Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 08:39
Static task
static1
Behavioral task
behavioral1
Sample
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe
Resource
win10v2004-20220812-en
General
-
Target
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe
-
Size
1.4MB
-
MD5
da07bd9468f54a1b6b2e0ef10af1055d
-
SHA1
e92509af85492c6ac6f9c9713ae4be8c129cfb81
-
SHA256
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
-
SHA512
036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
SSDEEP
24576:1NrVMor2JF195R3LrLiMrdbWEDdfRp4/53XUn1Qk3Pc29x+GQX8LsBLli:1PrAbvR3LiMrj5fROh3U1tBx+GA8L8U
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
taskhost.exetaskhost.exeWindows Update.exetaskhost.exepid process 2452 taskhost.exe 1760 taskhost.exe 4012 Windows Update.exe 4676 taskhost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exetaskhost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation taskhost.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
reg.exetaskhost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti Virus = "C:\\ProgramData\\taskhost.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" taskhost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 44 whatismyipaddress.com 46 whatismyipaddress.com -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exetaskhost.exeWindows Update.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum taskhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 taskhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Windows Update.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
taskhost.exetaskhost.exedescription pid process target process PID 2452 set thread context of 1760 2452 taskhost.exe taskhost.exe PID 2452 set thread context of 4676 2452 taskhost.exe taskhost.exe PID 4676 set thread context of 4476 4676 taskhost.exe vbc.exe PID 4676 set thread context of 3364 4676 taskhost.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exetaskhost.exeWindows Update.exetaskhost.exepid process 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 4012 Windows Update.exe 2452 taskhost.exe 2452 taskhost.exe 4676 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 4676 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe 2452 taskhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exetaskhost.exeWindows Update.exetaskhost.exevbc.exevbc.exedescription pid process Token: SeDebugPrivilege 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe Token: SeDebugPrivilege 2452 taskhost.exe Token: SeDebugPrivilege 4012 Windows Update.exe Token: SeDebugPrivilege 4676 taskhost.exe Token: SeDebugPrivilege 4476 vbc.exe Token: SeDebugPrivilege 3364 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
taskhost.exepid process 4676 taskhost.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.execmd.exetaskhost.exetaskhost.exetaskhost.exedescription pid process target process PID 4436 wrote to memory of 1016 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe cmd.exe PID 4436 wrote to memory of 1016 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe cmd.exe PID 4436 wrote to memory of 1016 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe cmd.exe PID 1016 wrote to memory of 1780 1016 cmd.exe reg.exe PID 1016 wrote to memory of 1780 1016 cmd.exe reg.exe PID 1016 wrote to memory of 1780 1016 cmd.exe reg.exe PID 4436 wrote to memory of 2452 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe taskhost.exe PID 4436 wrote to memory of 2452 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe taskhost.exe PID 4436 wrote to memory of 2452 4436 d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 1760 2452 taskhost.exe taskhost.exe PID 1760 wrote to memory of 4012 1760 taskhost.exe Windows Update.exe PID 1760 wrote to memory of 4012 1760 taskhost.exe Windows Update.exe PID 1760 wrote to memory of 4012 1760 taskhost.exe Windows Update.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 2452 wrote to memory of 4676 2452 taskhost.exe taskhost.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 4476 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe PID 4676 wrote to memory of 3364 4676 taskhost.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe"C:\Users\Admin\AppData\Local\Temp\d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\ProgramData\taskhost.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\ProgramData\taskhost.exe"3⤵
- Adds Run key to start application
-
C:\ProgramData\taskhost.exe"C:\ProgramData\taskhost.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\taskhost.exe"C:\ProgramData\taskhost.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\taskhost.exe"C:\ProgramData\taskhost.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\taskhost.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
C:\ProgramData\taskhost.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
C:\ProgramData\taskhost.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
C:\ProgramData\taskhost.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\taskhost.exe.logFilesize
594B
MD5fdb26b3b547022b45cfaeee57eafd566
SHA111c6798b8a59233f404014c5e79b3363cd564b37
SHA2562707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0
SHA51244d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
27B
MD5469935cb7643d938462dd8626ea43f19
SHA13b3c8fe30ffeda03f33e24d52e0fbf8fc241fee1
SHA256700a1869538429540c91e3af61a69fbc7499669cb64b1a559b2b9b5353147b90
SHA512090cb742c27ea35169eae61ae19d343ed9b5fd93000e58cdf2921dbfd3a0417ead7860730413c81e971c1eae83080118bb2c6fbeb7d5a44631d2569c2f59dd6e
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
327B
MD51265c5140a2f68b05b92aa1a25a2abb6
SHA1627a660e9d2a41c8c4a662ca44fdb68a1356bc82
SHA256694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
SHA512ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
1KB
MD501e7975c708365983265ae40d604beb4
SHA1f1c793c9b7a312d355cd944928ba9272bbeec44e
SHA25695d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40
SHA5129c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.4MB
MD5da07bd9468f54a1b6b2e0ef10af1055d
SHA1e92509af85492c6ac6f9c9713ae4be8c129cfb81
SHA256d07c52e76e70f10941d294fbf9cbb34fcb3097d1a0a3d3c9d5f216b3b0a83462
SHA512036478fe9143a55ac12db163d7edf76b1c2dfc4f701d83cea1d99c010faa4300620da62e01326ff8113cbc903f65c2c0013b91edae944e5fb223f2d9a831a1e6
-
memory/1016-134-0x0000000000000000-mapping.dmp
-
memory/1760-150-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/1760-144-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/1760-142-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/1760-141-0x0000000000000000-mapping.dmp
-
memory/1780-135-0x0000000000000000-mapping.dmp
-
memory/2452-140-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/2452-145-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/2452-136-0x0000000000000000-mapping.dmp
-
memory/3364-168-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3364-167-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3364-166-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3364-169-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3364-165-0x0000000000000000-mapping.dmp
-
memory/3364-171-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4012-157-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4012-146-0x0000000000000000-mapping.dmp
-
memory/4012-149-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4436-139-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4436-133-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4436-132-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4476-163-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/4476-158-0x0000000000000000-mapping.dmp
-
memory/4476-159-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/4476-160-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/4476-161-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/4676-156-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4676-164-0x0000000074840000-0x0000000074DF1000-memory.dmpFilesize
5.7MB
-
memory/4676-151-0x0000000000000000-mapping.dmp