Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
02-07-2023 10:26
Static task
static1
Behavioral task
behavioral1
Sample
ba02abc98927e0f1c.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
ba02abc98927e0f1c.exe
Resource
win10v2004-20230621-en
General
-
Target
ba02abc98927e0f1c.exe
-
Size
657KB
-
MD5
0d34b9d96f2ae523a367698eb41392aa
-
SHA1
6ab2270dc35817ee1f15bb5dfacf096bb9d1219f
-
SHA256
ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
-
SHA512
54d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
SSDEEP
12288:J/a3HealIvHubbP8LxyX9bkR1MA6HXyUys/07KD/tK2F4QKl1qOILE4nGYCNx:JinIeEkt21MAmivgpD/tK2F43lA7RGYI
Malware Config
Signatures
-
NirSoft MailPassView 14 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1032-58-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1032-59-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1032-63-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1032-62-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1032-67-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1032-70-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/864-91-0x00000000000D0000-0x0000000000154000-memory.dmp MailPassView behavioral1/memory/864-95-0x00000000000D0000-0x0000000000154000-memory.dmp MailPassView behavioral1/memory/864-98-0x00000000000D0000-0x0000000000154000-memory.dmp MailPassView behavioral1/memory/1576-106-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1576-108-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1576-109-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/864-110-0x0000000002330000-0x0000000002370000-memory.dmp MailPassView behavioral1/memory/1576-111-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 14 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1032-58-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1032-59-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1032-63-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1032-62-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1032-67-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1032-70-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/864-91-0x00000000000D0000-0x0000000000154000-memory.dmp WebBrowserPassView behavioral1/memory/864-95-0x00000000000D0000-0x0000000000154000-memory.dmp WebBrowserPassView behavioral1/memory/864-98-0x00000000000D0000-0x0000000000154000-memory.dmp WebBrowserPassView behavioral1/memory/864-110-0x0000000002330000-0x0000000002370000-memory.dmp WebBrowserPassView behavioral1/memory/1508-112-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1508-114-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1508-115-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1508-119-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 18 IoCs
Processes:
resource yara_rule behavioral1/memory/1032-58-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1032-59-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1032-63-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1032-62-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1032-67-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1032-70-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/864-91-0x00000000000D0000-0x0000000000154000-memory.dmp Nirsoft behavioral1/memory/864-95-0x00000000000D0000-0x0000000000154000-memory.dmp Nirsoft behavioral1/memory/864-98-0x00000000000D0000-0x0000000000154000-memory.dmp Nirsoft behavioral1/memory/1576-106-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1576-108-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1576-109-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/864-110-0x0000000002330000-0x0000000002370000-memory.dmp Nirsoft behavioral1/memory/1576-111-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1508-112-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1508-114-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1508-115-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1508-119-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Deletes itself 1 IoCs
Processes:
Windows Update.exepid process 864 Windows Update.exe -
Executes dropped EXE 2 IoCs
Processes:
Windows Update.exeWindows Update.exepid process 896 Windows Update.exe 864 Windows Update.exe -
Loads dropped DLL 2 IoCs
Processes:
ba02abc98927e0f1c.exeWindows Update.exepid process 1032 ba02abc98927e0f1c.exe 896 Windows Update.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Windows Update.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 whatismyipaddress.com 3 whatismyipaddress.com 5 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
Processes:
ba02abc98927e0f1c.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1548 set thread context of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 896 set thread context of 864 896 Windows Update.exe Windows Update.exe PID 864 set thread context of 1576 864 Windows Update.exe vbc.exe PID 864 set thread context of 1508 864 Windows Update.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ba02abc98927e0f1c.exeWindows Update.exeWindows Update.exepid process 1548 ba02abc98927e0f1c.exe 1548 ba02abc98927e0f1c.exe 1548 ba02abc98927e0f1c.exe 1548 ba02abc98927e0f1c.exe 896 Windows Update.exe 896 Windows Update.exe 1548 ba02abc98927e0f1c.exe 896 Windows Update.exe 896 Windows Update.exe 896 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 896 Windows Update.exe 896 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe 864 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
ba02abc98927e0f1c.exeWindows Update.exeWindows Update.exedescription pid process Token: SeDebugPrivilege 1548 ba02abc98927e0f1c.exe Token: SeDebugPrivilege 896 Windows Update.exe Token: SeDebugPrivilege 864 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 864 Windows Update.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
ba02abc98927e0f1c.exeba02abc98927e0f1c.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1548 wrote to memory of 1032 1548 ba02abc98927e0f1c.exe ba02abc98927e0f1c.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 1032 wrote to memory of 896 1032 ba02abc98927e0f1c.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 896 wrote to memory of 864 896 Windows Update.exe Windows Update.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1576 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe PID 864 wrote to memory of 1508 864 Windows Update.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
55B
MD57de0b47e0f9e5127362586a19471497f
SHA1185113393dbea643d5a78cbe9040522d1827126d
SHA256d1d82428b8391b11570fe2577b3d0e820de6ad3fc3565b5fb80ae537e4283bca
SHA5120201fe83c38ed559f149458f213da3e57a20589c6ee1afb8f06016a40fcbd698c996896b7b4fb67572b318092bf7bac18bfd5d951a350bfcf173c450d48eac0c
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
657KB
MD50d34b9d96f2ae523a367698eb41392aa
SHA16ab2270dc35817ee1f15bb5dfacf096bb9d1219f
SHA256ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
SHA51254d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
-
memory/864-105-0x0000000002330000-0x0000000002370000-memory.dmpFilesize
256KB
-
memory/864-91-0x00000000000D0000-0x0000000000154000-memory.dmpFilesize
528KB
-
memory/864-95-0x00000000000D0000-0x0000000000154000-memory.dmpFilesize
528KB
-
memory/864-98-0x00000000000D0000-0x0000000000154000-memory.dmpFilesize
528KB
-
memory/864-99-0x0000000002330000-0x0000000002370000-memory.dmpFilesize
256KB
-
memory/864-110-0x0000000002330000-0x0000000002370000-memory.dmpFilesize
256KB
-
memory/864-120-0x0000000002330000-0x0000000002370000-memory.dmpFilesize
256KB
-
memory/864-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/896-80-0x00000000020B0000-0x00000000020F0000-memory.dmpFilesize
256KB
-
memory/1032-70-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-58-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-56-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-67-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-62-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-63-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1032-59-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-57-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1032-71-0x00000000004E0000-0x0000000000520000-memory.dmpFilesize
256KB
-
memory/1508-112-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1508-114-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1508-115-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1508-119-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1508-117-0x0000000000460000-0x00000000004C7000-memory.dmpFilesize
412KB
-
memory/1548-54-0x0000000000DF0000-0x0000000000E30000-memory.dmpFilesize
256KB
-
memory/1576-109-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1576-111-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1576-108-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1576-106-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB