Analysis
-
max time kernel
217s -
max time network
230s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 15:13
Static task
static1
Behavioral task
behavioral1
Sample
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe
Resource
win10v2004-20221111-en
General
-
Target
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe
-
Size
1.0MB
-
MD5
acd430684ecc9c6278874183ca40a133
-
SHA1
b7fa9d0383a64e5a3c18a66fa3ef4d349d60fbb2
-
SHA256
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9
-
SHA512
301ab23e0989cdd42418d1a5f215ced23a54437d15d8fb6adbaf25edebdbca5ead5ce30a19b5eddba7c63ed07007d946050b830d6c293384d096de718b5c6d8c
-
SSDEEP
12288:Xu460DZby5vzCrdIxM0VVaCWg5ctGnw1uia4goH71NvQZoXYE/WRs4haBVtL8skS:e460EzVMoaXgFw0ia4goHRos4olL8VO
Malware Config
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2696-134-0x0000000000400000-0x00000000004F0000-memory.dmp MailPassView behavioral2/memory/4832-151-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/4832-152-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4832-157-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4832-159-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2696-134-0x0000000000400000-0x00000000004F0000-memory.dmp WebBrowserPassView behavioral2/memory/4868-153-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/4868-155-0x0000000000400000-0x0000000000459000-memory.dmp WebBrowserPassView behavioral2/memory/4868-158-0x0000000000400000-0x0000000000459000-memory.dmp WebBrowserPassView behavioral2/memory/4868-160-0x0000000000400000-0x0000000000459000-memory.dmp WebBrowserPassView behavioral2/memory/4868-162-0x0000000000400000-0x0000000000459000-memory.dmp WebBrowserPassView -
Nirsoft 18 IoCs
Processes:
resource yara_rule behavioral2/memory/2696-134-0x0000000000400000-0x00000000004F0000-memory.dmp Nirsoft behavioral2/memory/4832-151-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/4832-152-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4868-153-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/4868-155-0x0000000000400000-0x0000000000459000-memory.dmp Nirsoft behavioral2/memory/4832-157-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4868-158-0x0000000000400000-0x0000000000459000-memory.dmp Nirsoft behavioral2/memory/4832-159-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4868-160-0x0000000000400000-0x0000000000459000-memory.dmp Nirsoft behavioral2/memory/4868-162-0x0000000000400000-0x0000000000459000-memory.dmp Nirsoft behavioral2/memory/4528-163-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/4528-164-0x0000000000400000-0x0000000000415000-memory.dmp Nirsoft behavioral2/memory/4528-166-0x0000000000400000-0x0000000000415000-memory.dmp Nirsoft behavioral2/memory/4528-168-0x0000000000400000-0x0000000000415000-memory.dmp Nirsoft behavioral2/memory/3116-169-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/3116-170-0x0000000000400000-0x000000000044F000-memory.dmp Nirsoft behavioral2/memory/3116-172-0x0000000000400000-0x000000000044F000-memory.dmp Nirsoft behavioral2/memory/3116-174-0x0000000000400000-0x000000000044F000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Windows Update.exeWindows Update.exepid process 3504 Windows Update.exe 1396 Windows Update.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Windows Update.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 53 whatismyipaddress.com -
Suspicious use of SetThreadContext 6 IoCs
Processes:
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exeWindows Update.exeWindows Update.exedescription pid process target process PID 4528 set thread context of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 3504 set thread context of 1396 3504 Windows Update.exe Windows Update.exe PID 1396 set thread context of 4832 1396 Windows Update.exe vbc.exe PID 1396 set thread context of 4868 1396 Windows Update.exe vbc.exe PID 1396 set thread context of 4528 1396 Windows Update.exe vbc.exe PID 1396 set thread context of 3116 1396 Windows Update.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Windows Update.exepid process 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe 1396 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Windows Update.exedescription pid process Token: SeDebugPrivilege 1396 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 1396 Windows Update.exe -
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exeWindows Update.exeWindows Update.exedescription pid process target process PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 4528 wrote to memory of 2696 4528 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe PID 2696 wrote to memory of 3504 2696 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe Windows Update.exe PID 2696 wrote to memory of 3504 2696 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe Windows Update.exe PID 2696 wrote to memory of 3504 2696 1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 3504 wrote to memory of 1396 3504 Windows Update.exe Windows Update.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4832 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4868 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 4528 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe PID 1396 wrote to memory of 3116 1396 Windows Update.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe"C:\Users\Admin\AppData\Local\Temp\1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe"C:\Users\Admin\AppData\Local\Temp\1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9.exe.logFilesize
411B
MD539582d3351c79bbe6b34c92b86bb2e15
SHA10a5bc37313778570ffd8b7664fd04380446641f3
SHA256a77ea8a3f342c18bc35e84d0c0255345ae259f80dd9ac4837760e5e4d5f593aa
SHA5124e6acca2e4fd55d3dcdcaba0155364dcf17924113f23bb58c895e0119a79906f4e3fd1950d1dbb405cc02509373a1e2057a46dbc364189779ae96abb19214283
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5c30a51b55a68711721d8a168e6e7e4b1
SHA146868ab5ba7bbda0d993153a8838d3cadc6a7426
SHA25612d0420f6116bb359f798979fe2dbe9b9e39aed6f25cbbcbe65522dcd040d76d
SHA512d6cf559613aa4e6754df8e7959a231440c4bbb218cbe7ca821c3eac51c5e9be2c2c7d3aa11e7cfb7a9fb74def1d834d1376421b4f20f3567e2f4b5b2dbf8bd05
-
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txtFilesize
727B
MD515788e2047b69d289d21cb7994d1cae8
SHA145e87afd7dfcb6fe609dbda4db9831900a10633a
SHA2566a5d7cda4ad9cb08fa9729f0961a5160e4cb5939b5e59f5ee7c0ab11ca5f2b83
SHA5126ef8d92a4cfbac6b42b29edb8f0a3e3ff71842a618cf09cb630e47bd3f55076524aed7fd5d9d1e981a7a6ebb16d70b633f79f0270cbdc58b57cb12b5c74611c4
-
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.0MB
MD5acd430684ecc9c6278874183ca40a133
SHA1b7fa9d0383a64e5a3c18a66fa3ef4d349d60fbb2
SHA2561c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9
SHA512301ab23e0989cdd42418d1a5f215ced23a54437d15d8fb6adbaf25edebdbca5ead5ce30a19b5eddba7c63ed07007d946050b830d6c293384d096de718b5c6d8c
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.0MB
MD5acd430684ecc9c6278874183ca40a133
SHA1b7fa9d0383a64e5a3c18a66fa3ef4d349d60fbb2
SHA2561c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9
SHA512301ab23e0989cdd42418d1a5f215ced23a54437d15d8fb6adbaf25edebdbca5ead5ce30a19b5eddba7c63ed07007d946050b830d6c293384d096de718b5c6d8c
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.0MB
MD5acd430684ecc9c6278874183ca40a133
SHA1b7fa9d0383a64e5a3c18a66fa3ef4d349d60fbb2
SHA2561c991ad9e6a09ebde65d749f78a4a73890bf26780891410ca8a07b1dab841ab9
SHA512301ab23e0989cdd42418d1a5f215ced23a54437d15d8fb6adbaf25edebdbca5ead5ce30a19b5eddba7c63ed07007d946050b830d6c293384d096de718b5c6d8c
-
memory/1396-148-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/1396-150-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/1396-144-0x0000000000000000-mapping.dmp
-
memory/2696-136-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/2696-141-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/2696-134-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/2696-133-0x0000000000000000-mapping.dmp
-
memory/3116-172-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/3116-170-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/3116-169-0x0000000000000000-mapping.dmp
-
memory/3116-174-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/3504-142-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/3504-147-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/3504-143-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/3504-137-0x0000000000000000-mapping.dmp
-
memory/4528-132-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/4528-164-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4528-168-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4528-135-0x00000000751B0000-0x0000000075761000-memory.dmpFilesize
5.7MB
-
memory/4528-166-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4528-163-0x0000000000000000-mapping.dmp
-
memory/4832-151-0x0000000000000000-mapping.dmp
-
memory/4832-159-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4832-157-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4832-152-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4868-162-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4868-160-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4868-158-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4868-155-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4868-153-0x0000000000000000-mapping.dmp