Analysis
-
max time kernel
151s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 07:25
Static task
static1
Behavioral task
behavioral1
Sample
96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar
Resource
win10v2004-20220812-en
General
-
Target
96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar
-
Size
315KB
-
MD5
da86ebc58406c0e5f462e5a1ae16f861
-
SHA1
c4f437cff14b052b0deb707887ea09c9e68383f6
-
SHA256
96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa
-
SHA512
523e542dffa2dca34dff8b85beb4554250539f31f20e345308945f10b7aa1a0f4104da3604b1529ffe745ad672e57456d2651f47a37c8ac5c4cda3d35ccaf2fd
-
SSDEEP
6144:unNXtwg3rsWNqvXuQCocAUpZxlAbtaoiOlUd9USANf/0BqcpzrzR0/+LM7dL+M:und3rsWNqBCocAUvxyagNXUqclZ0/iQj
Malware Config
Extracted
pony
http://ghoesi.tk/scala/gate.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
asdqw30295147621630220480Jamesss.exeasdqw30295147621630220480Jamesss.exepid process 4692 asdqw30295147621630220480Jamesss.exe 3452 asdqw30295147621630220480Jamesss.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 4296 attrib.exe 2808 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
asdqw30295147621630220480Jamesss.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation asdqw30295147621630220480Jamesss.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
asdqw30295147621630220480Jamesss.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts asdqw30295147621630220480Jamesss.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
asdqw30295147621630220480Jamesss.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook asdqw30295147621630220480Jamesss.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
reg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlUYHJ7y3x = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ie0BjxAPXD\\OYmREFT1Hb.VwA\"" reg.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlUYHJ7y3x = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ie0BjxAPXD\\OYmREFT1Hb.VwA\"" reg.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
javaw.exeattrib.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.ini javaw.exe File opened for modification C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.ini attrib.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
asdqw30295147621630220480Jamesss.exedescription pid process target process PID 4692 set thread context of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe -
Drops file in Windows directory 4 IoCs
Processes:
javaw.exejavaw.exedescription ioc process File created C:\Windows\tem javaw.exe File opened for modification C:\Windows\tem javaw.exe File created C:\Windows\tem javaw.exe File opened for modification C:\Windows\tem javaw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
asdqw30295147621630220480Jamesss.exeasdqw30295147621630220480Jamesss.exedescription pid process Token: SeDebugPrivilege 4692 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeImpersonatePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeTcbPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeChangeNotifyPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeCreateTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeBackupPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeRestorePrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeIncreaseQuotaPrivilege 3452 asdqw30295147621630220480Jamesss.exe Token: SeAssignPrimaryTokenPrivilege 3452 asdqw30295147621630220480Jamesss.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
java.exejavaw.exejavaw.exepid process 5080 java.exe 4932 javaw.exe 208 javaw.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
java.execmd.exejavaw.exeasdqw30295147621630220480Jamesss.exejavaw.exeasdqw30295147621630220480Jamesss.exedescription pid process target process PID 5080 wrote to memory of 1236 5080 java.exe cmd.exe PID 5080 wrote to memory of 1236 5080 java.exe cmd.exe PID 5080 wrote to memory of 4932 5080 java.exe javaw.exe PID 5080 wrote to memory of 4932 5080 java.exe javaw.exe PID 1236 wrote to memory of 4692 1236 cmd.exe asdqw30295147621630220480Jamesss.exe PID 1236 wrote to memory of 4692 1236 cmd.exe asdqw30295147621630220480Jamesss.exe PID 1236 wrote to memory of 4692 1236 cmd.exe asdqw30295147621630220480Jamesss.exe PID 4932 wrote to memory of 2144 4932 javaw.exe reg.exe PID 4932 wrote to memory of 2144 4932 javaw.exe reg.exe PID 4932 wrote to memory of 2808 4932 javaw.exe attrib.exe PID 4932 wrote to memory of 2808 4932 javaw.exe attrib.exe PID 4932 wrote to memory of 4296 4932 javaw.exe attrib.exe PID 4932 wrote to memory of 4296 4932 javaw.exe attrib.exe PID 4932 wrote to memory of 208 4932 javaw.exe javaw.exe PID 4932 wrote to memory of 208 4932 javaw.exe javaw.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 4692 wrote to memory of 3452 4692 asdqw30295147621630220480Jamesss.exe asdqw30295147621630220480Jamesss.exe PID 208 wrote to memory of 3020 208 javaw.exe reg.exe PID 208 wrote to memory of 3020 208 javaw.exe reg.exe PID 3452 wrote to memory of 1756 3452 asdqw30295147621630220480Jamesss.exe cmd.exe PID 3452 wrote to memory of 1756 3452 asdqw30295147621630220480Jamesss.exe cmd.exe PID 3452 wrote to memory of 1756 3452 asdqw30295147621630220480Jamesss.exe cmd.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2808 attrib.exe 4296 attrib.exe -
outlook_win_path 1 IoCs
Processes:
asdqw30295147621630220480Jamesss.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook asdqw30295147621630220480Jamesss.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exeC:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exe"C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240642296.bat" "C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exe" "5⤵PID:1756
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\asdqw83163131574013185531List.jar"2⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SYSTEM32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FlUYHJ7y3x /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:2144 -
C:\Windows\SYSTEM32\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\*.*"3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:2808 -
C:\Windows\SYSTEM32\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD"3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4296 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA"3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SYSTEM32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FlUYHJ7y3x /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA\"" /f4⤵
- Adds Run key to start application
- Modifies registry key
PID:3020
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampFilesize
50B
MD5b1234bc858f205d5765bdd4d4f194276
SHA1108a06fd7c2105ee12c7836907d5acd268513ee4
SHA2560f8060cf3aca85c6d725d3b6e47c66f000e27a99588f1d4781fca5b80a0c6308
SHA512c0eac66fbe63fdc45cc6bbf03d54de809a5e6b5014ff4a1ec8199c8c3223dd9773d12f7cd2d9c73d1c866b58fd04c407f3782bd0f0d8acb688af054d227c2e29
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampFilesize
50B
MD59452164d93c9eae97fd57af3838feb4d
SHA1bef07bb1bf8524215cad6662accfb5c07937d0fe
SHA2569c416d3c286d5492955b867e975599e1eee015720ec0ee876e061a2b1a23fb54
SHA5126d28742ece392006e9143bde716204a6367614bea01683a06dbb6bd32bfd3cf10c99a7e1db80141c50b6cc8a18c237f15b53eeb6a94567155d2cc08a197cef38
-
C:\Users\Admin\AppData\Local\Temp\240642296.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exeFilesize
359KB
MD5770cfc8f837ede9ff7775ed9aee3c736
SHA19fb5c22f1972ee661b7c432a6ff0797cd3b007b3
SHA2565f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8
SHA512e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8
-
C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exeFilesize
359KB
MD5770cfc8f837ede9ff7775ed9aee3c736
SHA19fb5c22f1972ee661b7c432a6ff0797cd3b007b3
SHA2565f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8
SHA512e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8
-
C:\Users\Admin\AppData\Local\Temp\asdqw30295147621630220480Jamesss.exeFilesize
359KB
MD5770cfc8f837ede9ff7775ed9aee3c736
SHA19fb5c22f1972ee661b7c432a6ff0797cd3b007b3
SHA2565f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8
SHA512e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8
-
C:\Users\Admin\AppData\Local\Temp\asdqw83163131574013185531List.jarFilesize
97KB
MD5d5adb5e6f16786fb8e87f4ba6ca59311
SHA11078e0a3637412550770acafcaaa9a70b37bbc53
SHA256f9549ed3c45c8e5c305883fd79052437e0ab666c2b8c0c96f1781f71dcd64085
SHA51275259756e11eb2a3a3b646e9daebc18ff21db5e323878b1e65566d945513fa66eb56f59433cd26b8e4647a577612cadfa4f376bf5d2e651341fc208ad99448c8
-
C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.iniFilesize
63B
MD5e783bdd20a976eaeaae1ff4624487420
SHA1c2a44fab9df00b3e11582546b16612333c2f9286
SHA2562f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
SHA5128c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80
-
C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwAFilesize
97KB
MD5d5adb5e6f16786fb8e87f4ba6ca59311
SHA11078e0a3637412550770acafcaaa9a70b37bbc53
SHA256f9549ed3c45c8e5c305883fd79052437e0ab666c2b8c0c96f1781f71dcd64085
SHA51275259756e11eb2a3a3b646e9daebc18ff21db5e323878b1e65566d945513fa66eb56f59433cd26b8e4647a577612cadfa4f376bf5d2e651341fc208ad99448c8
-
memory/208-167-0x0000000000000000-mapping.dmp
-
memory/208-179-0x00000000032F0000-0x00000000042F0000-memory.dmpFilesize
16.0MB
-
memory/208-188-0x00000000032F0000-0x00000000042F0000-memory.dmpFilesize
16.0MB
-
memory/1236-142-0x0000000000000000-mapping.dmp
-
memory/1756-191-0x0000000000000000-mapping.dmp
-
memory/2144-164-0x0000000000000000-mapping.dmp
-
memory/2808-165-0x0000000000000000-mapping.dmp
-
memory/3020-190-0x0000000000000000-mapping.dmp
-
memory/3452-192-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3452-186-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3452-189-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3452-180-0x0000000000000000-mapping.dmp
-
memory/3452-181-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3452-184-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/4296-166-0x0000000000000000-mapping.dmp
-
memory/4692-185-0x0000000074AB0000-0x0000000075061000-memory.dmpFilesize
5.7MB
-
memory/4692-162-0x0000000074AB0000-0x0000000075061000-memory.dmpFilesize
5.7MB
-
memory/4692-160-0x0000000074AB0000-0x0000000075061000-memory.dmpFilesize
5.7MB
-
memory/4692-147-0x0000000000000000-mapping.dmp
-
memory/4932-161-0x0000000002B50000-0x0000000003B50000-memory.dmpFilesize
16.0MB
-
memory/4932-159-0x0000000002B50000-0x0000000003B50000-memory.dmpFilesize
16.0MB
-
memory/4932-143-0x0000000000000000-mapping.dmp
-
memory/5080-141-0x0000000002A00000-0x0000000003A00000-memory.dmpFilesize
16.0MB