Analysis
-
max time kernel
2100s -
max time network
2093s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
24-06-2024 06:04
General
-
Target
ex2d.exe
-
Size
1.0MB
-
MD5
9c727dc787a39ab9b922995de8c1ad99
-
SHA1
1a0fab414c33759fdecbec52460a8d596c434a19
-
SHA256
1e414463710f5eee406e44815894e93a945289a50a2e8cfa9deef40d7c2e2de3
-
SHA512
c74691ca8821faed1a8cd2ab7112e91ba90326a24e01a3f7077ae179c8b458452784b0634b19242795ee2b025ae689f8e08d8b01f5d2552b9df2a9ae60536e35
-
SSDEEP
24576:rmoO8itEqfZBBoIroaajDce2wia6Gx9UtZmSx00MNFe32UkqD/XDuH+o:qvZrrZU56cc8NFe32UkC+f
Malware Config
Extracted
lokibot
http://batlxt.org/blL0/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage 12 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 4 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ex2d.exe"C:\Users\Admin\AppData\Local\Temp\ex2d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.0.1901512625\705492602" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49299085-d457-4293-9670-77402403ed71} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 1276 107d8e58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.1.911433543\728354845" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4789124-122f-4f9d-80fc-4f6514fbe7ad} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 1480 f6fb58 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.2.1932081915\2122007732" -childID 1 -isForBrowser -prefsHandle 1860 -prefMapHandle 2000 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7daa61e-d75d-44cd-86ca-0822887fec0d} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 1984 10758e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.3.522343061\430031454" -childID 2 -isForBrowser -prefsHandle 2420 -prefMapHandle 2540 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daf3ed17-4d15-49d1-bfef-c3dcd572fe51} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 2516 1b838d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.4.961478615\1175011491" -childID 3 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf74700d-7530-4edc-96cd-f143539bffc9} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 2964 f61958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.5.1498139789\454547583" -childID 4 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6729705b-e0ee-4795-8411-4d7f22b0b010} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 3760 1a091158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.6.467116705\927862952" -childID 5 -isForBrowser -prefsHandle 3868 -prefMapHandle 3872 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea8f5d3c-688c-4304-953d-adadd5d4a817} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 3856 1f0e1558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1800.7.1223538922\1429201684" -childID 6 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {457c9026-5031-47e0-9c22-4129f327cece} 1800 "\\.\pipe\gecko-crash-server-pipe.1800" 4040 1f0e2158 tab3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"1⤵
-
C:\Users\Admin\Contacts\pmseo.exe"C:\Users\Admin\Contacts\pmseo.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Users\Admin\Contacts\pmseo.exe"C:\Users\Admin\Contacts\pmseo.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Program Files\Windows Mail\wab.exe"C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Contacts\Admin.contact"1⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\15kjbvz9.default-release\activity-stream.discovery_stream.json.tmpFilesize
30KB
MD5ab87d59949f09c9036cef34241a6a6a7
SHA18652943a3038f27bb7d78dc830923ca5203d10c5
SHA2562aefd90bf48516614f97af260b33c9e504f6e0419fed9a7fbe2f6ce9f3efa0cd
SHA5120fa62f54a1d701385244b0d43d6510d057e47d2f749cd142eab84b8f94056f62df42d512c843fd30cdb99c278f81aca0cf51ce7bb082e1680d87b194115d6338
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pm.pngFilesize
570KB
MD58ad676dd7492a10768e8dbfdb25f5462
SHA122363d608e2e630e354f4d3dace5d15c2495b9c1
SHA256c4bd361e8127437a039f09036985262ac3041ae9085a1e99584ea8ce742a9269
SHA512f1946e789957d7ee625d168f636b1a624f58743fd357829d4b7ed5843345634b7c6571cc8b558734f811e6cdf354d8897b5c1d13c954894d7aa07313e113cd85
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmwfr.exeFilesize
886KB
MD57866de22baa38c927b53fc331fcde99e
SHA1ca899afd50fbb88da439ca8e492b2a992cebe948
SHA2560171e836f4a7ffbf66dea654f4bce360578ba8493032acd2a1b7c8d64cf4b79c
SHA512d3047dfab772a0c9db64d24aa1bc09e07056118e5b964fd09feacde040a7ad0d0c97299596b38b059271fa7ae71e3542ea02e2bfe41d88839ba400381b9b45c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-39690363-730359138-1046745555-1000\0f5007522459c86e95ffcc62f32308f1_793829ab-9e00-42f6-8ab9-a6ffde9cf44aFilesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-39690363-730359138-1046745555-1000\0f5007522459c86e95ffcc62f32308f1_793829ab-9e00-42f6-8ab9-a6ffde9cf44aFilesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD5110be82fc8e9784f0fcbb83717e47c30
SHA1930b52df573b37685000d1b9e0efc77039f51824
SHA256d5955c84ba2eaf5aa0e88ec45027dde1059620e72a11e71a4bb38b66e1d09e91
SHA512622f95d4cefc3ed36bec234d141c245795899a76a46a66d2fffec14027c97ee53a955510f559b6884069bfa5b7ff6d0c5af411c2a37230dd915032dedf7a3e5a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\datareporting\glean\pending_pings\eee138c6-8a97-44db-bf88-2efdde17f9bcFilesize
745B
MD5e3668990f6b03097bc0d7832586b4072
SHA192baca4ebc6dbd498458ac114eb7044820cc1188
SHA256a20aed72da150c242fb5967eae892b59e2471eeb5e00bbcf11e1f59c49933cf1
SHA51268d47dc7e160e17d8c2c36eb0be4e7c2b6b89f212a31ccada5ea0a0acc69fcd804f0cdff2b93629d4f07c04fe95862cc219acd681a58c13b6024c9d2976ad0a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\datareporting\glean\pending_pings\f3e95b38-4c7f-4766-a234-b47f830bde29Filesize
11KB
MD5fc431d64aad98a6dcedca596e8c15774
SHA13abfa3926d8d9baaeca8bd65cc148ef04f9ef5ed
SHA256f2a6d4ec4d5e7bd8aba8f19327faa78bec8db234301c53807c2a2a08f5ea8011
SHA512dc9d0070f7e207f32f64f71d599f18dd5a5874cbc14d0bdb46b784e859eca6dae41c855736135973f77ba7312672501c9a70cf023d17aa90a9873bb08e85fcde
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\prefs-1.jsFilesize
6KB
MD517ccaaf28c5889e6b48b69622a171258
SHA10381fe16f4f261a1f8b0726cb4d91defb58ef09d
SHA2560faa0913f087e1cc5986e4a8fa0998beacdc623e2370d275723d305dd507634a
SHA512f4525719e10683c44a4e5b8f88610c53cb200588579575fbfadb700cabaa827cc67ca860574e9295bc297e0be24efbeebb5da02945045cd42c7faac72f039da5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\sessionstore.jsonlz4Filesize
835B
MD5c30b91fbbf90674b1db6dcf3d9ad26a8
SHA193bd2f5e0ef2c060d678a967f571cdf620ba65f0
SHA2565a93f9834a5c68f59b94989e6b17b80eba4f15336daf7958ab09930035523a8b
SHA512b74a2a392e0dadac48679c6a0e4a1cff2084330d69ed304f7d8c0959ebda519a94031c759401bc5cdf0e574f937567f8c37cbc1de3c098e647ae0e5b1d04911e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1336-472-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/1556-492-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/1624-543-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/1640-439-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/1916-499-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/2364-454-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/2472-611-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2516-550-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/2560-32-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2560-35-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2560-37-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2560-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2608-430-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2632-432-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/2812-644-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2812-645-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2812-646-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2892-36-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
-
memory/2976-446-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
