Analysis
-
max time kernel
94s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-11-2022 00:07
General
-
Target
982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e.exe
-
Size
491KB
-
MD5
ebd7aea5d363a032c19d3f58bfaaf802
-
SHA1
75555e23db0ffe361a4cc71522ea603bad8a5b42
-
SHA256
982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
-
SHA512
d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
SSDEEP
3072:zaHqHL+1tc0ZioAX2uq5RhVYtfZ14sBEDErAgsafvWab4sBEDErAgsaf7:zaULim0ZUohVYtfZuBgs93Bgsy
Malware Config
Extracted
pony
http://185.7.34.251/~umord163/decpony/gate.php
Signatures
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE 13 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 4 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e.exe"C:\Users\Admin\AppData\Local\Temp\982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7120213.bat" "C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" "4⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 15643⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7154907.bat" "C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" "6⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 13445⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7160243.bat" "C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" "8⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 15047⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"9⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7179883.bat" "C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" "10⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 17289⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"11⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7217901.bat" "C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" "12⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 130011⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"13⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" 42378Mh OIDIQNARP 174413⤵
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe"C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exe" B9180AMf PFREKKVDV "C:\Users\Admin\AppData\Local\Temp\982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e.exe"2⤵
- Executes dropped EXE
- Deletes itself
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7120213.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\7154907.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\7160243.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\7179883.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\7217901.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
C:\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\Eythjr\ywhs.exeFilesize
491KB
MD5ebd7aea5d363a032c19d3f58bfaaf802
SHA175555e23db0ffe361a4cc71522ea603bad8a5b42
SHA256982a6575259d8d905007d22e464b4d59a72f4930aebfe7862b2840129641739e
SHA512d1f184ac1e2e2e02e66232adc99b946b650a0ca53ce34fc91f76c3d0470879229c4ebb189e45514d2ad655b6e97680d677a6f608c9e6c840d0138c8256eb9ec1
-
memory/292-81-0x0000000000000000-mapping.dmp
-
memory/360-167-0x0000000000000000-mapping.dmp
-
memory/552-177-0x0000000000000000-mapping.dmp
-
memory/584-145-0x0000000000000000-mapping.dmp
-
memory/604-69-0x0000000000000000-mapping.dmp
-
memory/884-134-0x0000000000000000-mapping.dmp
-
memory/884-56-0x0000000000000000-mapping.dmp
-
memory/928-99-0x0000000000000000-mapping.dmp
-
memory/952-57-0x0000000000000000-mapping.dmp
-
memory/1036-112-0x0000000000000000-mapping.dmp
-
memory/1088-164-0x0000000000000000-mapping.dmp
-
memory/1144-143-0x0000000000000000-mapping.dmp
-
memory/1264-90-0x0000000000000000-mapping.dmp
-
memory/1300-165-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1300-163-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1300-162-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1300-153-0x000000000041AF60-mapping.dmp
-
memory/1344-98-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1344-89-0x000000000041AF60-mapping.dmp
-
memory/1344-100-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1344-94-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1344-96-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1504-114-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1504-110-0x000000000041AF60-mapping.dmp
-
memory/1504-118-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1504-122-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1548-155-0x0000000000000000-mapping.dmp
-
memory/1564-65-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-73-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-62-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-76-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-78-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-74-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-70-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-67-0x000000000041AF60-mapping.dmp
-
memory/1564-66-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1624-77-0x0000000000000000-mapping.dmp
-
memory/1700-102-0x0000000000000000-mapping.dmp
-
memory/1728-142-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1728-132-0x000000000041AF60-mapping.dmp
-
memory/1728-141-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1744-175-0x000000000041AF60-mapping.dmp
-
memory/1744-184-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1744-185-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1776-54-0x0000000075521000-0x0000000075523000-memory.dmpFilesize
8KB
-
memory/1928-121-0x0000000000000000-mapping.dmp
-
memory/2016-124-0x0000000000000000-mapping.dmp