Analysis
-
max time kernel
151s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 18:40
Static task
static1
Behavioral task
behavioral1
Sample
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
Resource
win10v2004-20220812-en
General
-
Target
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
-
Size
640KB
-
MD5
6615e3fdf098a182b254fd943a62a474
-
SHA1
790213ad034281437f7887f17a2ae97b73f8131f
-
SHA256
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
-
SHA512
3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
SSDEEP
12288:rFY0DADILZoNEFKED5oJx/Ij9FD/aWWhsaExq:rF/AyZgEcEKK9FD/anil
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
general123
Signatures
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1000-64-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1000-65-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1000-66-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1000-67-0x000000000047E8EE-mapping.dmp MailPassView behavioral1/memory/1000-70-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1000-73-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/308-90-0x000000000047E8EE-mapping.dmp MailPassView behavioral1/memory/1596-101-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1596-102-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/1596-105-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1596-106-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1596-108-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1000-64-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1000-65-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1000-66-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1000-67-0x000000000047E8EE-mapping.dmp WebBrowserPassView behavioral1/memory/1000-70-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1000-73-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/308-90-0x000000000047E8EE-mapping.dmp WebBrowserPassView -
Nirsoft 12 IoCs
Processes:
resource yara_rule behavioral1/memory/1000-64-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1000-65-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1000-66-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1000-67-0x000000000047E8EE-mapping.dmp Nirsoft behavioral1/memory/1000-70-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1000-73-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/308-90-0x000000000047E8EE-mapping.dmp Nirsoft behavioral1/memory/1596-101-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1596-102-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/1596-105-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1596-106-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1596-108-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Windows Update.exeWindows Update.exepid process 1068 Windows Update.exe 308 Windows Update.exe -
Deletes itself 1 IoCs
Processes:
Windows Update.exepid process 308 Windows Update.exe -
Loads dropped DLL 3 IoCs
Processes:
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exea777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exeWindows Update.exepid process 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe 1068 Windows Update.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk" reg.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 whatismyipaddress.com 7 whatismyipaddress.com 4 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1116 set thread context of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1068 set thread context of 308 1068 Windows Update.exe Windows Update.exe PID 308 set thread context of 1596 308 Windows Update.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exeWindows Update.exeWindows Update.exepid process 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe 1068 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe 308 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exeWindows Update.exeWindows Update.exedescription pid process Token: SeDebugPrivilege 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Token: SeDebugPrivilege 1068 Windows Update.exe Token: SeDebugPrivilege 308 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 308 Windows Update.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.execmd.exea777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1116 wrote to memory of 800 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe cmd.exe PID 1116 wrote to memory of 800 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe cmd.exe PID 1116 wrote to memory of 800 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe cmd.exe PID 1116 wrote to memory of 800 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe cmd.exe PID 800 wrote to memory of 560 800 cmd.exe reg.exe PID 800 wrote to memory of 560 800 cmd.exe reg.exe PID 800 wrote to memory of 560 800 cmd.exe reg.exe PID 800 wrote to memory of 560 800 cmd.exe reg.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1116 wrote to memory of 1000 1116 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1000 wrote to memory of 1068 1000 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 1068 wrote to memory of 308 1068 Windows Update.exe Windows Update.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe PID 308 wrote to memory of 1596 308 Windows Update.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5c75d6d0d293ffb4995427e9aa537b095
SHA10fe0b1763179846ae78f0ceb8108a8a3ceb74698
SHA25621ce126b4cf434ba1bf468087a69ce18945fb98ab91a0803e000cef191fb652c
SHA512ec50a0cfeb2d09b242032fdaf44e3052f0ed04920587d387e6d27c1325cf00ba5abc9cb4d3770eaf56b3602a8bb8cb07edeeec76c9c933a45bae6476daee2af2
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
640KB
MD56615e3fdf098a182b254fd943a62a474
SHA1790213ad034281437f7887f17a2ae97b73f8131f
SHA256a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA5123701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
-
memory/308-90-0x000000000047E8EE-mapping.dmp
-
memory/308-107-0x0000000074DB0000-0x000000007535B000-memory.dmpFilesize
5.7MB
-
memory/308-99-0x0000000074DB0000-0x000000007535B000-memory.dmpFilesize
5.7MB
-
memory/560-60-0x0000000000000000-mapping.dmp
-
memory/800-59-0x0000000000000000-mapping.dmp
-
memory/1000-65-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-67-0x000000000047E8EE-mapping.dmp
-
memory/1000-70-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-73-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-66-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-80-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1000-64-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-62-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1000-61-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1068-76-0x0000000000000000-mapping.dmp
-
memory/1068-93-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1068-82-0x0000000000306000-0x0000000000317000-memory.dmpFilesize
68KB
-
memory/1068-81-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1068-94-0x0000000000306000-0x0000000000317000-memory.dmpFilesize
68KB
-
memory/1116-71-0x00000000003D6000-0x00000000003E7000-memory.dmpFilesize
68KB
-
memory/1116-69-0x0000000074DB0000-0x000000007535B000-memory.dmpFilesize
5.7MB
-
memory/1116-54-0x0000000076961000-0x0000000076963000-memory.dmpFilesize
8KB
-
memory/1116-57-0x0000000074DB0000-0x000000007535B000-memory.dmpFilesize
5.7MB
-
memory/1116-56-0x00000000003D6000-0x00000000003E7000-memory.dmpFilesize
68KB
-
memory/1116-55-0x0000000074DB0000-0x000000007535B000-memory.dmpFilesize
5.7MB
-
memory/1596-101-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1596-102-0x0000000000411654-mapping.dmp
-
memory/1596-105-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1596-106-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1596-108-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB