Analysis
-
max time kernel
111s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 04:22
Static task
static1
Behavioral task
behavioral1
Sample
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe
Resource
win10v2004-20221111-en
General
-
Target
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe
-
Size
423KB
-
MD5
1fd12be39eaf609a4fc0c70121b32f92
-
SHA1
fe9f48bc1117329e2792d555260d1231dafb7f01
-
SHA256
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
-
SHA512
2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
SSDEEP
12288:esA+w6vdwRZQ8s85vrY4TTO1EYiGgVZ9fN0G:MYSvBTK1EF8
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
dzwbhatvaehtwxku
Signatures
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1676-60-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1676-61-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1676-62-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1676-63-0x000000000047EAEE-mapping.dmp MailPassView behavioral1/memory/1676-65-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1676-67-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/820-85-0x000000000047EAEE-mapping.dmp MailPassView behavioral1/memory/944-97-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/944-96-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/944-100-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/944-102-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/944-103-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1676-60-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1676-61-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1676-62-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1676-63-0x000000000047EAEE-mapping.dmp WebBrowserPassView behavioral1/memory/1676-65-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1676-67-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/820-85-0x000000000047EAEE-mapping.dmp WebBrowserPassView behavioral1/memory/2028-104-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2028-105-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/2028-108-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2028-109-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2028-111-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 17 IoCs
Processes:
resource yara_rule behavioral1/memory/1676-60-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1676-61-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1676-62-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1676-63-0x000000000047EAEE-mapping.dmp Nirsoft behavioral1/memory/1676-65-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1676-67-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/820-85-0x000000000047EAEE-mapping.dmp Nirsoft behavioral1/memory/944-97-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/944-96-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/944-100-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/944-102-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/944-103-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2028-104-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2028-105-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/2028-108-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2028-109-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2028-111-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Windows Update.exeWindows Update.exepid process 1492 Windows Update.exe 820 Windows Update.exe -
Deletes itself 1 IoCs
Processes:
Windows Update.exepid process 820 Windows Update.exe -
Loads dropped DLL 2 IoCs
Processes:
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exeWindows Update.exepid process 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 1492 Windows Update.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Windows Update.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
Processes:
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1552 set thread context of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1492 set thread context of 820 1492 Windows Update.exe Windows Update.exe PID 820 set thread context of 944 820 Windows Update.exe vbc.exe PID 820 set thread context of 2028 820 Windows Update.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exeWindows Update.exeWindows Update.exepid process 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 1492 Windows Update.exe 820 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exeWindows Update.exeWindows Update.exedescription pid process Token: SeDebugPrivilege 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Token: SeDebugPrivilege 1492 Windows Update.exe Token: SeDebugPrivilege 820 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 820 Windows Update.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1552 wrote to memory of 1676 1552 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1676 wrote to memory of 1492 1676 7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 1492 wrote to memory of 820 1492 Windows Update.exe Windows Update.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 944 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe PID 820 wrote to memory of 2028 820 Windows Update.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5b2b5468b146afa334d28242960998109
SHA1ddcd732f6b80ff013f8742857a3a07f8deb086ca
SHA2560056ae900ece5326673320ecd173a2a04b732ef0f7b7c36b65c3dcb86436f520
SHA51219c1accae5837678dfb2377b0f5d3ddd7a5ef6710666dea549fed0de7d1c65c05ac6d0efb487c0479cebaca369456f12461300f1b8dda39dfad79191e3ba178b
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
423KB
MD51fd12be39eaf609a4fc0c70121b32f92
SHA1fe9f48bc1117329e2792d555260d1231dafb7f01
SHA2567afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
SHA5122bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
423KB
MD51fd12be39eaf609a4fc0c70121b32f92
SHA1fe9f48bc1117329e2792d555260d1231dafb7f01
SHA2567afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
SHA5122bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
423KB
MD51fd12be39eaf609a4fc0c70121b32f92
SHA1fe9f48bc1117329e2792d555260d1231dafb7f01
SHA2567afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
SHA5122bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
423KB
MD51fd12be39eaf609a4fc0c70121b32f92
SHA1fe9f48bc1117329e2792d555260d1231dafb7f01
SHA2567afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
SHA5122bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
423KB
MD51fd12be39eaf609a4fc0c70121b32f92
SHA1fe9f48bc1117329e2792d555260d1231dafb7f01
SHA2567afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd
SHA5122bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d
-
memory/820-112-0x0000000000DE5000-0x0000000000DF6000-memory.dmpFilesize
68KB
-
memory/820-101-0x0000000000DE5000-0x0000000000DF6000-memory.dmpFilesize
68KB
-
memory/820-85-0x000000000047EAEE-mapping.dmp
-
memory/820-95-0x00000000746D0000-0x0000000074C7B000-memory.dmpFilesize
5.7MB
-
memory/820-93-0x00000000746D0000-0x0000000074C7B000-memory.dmpFilesize
5.7MB
-
memory/944-102-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/944-97-0x0000000000411654-mapping.dmp
-
memory/944-96-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/944-100-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/944-103-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1492-77-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1492-72-0x0000000000000000-mapping.dmp
-
memory/1492-88-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1552-54-0x0000000075781000-0x0000000075783000-memory.dmpFilesize
8KB
-
memory/1552-55-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1552-56-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1552-69-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1676-61-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-57-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-63-0x000000000047EAEE-mapping.dmp
-
memory/1676-62-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-67-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-60-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-58-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-65-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1676-76-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1676-70-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/2028-108-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2028-109-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2028-111-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2028-105-0x0000000000442628-mapping.dmp
-
memory/2028-104-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB