Analysis
-
max time kernel
113s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 14:01
Static task
static1
Behavioral task
behavioral1
Sample
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
Resource
win7-20220812-en
General
-
Target
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
-
Size
562KB
-
MD5
f886c38a35b5b55226ee4160baf51f43
-
SHA1
36c3a0571a2123f71ad168501857de60790041b7
-
SHA256
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
-
SHA512
904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
SSDEEP
12288:zmOGmPQkxEB95xE3JWsJIoDSKPVpzNKwP/6XFh61CUnIfm5f03:zmxmPQ55x9KdpzNNPiVvUIp
Malware Config
Signatures
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1916-60-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1916-61-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1916-62-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1916-63-0x000000000047EAEE-mapping.dmp MailPassView behavioral1/memory/1916-65-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1916-67-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1016-86-0x000000000047EAEE-mapping.dmp MailPassView behavioral1/memory/696-99-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/696-100-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/696-103-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/696-104-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/696-105-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1916-60-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1916-61-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1916-62-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1916-63-0x000000000047EAEE-mapping.dmp WebBrowserPassView behavioral1/memory/1916-65-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1916-67-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1016-86-0x000000000047EAEE-mapping.dmp WebBrowserPassView behavioral1/memory/1576-106-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1576-107-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1576-110-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1576-111-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1576-113-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 17 IoCs
Processes:
resource yara_rule behavioral1/memory/1916-60-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1916-61-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1916-62-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1916-63-0x000000000047EAEE-mapping.dmp Nirsoft behavioral1/memory/1916-65-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1916-67-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1016-86-0x000000000047EAEE-mapping.dmp Nirsoft behavioral1/memory/696-99-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/696-100-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/696-103-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/696-104-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/696-105-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1576-106-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1576-107-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1576-110-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1576-111-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1576-113-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Windows Update.exeWindows Update.exepid process 1740 Windows Update.exe 1016 Windows Update.exe -
Drops startup file 2 IoCs
Processes:
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exeWindows Update.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnk 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnk Windows Update.exe -
Loads dropped DLL 4 IoCs
Processes:
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exeWindows Update.exepid process 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 1740 Windows Update.exe 1740 Windows Update.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Windows Update.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 whatismyipaddress.com 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
Processes:
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exeWindows Update.exeWindows Update.exedescription pid process target process PID 284 set thread context of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 1740 set thread context of 1016 1740 Windows Update.exe Windows Update.exe PID 1016 set thread context of 696 1016 Windows Update.exe vbc.exe PID 1016 set thread context of 1576 1016 Windows Update.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Windows Update.exepid process 1016 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Windows Update.exedescription pid process Token: SeDebugPrivilege 1016 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 1016 Windows Update.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exeWindows Update.exeWindows Update.exedescription pid process target process PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 284 wrote to memory of 1916 284 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1916 wrote to memory of 1740 1916 545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1740 wrote to memory of 1016 1740 Windows Update.exe Windows Update.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 696 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe PID 1016 wrote to memory of 1576 1016 Windows Update.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5dadcdbfd871a7b4edeb98ad70621ad60
SHA18b0268f5540fd0bc0d71fb2d7b268c85a89a093f
SHA256744e2f63293665e69598dc1fd4164c0ba6de2b5a710e0d60a74c2d3c92f24b33
SHA512e4fbcffe87f4be2e4d4034cbb9b284ec42d2c6766fe246043b9fc9ba1e0c2436fb0159d9a90a562e7cb3fbd09cc699ede517c91a0a4292d26e929d94c795390f
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnkFilesize
916B
MD542c2724eb44735cafab5b89df08dc3b5
SHA10864858bd9b8bfe48a5fe3d26c1a1eb309bd4e37
SHA256171ecf7c569a6be4bfcea56e64efb38ab38ef4093474b46f4b0903b567c7560d
SHA5121e5e68cef08d97dccaec278a35727783739929b8bb459811d4b6c028c407969575153ea7da2484f227bdcbe3dac96197cba33692a86178057354716a23dbfd13
-
C:\Users\Admin\AppData\Roaming\TwLiiVlrzn\gz68mkaaJQ.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
\Users\Admin\AppData\Roaming\TwLiiVlrzn\gz68mkaaJQ.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
\Users\Admin\AppData\Roaming\TwLiiVlrzn\gz68mkaaJQ.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
562KB
MD5f886c38a35b5b55226ee4160baf51f43
SHA136c3a0571a2123f71ad168501857de60790041b7
SHA256545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
-
memory/284-54-0x0000000076201000-0x0000000076203000-memory.dmpFilesize
8KB
-
memory/284-56-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/284-55-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/696-100-0x0000000000411654-mapping.dmp
-
memory/696-99-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/696-105-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/696-104-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/696-103-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1016-86-0x000000000047EAEE-mapping.dmp
-
memory/1016-94-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1016-98-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1576-113-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1576-111-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1576-110-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1576-107-0x0000000000442628-mapping.dmp
-
memory/1576-106-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1740-76-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1740-71-0x0000000000000000-mapping.dmp
-
memory/1740-78-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1916-62-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-69-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1916-58-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-75-0x0000000074350000-0x00000000748FB000-memory.dmpFilesize
5.7MB
-
memory/1916-60-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-61-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-67-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-63-0x000000000047EAEE-mapping.dmp
-
memory/1916-57-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1916-65-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB