbn .exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\mnvcbn .exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 18
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 18
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Roaming\mnvcbn .exe
        Command line: "C:\Users\Admin\AppData\Roaming\mnvcbn .exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\skxolfphrjvjjiwf"
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\vmkhmxabfrnomoljsnc"
            - Accesses Microsoft Outlook accounts
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fhprnqkctzfawuhnbywfsx"
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fhprnqkctzfawuhnbywfsx"
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe (Filesize: 76KB)
- C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.txt (Filesize: 53B)
- C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.txt (Filesize: 56B)
- C:\Users\Admin\AppData\Local\Temp\skxolfphrjvjjiwf (Filesize: 2B)
- C:\Users\Admin\AppData\Roaming\mnvcbn .exe (Filesize: 1.1MB)
- \Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe (Filesize: 76KB)
- \Users\Admin\AppData\Roaming\mnvcbn .exe (Filesize: 1.1MB)