Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2023 12:59
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20230220-en
General
-
Target
Invoice.exe
-
Size
5.8MB
-
MD5
e0ad1b070ad9c0430f491d07c2708484
-
SHA1
f36de48706a23f38d7b3fa070d8948dbc9ac3491
-
SHA256
647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
-
SHA512
d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
SSDEEP
98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183
Malware Config
Extracted
Protocol: ftp- Host:
ftp.product-secured.com - Port:
21 - Username:
oyos@product-secured.com - Password:
H?G7iEWK_W0R##
Signatures
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/4336-136-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral2/memory/4300-160-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4300-162-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4300-164-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4336-136-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral2/memory/1976-167-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1976-169-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1976-173-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1976-177-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
Processes:
resource yara_rule behavioral2/memory/4336-136-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral2/memory/4300-160-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4300-162-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4300-164-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1976-167-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1976-169-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1976-173-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1976-177-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Invoice.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation Invoice.exe -
Executes dropped EXE 6 IoCs
Processes:
svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exepid process 2996 svchost.exe 4296 svchost.exe 2124 svchost.exe 1592 svchost.exe 4124 svchost.exe 2040 svchost.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 65 whatismyipaddress.com 62 whatismyipaddress.com -
Suspicious use of SetThreadContext 6 IoCs
Processes:
Invoice.exeInvoice.exesvchost.exesvchost.exesvchost.exedescription pid process target process PID 2780 set thread context of 4336 2780 Invoice.exe Invoice.exe PID 4336 set thread context of 4300 4336 Invoice.exe vbc.exe PID 4336 set thread context of 1976 4336 Invoice.exe vbc.exe PID 2996 set thread context of 2124 2996 svchost.exe svchost.exe PID 4296 set thread context of 1592 4296 svchost.exe svchost.exe PID 4124 set thread context of 2040 4124 svchost.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 552 schtasks.exe 1704 schtasks.exe 552 schtasks.exe 4716 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exeInvoice.exepid process 1976 vbc.exe 1976 vbc.exe 4336 Invoice.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
svchost.exepid process 2124 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Invoice.exedescription pid process Token: SeDebugPrivilege 4336 Invoice.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Invoice.exepid process 4336 Invoice.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Invoice.execmd.exeInvoice.exesvchost.execmd.exesvchost.exedescription pid process target process PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 4336 2780 Invoice.exe Invoice.exe PID 2780 wrote to memory of 2996 2780 Invoice.exe svchost.exe PID 2780 wrote to memory of 2996 2780 Invoice.exe svchost.exe PID 2780 wrote to memory of 2996 2780 Invoice.exe svchost.exe PID 2780 wrote to memory of 3384 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 3384 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 3384 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 1768 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 1768 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 1768 2780 Invoice.exe cmd.exe PID 1768 wrote to memory of 552 1768 cmd.exe schtasks.exe PID 1768 wrote to memory of 552 1768 cmd.exe schtasks.exe PID 1768 wrote to memory of 552 1768 cmd.exe schtasks.exe PID 2780 wrote to memory of 1972 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 1972 2780 Invoice.exe cmd.exe PID 2780 wrote to memory of 1972 2780 Invoice.exe cmd.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 4300 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 4336 wrote to memory of 1976 4336 Invoice.exe vbc.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2124 2996 svchost.exe svchost.exe PID 2996 wrote to memory of 2220 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 2220 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 2220 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 1368 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 1368 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 1368 2996 svchost.exe cmd.exe PID 1368 wrote to memory of 1704 1368 cmd.exe schtasks.exe PID 1368 wrote to memory of 1704 1368 cmd.exe schtasks.exe PID 1368 wrote to memory of 1704 1368 cmd.exe schtasks.exe PID 2996 wrote to memory of 1596 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 1596 2996 svchost.exe cmd.exe PID 2996 wrote to memory of 1596 2996 svchost.exe cmd.exe PID 4296 wrote to memory of 1592 4296 svchost.exe svchost.exe PID 4296 wrote to memory of 1592 4296 svchost.exe svchost.exe PID 4296 wrote to memory of 1592 4296 svchost.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.logFilesize
520B
MD503febbff58da1d3318c31657d89c8542
SHA1c9e017bd9d0a4fe533795b227c855935d86c2092
SHA2565164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA5123750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
3.0MB
MD5646f6ea76cd0f29d4c2d6b0c8935e39e
SHA159962777a41b8ca3dfd0c40147e013a3a6d9bda4
SHA2560f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5
SHA512480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
3.0MB
MD5646f6ea76cd0f29d4c2d6b0c8935e39e
SHA159962777a41b8ca3dfd0c40147e013a3a6d9bda4
SHA2560f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5
SHA512480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
3.0MB
MD5646f6ea76cd0f29d4c2d6b0c8935e39e
SHA159962777a41b8ca3dfd0c40147e013a3a6d9bda4
SHA2560f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5
SHA512480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
3.0MB
MD5646f6ea76cd0f29d4c2d6b0c8935e39e
SHA159962777a41b8ca3dfd0c40147e013a3a6d9bda4
SHA2560f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5
SHA512480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeFilesize
5.8MB
MD5e0ad1b070ad9c0430f491d07c2708484
SHA1f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeFilesize
5.8MB
MD5e0ad1b070ad9c0430f491d07c2708484
SHA1f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeFilesize
5.8MB
MD5e0ad1b070ad9c0430f491d07c2708484
SHA1f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeFilesize
5.8MB
MD5e0ad1b070ad9c0430f491d07c2708484
SHA1f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeFilesize
5.8MB
MD5e0ad1b070ad9c0430f491d07c2708484
SHA1f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
memory/1976-177-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1976-167-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1976-173-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1976-169-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2124-181-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2780-134-0x0000000005C80000-0x0000000006224000-memory.dmpFilesize
5.6MB
-
memory/2780-135-0x00000000056C0000-0x00000000056D0000-memory.dmpFilesize
64KB
-
memory/2780-133-0x00000000006D0000-0x0000000000C96000-memory.dmpFilesize
5.8MB
-
memory/2996-153-0x00000000005B0000-0x00000000008B4000-memory.dmpFilesize
3.0MB
-
memory/4300-164-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4300-163-0x0000000000420000-0x00000000004E9000-memory.dmpFilesize
804KB
-
memory/4300-160-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4300-162-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4336-140-0x0000000005880000-0x000000000588A000-memory.dmpFilesize
40KB
-
memory/4336-178-0x0000000005B60000-0x0000000005B70000-memory.dmpFilesize
64KB
-
memory/4336-141-0x0000000005AA0000-0x0000000005AF6000-memory.dmpFilesize
344KB
-
memory/4336-166-0x0000000005B60000-0x0000000005B70000-memory.dmpFilesize
64KB
-
memory/4336-149-0x0000000005B60000-0x0000000005B70000-memory.dmpFilesize
64KB
-
memory/4336-139-0x0000000005910000-0x00000000059A2000-memory.dmpFilesize
584KB
-
memory/4336-138-0x00000000057D0000-0x000000000586C000-memory.dmpFilesize
624KB
-
memory/4336-136-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/4336-165-0x0000000005B60000-0x0000000005B70000-memory.dmpFilesize
64KB
-
memory/4336-159-0x0000000007D00000-0x0000000007D66000-memory.dmpFilesize
408KB