Analysis
-
max time kernel
151s -
max time network
97s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 10:49
Behavioral task
behavioral1
Sample
PI.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PI.exe
Resource
win10v2004-20220901-en
General
-
Target
PI.exe
-
Size
992KB
-
MD5
f915f94f551c0c5371d093dbe27bbfaa
-
SHA1
912941a11e2c924eceb37ac5928ba457a10d8512
-
SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
SSDEEP
24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
diamond7625w@gmail.com - Password:
pdmiawgubaleywef
Signatures
-
NirSoft MailPassView 7 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp MailPassView behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp MailPassView -
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp WebBrowserPassView behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp Nirsoft behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp Nirsoft -
Executes dropped EXE 1 IoCs
Processes:
IpOverUsbSvrc.exepid process 888 IpOverUsbSvrc.exe -
Loads dropped DLL 1 IoCs
Processes:
PI.exepid process 1476 PI.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe agile_net C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe agile_net C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe agile_net -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
IpOverUsbSvrc.exePI.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe" IpOverUsbSvrc.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" PI.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 whatismyipaddress.com 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 7 IoCs
Processes:
PI.exePI.exePI.exePI.exePI.exePI.exedescription pid process target process PID 1476 set thread context of 1984 1476 PI.exe PI.exe PID 1984 set thread context of 1608 1984 PI.exe PI.exe PID 1476 set thread context of 924 1476 PI.exe PI.exe PID 1608 set thread context of 1076 1608 PI.exe PI.exe PID 1076 set thread context of 1156 1076 PI.exe vbc.exe PID 924 set thread context of 1580 924 PI.exe PI.exe PID 1580 set thread context of 1808 1580 PI.exe PI.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1624 1156 WerFault.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PI.exeIpOverUsbSvrc.exePI.exepid process 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1476 PI.exe 1476 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1984 PI.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe 1476 PI.exe 1984 PI.exe 1476 PI.exe 888 IpOverUsbSvrc.exe 1984 PI.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
PI.exePI.exeIpOverUsbSvrc.exePI.exePI.exePI.exePI.exedescription pid process Token: SeDebugPrivilege 1476 PI.exe Token: SeDebugPrivilege 1984 PI.exe Token: SeDebugPrivilege 888 IpOverUsbSvrc.exe Token: SeDebugPrivilege 1608 PI.exe Token: SeDebugPrivilege 1076 PI.exe Token: SeDebugPrivilege 924 PI.exe Token: SeDebugPrivilege 1580 PI.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PI.exepid process 1076 PI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PI.exePI.exePI.exePI.exevbc.exePI.exedescription pid process target process PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 1984 1476 PI.exe PI.exe PID 1476 wrote to memory of 888 1476 PI.exe IpOverUsbSvrc.exe PID 1476 wrote to memory of 888 1476 PI.exe IpOverUsbSvrc.exe PID 1476 wrote to memory of 888 1476 PI.exe IpOverUsbSvrc.exe PID 1476 wrote to memory of 888 1476 PI.exe IpOverUsbSvrc.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1984 wrote to memory of 1608 1984 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1476 wrote to memory of 924 1476 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1608 wrote to memory of 1076 1608 PI.exe PI.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1076 wrote to memory of 1156 1076 PI.exe vbc.exe PID 1156 wrote to memory of 1624 1156 vbc.exe WerFault.exe PID 1156 wrote to memory of 1624 1156 vbc.exe WerFault.exe PID 1156 wrote to memory of 1624 1156 vbc.exe WerFault.exe PID 1156 wrote to memory of 1624 1156 vbc.exe WerFault.exe PID 1076 wrote to memory of 864 1076 PI.exe dw20.exe PID 1076 wrote to memory of 864 1076 PI.exe dw20.exe PID 1076 wrote to memory of 864 1076 PI.exe dw20.exe PID 1076 wrote to memory of 864 1076 PI.exe dw20.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe PID 924 wrote to memory of 1580 924 PI.exe PI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 366⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 15925⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD503c4f3f5cdbc342eb1c0349e001fdd0c
SHA17d45ed19db4eaed16d1985240c98fab7623798e5
SHA256a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD503c4f3f5cdbc342eb1c0349e001fdd0c
SHA17d45ed19db4eaed16d1985240c98fab7623798e5
SHA256a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
992KB
MD5f915f94f551c0c5371d093dbe27bbfaa
SHA1912941a11e2c924eceb37ac5928ba457a10d8512
SHA2569cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
992KB
MD5f915f94f551c0c5371d093dbe27bbfaa
SHA1912941a11e2c924eceb37ac5928ba457a10d8512
SHA2569cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
992KB
MD5f915f94f551c0c5371d093dbe27bbfaa
SHA1912941a11e2c924eceb37ac5928ba457a10d8512
SHA2569cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD503c4f3f5cdbc342eb1c0349e001fdd0c
SHA17d45ed19db4eaed16d1985240c98fab7623798e5
SHA256a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
memory/864-133-0x0000000000000000-mapping.dmp
-
memory/888-82-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/888-76-0x0000000000000000-mapping.dmp
-
memory/888-80-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/924-127-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/924-106-0x00000000004E083E-mapping.dmp
-
memory/924-108-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/924-110-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/924-112-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-126-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1076-115-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-135-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1076-120-0x000000000047E90E-mapping.dmp
-
memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1076-114-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1156-129-0x0000000000411654-mapping.dmp
-
memory/1156-128-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmpFilesize
8KB
-
memory/1476-56-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1476-55-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1580-144-0x000000000049657E-mapping.dmp
-
memory/1580-150-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1580-151-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1608-93-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-85-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-89-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-90-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-91-0x000000000049657E-mapping.dmp
-
memory/1608-152-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1608-84-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-98-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1608-97-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1608-95-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1608-87-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/1624-132-0x0000000000000000-mapping.dmp
-
memory/1808-159-0x000000000047E90E-mapping.dmp
-
memory/1808-170-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1808-171-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1984-57-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-61-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-74-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1984-99-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1984-65-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-69-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-81-0x0000000074E30000-0x00000000753DB000-memory.dmpFilesize
5.7MB
-
memory/1984-72-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-64-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-63-0x00000000004E083E-mapping.dmp
-
memory/1984-58-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB
-
memory/1984-60-0x0000000000080000-0x0000000000166000-memory.dmpFilesize
920KB