Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
01-02-2023 22:25
Static task
static1
Behavioral task
behavioral1
Sample
Legion Private Bot.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Legion Private Bot.exe
Resource
win10v2004-20221111-en
General
-
Target
Legion Private Bot.exe
-
Size
640KB
-
MD5
092334866080e7ec50fccc264d869221
-
SHA1
b4b69530c71474507e8ec5a341252e11862986e0
-
SHA256
1080f3cd4328fd1e0597c4aba89bf5004894c938234f2d2ccf282f1416219864
-
SHA512
101eaf97dc6293d7295fccd7883d161c128c780f55d76ba3132685cd92d52d0a417b373d08aa7cdde82f7cf0831776ea959040c7f6fb9568abbf34d365cbc9d9
-
SSDEEP
12288:/QGF2tAu9o+JPYx+5psS5GkwqbT7pllql+WZcYrje23UFDd6S7sQo:/7F2tAu9o+JQ+5psSU12olvraDt7s
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5345460701:AAELDlYM_8yHwfKYHoYl_27JYXLpT-SLsyY/sendMessage?chat_id=689992339
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1804-152-0x0000000000400000-0x0000000000440000-memory.dmp family_stormkitty -
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1804-152-0x0000000000400000-0x0000000000440000-memory.dmp asyncrat -
Executes dropped EXE 4 IoCs
Processes:
svc host.exeWindows Security Service.exesvc host.exeWindows Security Service.exepid process 1464 svc host.exe 3368 Windows Security Service.exe 4348 svc host.exe 1804 Windows Security Service.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Legion Private Bot.exeWindows Security Service.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation Legion Private Bot.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation Windows Security Service.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Legion Private Bot.exesvc host.exeWindows Security Service.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe" Legion Private Bot.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FoGzRNCsHJ = "C:\\Users\\Admin\\AppData\\Roaming\\wDWQzMbHJQ\\xBLQRnSbFD.exe" svc host.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SoMYYdgGNH = "C:\\Users\\Admin\\AppData\\Roaming\\GxMBKmkSFT\\YdXWJzaKWR.exe" Windows Security Service.exe -
Drops desktop.ini file(s) 10 IoCs
Processes:
Windows Security Service.exedescription ioc process File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Windows Security Service.exe File opened for modification C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Windows Security Service.exe File opened for modification C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Windows Security Service.exe File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini Windows Security Service.exe File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini Windows Security Service.exe File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Windows Security Service.exe File opened for modification C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Windows Security Service.exe File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Windows Security Service.exe File created C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Windows Security Service.exe File opened for modification C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Windows Security Service.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
Legion Private Bot.exesvc host.exeWindows Security Service.exedescription pid process target process PID 3388 set thread context of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 1464 set thread context of 4348 1464 svc host.exe svc host.exe PID 3368 set thread context of 1804 3368 Windows Security Service.exe Windows Security Service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Windows Security Service.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Windows Security Service.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Windows Security Service.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Windows Security Service.exepid process 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe 1804 Windows Security Service.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Windows Security Service.exedescription pid process Token: SeDebugPrivilege 1804 Windows Security Service.exe Token: SeDebugPrivilege 1804 Windows Security Service.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
Legion Private Bot.exeLegion Private Bot.exesvc host.exeWindows Security Service.exeWindows Security Service.execmd.execmd.exedescription pid process target process PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 3388 wrote to memory of 1704 3388 Legion Private Bot.exe Legion Private Bot.exe PID 1704 wrote to memory of 1464 1704 Legion Private Bot.exe svc host.exe PID 1704 wrote to memory of 1464 1704 Legion Private Bot.exe svc host.exe PID 1704 wrote to memory of 1464 1704 Legion Private Bot.exe svc host.exe PID 1704 wrote to memory of 3368 1704 Legion Private Bot.exe Windows Security Service.exe PID 1704 wrote to memory of 3368 1704 Legion Private Bot.exe Windows Security Service.exe PID 1704 wrote to memory of 3368 1704 Legion Private Bot.exe Windows Security Service.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 1464 wrote to memory of 4348 1464 svc host.exe svc host.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 3368 wrote to memory of 1804 3368 Windows Security Service.exe Windows Security Service.exe PID 1804 wrote to memory of 5056 1804 Windows Security Service.exe cmd.exe PID 1804 wrote to memory of 5056 1804 Windows Security Service.exe cmd.exe PID 1804 wrote to memory of 5056 1804 Windows Security Service.exe cmd.exe PID 5056 wrote to memory of 4300 5056 cmd.exe chcp.com PID 5056 wrote to memory of 4300 5056 cmd.exe chcp.com PID 5056 wrote to memory of 4300 5056 cmd.exe chcp.com PID 5056 wrote to memory of 2164 5056 cmd.exe netsh.exe PID 5056 wrote to memory of 2164 5056 cmd.exe netsh.exe PID 5056 wrote to memory of 2164 5056 cmd.exe netsh.exe PID 5056 wrote to memory of 3448 5056 cmd.exe findstr.exe PID 5056 wrote to memory of 3448 5056 cmd.exe findstr.exe PID 5056 wrote to memory of 3448 5056 cmd.exe findstr.exe PID 1804 wrote to memory of 4572 1804 Windows Security Service.exe cmd.exe PID 1804 wrote to memory of 4572 1804 Windows Security Service.exe cmd.exe PID 1804 wrote to memory of 4572 1804 Windows Security Service.exe cmd.exe PID 4572 wrote to memory of 4252 4572 cmd.exe chcp.com PID 4572 wrote to memory of 4252 4572 cmd.exe chcp.com PID 4572 wrote to memory of 4252 4572 cmd.exe chcp.com PID 4572 wrote to memory of 3568 4572 cmd.exe netsh.exe PID 4572 wrote to memory of 3568 4572 cmd.exe netsh.exe PID 4572 wrote to memory of 3568 4572 cmd.exe netsh.exe PID 1804 wrote to memory of 3388 1804 Windows Security Service.exe schtasks.exe PID 1804 wrote to memory of 3388 1804 Windows Security Service.exe schtasks.exe PID 1804 wrote to memory of 3388 1804 Windows Security Service.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svc host.exe"C:\Users\Admin\AppData\Roaming\svc host.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svc host.exe"C:\Users\Admin\AppData\Roaming\svc host.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All6⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid6⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"5⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Legion Private Bot.exe.logFilesize
507B
MD576ffb2f33cb32ade8fc862a67599e9d8
SHA1920cc4ab75b36d2f9f6e979b74db568973c49130
SHA256f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
SHA512f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svc host.exe.logFilesize
507B
MD576ffb2f33cb32ade8fc862a67599e9d8
SHA1920cc4ab75b36d2f9f6e979b74db568973c49130
SHA256f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
SHA512f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
memory/1464-143-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/1464-139-0x0000000000000000-mapping.dmp
-
memory/1704-137-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1704-136-0x0000000000000000-mapping.dmp
-
memory/1804-150-0x0000000000000000-mapping.dmp
-
memory/1804-163-0x0000000006F60000-0x0000000006F6A000-memory.dmpFilesize
40KB
-
memory/1804-164-0x0000000005F90000-0x0000000005FA2000-memory.dmpFilesize
72KB
-
memory/1804-152-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1804-154-0x00000000055D0000-0x0000000005636000-memory.dmpFilesize
408KB
-
memory/2164-158-0x0000000000000000-mapping.dmp
-
memory/3368-142-0x0000000000000000-mapping.dmp
-
memory/3368-146-0x0000000000730000-0x0000000000782000-memory.dmpFilesize
328KB
-
memory/3388-134-0x00000000054A0000-0x0000000005532000-memory.dmpFilesize
584KB
-
memory/3388-133-0x0000000005B90000-0x0000000006134000-memory.dmpFilesize
5.6MB
-
memory/3388-132-0x0000000000A20000-0x0000000000AC6000-memory.dmpFilesize
664KB
-
memory/3388-165-0x0000000000000000-mapping.dmp
-
memory/3388-135-0x00000000055E0000-0x000000000567C000-memory.dmpFilesize
624KB
-
memory/3448-159-0x0000000000000000-mapping.dmp
-
memory/3568-162-0x0000000000000000-mapping.dmp
-
memory/4252-161-0x0000000000000000-mapping.dmp
-
memory/4300-157-0x0000000000000000-mapping.dmp
-
memory/4348-147-0x0000000000000000-mapping.dmp
-
memory/4348-155-0x0000000005A30000-0x0000000005A3A000-memory.dmpFilesize
40KB
-
memory/4348-148-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4572-160-0x0000000000000000-mapping.dmp
-
memory/5056-156-0x0000000000000000-mapping.dmp