Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
18-02-2023 19:06
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
3.0MB
-
MD5
fd560527411b6fc1dec327027f1b6a51
-
SHA1
056c4273219177194fa2d4c7cd308470391a4c53
-
SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
-
SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988
-
SSDEEP
49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm
Malware Config
Extracted
orcus
Sln
193.138.195.211:10134
eaf050d367294b239fe7db992d6ea4d7
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\svchost.exe
-
reconnect_delay
10000
-
registry_keyname
svchost
-
taskscheduler_taskname
svc host
-
watchdog_path
AppData\svchost.exe
Signatures
-
Orcus main payload 4 IoCs
Processes:
resource | yara_rule
\Program Files (x86)\svchost.exe | family_orcus
C:\Program Files (x86)\svchost.exe | family_orcus
C:\Program Files (x86)\svchost.exe | family_orcus
C:\Program Files (x86)\svchost.exe | family_orcus
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1944-59-0x00000000006C0000-0x00000000006DE000-memory.dmp | family_stormkitty
-
Orcurs Rat Executable 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1944-54-0x0000000000C60000-0x0000000000F68000-memory.dmp | orcus
\Program Files (x86)\svchost.exe | orcus
C:\Program Files (x86)\svchost.exe | orcus
C:\Program Files (x86)\svchost.exe | orcus
behavioral1/memory/1780-73-0x00000000003F0000-0x00000000006F8000-memory.dmp | orcus
C:\Program Files (x86)\svchost.exe | orcus
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1188 | WindowsInput.exe
1340 | WindowsInput.exe
1780 | svchost.exe
1468 | svchost.exe
604 | svchost.exe
1016 | svchost.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1944 | tmp.exe
1944 | tmp.exe
1780 | svchost.exe
1780 | svchost.exe
1780 | svchost.exe
1780 | svchost.exe
1780 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files (x86)\\svchost.exe\"" | svchost.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
12 | icanhazip.com
7 | ip-api.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\WindowsInput.exe | tmp.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | tmp.exe
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\svchost.exe | tmp.exe
File opened for modification | C:\Program Files (x86)\svchost.exe | tmp.exe
File created | C:\Program Files (x86)\svchost.exe.config | tmp.exe
File created | C:\Program Files (x86)\Ionic.Zip.dll | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1780 | svchost.exe
Token: SeDebugPrivilege | 604 | svchost.exe
Token: SeDebugPrivilege | 1016 | svchost.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1944
-
C:\Windows\SysWOW64\WindowsInput.exe "C:\Windows\SysWOW64\WindowsInput.exe" --install 2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188
-
C:\Program Files (x86)\svchost.exe "C:\Program Files (x86)\svchost.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
-
C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All 3⤵
- Suspicious use of WriteProcessMemory
PID:1608
-
C:\Windows\SysWOW64\chcp.com chcp 65001 4⤵
PID:1700
-
C:\Windows\SysWOW64\netsh.exe netsh wlan show profile 4⤵
PID:1532
-
C:\Windows\SysWOW64\findstr.exe findstr All 4⤵
PID:844
-
C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid 3⤵
- Suspicious use of WriteProcessMemory
PID:1336
-
C:\Windows\SysWOW64\chcp.com chcp 65001 4⤵
PID:1784
-
C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid 4⤵
PID:2024
-
C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files (x86)\svchost.exe" 1780 /protectFile 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604
-
C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files (x86)\svchost.exe" 1780 "/protectFile" 4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Windows\SysWOW64\WindowsInput.exe "C:\Windows\SysWOW64\WindowsInput.exe" 1⤵
- Executes dropped EXE
PID:1340
-
C:\Windows\system32\taskeng.exe taskeng.exe {A317C76D-87C9-4997-84D1-DA1CA9493358} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1] 1⤵
- Suspicious use of WriteProcessMemory
PID:812
-
C:\Program Files (x86)\svchost.exe "C:\Program Files (x86)\svchost.exe" 2⤵
- Executes dropped EXE
PID:1468