Analysis
- max time kernel: 100s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 20:57
Static task: static1
Behavioral task: behavioral1
- Sample: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Resource: win10v2004-20221111-en
General
- Target: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Size: 1.1MB
- MD5: f318e540a01cf649bbb1640c81c55c94
- SHA1: 7afdb12755c99467b79dcc7ca92b07cac8b38a93
- SHA256: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
- SHA512: a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
- SSDEEP: 24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: drlwjrdttnageixp
Signatures
-
NirSoft MailPassView 11 IoCs
Password recovery tool for various email clients
NirSoft WebBrowserPassView 11 IoCs
Password recovery tool for various web browsers
Nirsoft 24 IoCs
Executes dropped EXE 2 IoCs
Processes:
- PID 1700: nvtray.exe
- PID 1580: nvtray.exe
Loads dropped DLL 1 IoCs
Processes:
- PID 1952: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 6: whatismyipaddress.com
- flow 7: whatismyipaddress.com
- flow 4: whatismyipaddress.com
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: nvtray.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: nvtray.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1700 (nvtray.exe) set thread context of 1580 (target process: nvtray.exe)
- PID 1580 (nvtray.exe) set thread context of 920 (target process: vbc.exe)
- PID 1580 (nvtray.exe) set thread context of 1604 (target process: vbc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1952: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Token: SeDebugPrivilege, PID 1700: nvtray.exe
- Token: SeDebugPrivilege, PID 1580: nvtray.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 1580: nvtray.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes
- PID 1952: C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe"
  Signatures: Loads dropped DLL; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 1108: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1156: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe"
  - PID 1700: C:\Users\Admin\AppData\Roaming\nvtray.exe
    Command line: "C:\Users\Admin\AppData\Roaming\nvtray.exe"
    Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 1580: C:\Users\Admin\AppData\Roaming\nvtray.exe
      Command line: "C:\Users\Admin\AppData\Roaming\nvtray.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 920: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - PID 1604: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      - PID 2032: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
      - PID 844: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt (Filesize: 2B)
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt (Filesize: 2B)
- C:\Users\Admin\AppData\Roaming\nvtray.exe (Filesize: 1.1MB)