Analysis
-
max time kernel
181s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Resource
win7-20221111-en
General
-
Target
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
-
Size
285KB
-
MD5
01daf4f618eac4c7379b4d1f8046deaa
-
SHA1
c73db227644dc6cc6d9b7fb91468014572507b4d
-
SHA256
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536
-
SHA512
435380deca7baf660e8a6b673d02ff6478bc6d823ca416b04a4ff758ffb7c821d5495f9870e9a8bbe513bde229ad5a114e44283160146e205e49d9489fbad465
-
SSDEEP
6144:JAsBZACyfs1vYtn9BqNmJ5y52jzm2YYrTASZ:YCyfsYBT5yEqM7Z
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
explorer.exe285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "kbt.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7isi31gqwi7.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7isi31gqwi7.exe\DisableExceptionChainValidation 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 1 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exepid process 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\7isi31gqwi7.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\7isi31gqwi7.exe\"" explorer.exe -
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exedescription ioc process File created C:\ProgramData\Windows Search 5.3.10\desktop.ini 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe File opened for modification C:\ProgramData\Windows Search 5.3.10\desktop.ini 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exepid process 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exedescription pid process target process PID 944 set thread context of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
explorer.exepid process 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exepid process 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exepid process 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exedescription pid process Token: SeDebugPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeRestorePrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeBackupPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeLoadDriverPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeCreatePagefilePrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeShutdownPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeTakeOwnershipPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeChangeNotifyPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeCreateTokenPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeMachineAccountPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeSecurityPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeAssignPrimaryTokenPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeCreateGlobalPrivilege 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: 33 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe Token: SeDebugPrivilege 1336 explorer.exe Token: SeRestorePrivilege 1336 explorer.exe Token: SeBackupPrivilege 1336 explorer.exe Token: SeLoadDriverPrivilege 1336 explorer.exe Token: SeCreatePagefilePrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeTakeOwnershipPrivilege 1336 explorer.exe Token: SeChangeNotifyPrivilege 1336 explorer.exe Token: SeCreateTokenPrivilege 1336 explorer.exe Token: SeMachineAccountPrivilege 1336 explorer.exe Token: SeSecurityPrivilege 1336 explorer.exe Token: SeAssignPrimaryTokenPrivilege 1336 explorer.exe Token: SeCreateGlobalPrivilege 1336 explorer.exe Token: 33 1336 explorer.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exedescription pid process target process PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 944 wrote to memory of 576 944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 576 wrote to memory of 1336 576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe explorer.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1168 1336 explorer.exe Dwm.exe PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1204 1336 explorer.exe Explorer.EXE PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe PID 1336 wrote to memory of 1924 1336 explorer.exe DllHost.exe
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsoA834.tmp\skiers.dllFilesize
228KB
MD5fc7a721c4e3c90b9598d7c81fe77e726
SHA1fe84f4d480c5da5e55c09842b74d502b03736770
SHA256d059347af564675db2b15bf372282457e4c4b829712ef67c1aa2864b8c706c6d
SHA5127bcc246a883e12c4f8965e99f2288e13d8a754600159240df6f881818d54a611b6cbdbe7364aa992405388f8b6b68fa6ad369f53f2fe1bba724cec699e2a0f8a
-
memory/576-70-0x0000000000350000-0x00000000003B0000-memory.dmpFilesize
384KB
-
memory/576-57-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-73-0x0000000000300000-0x000000000030D000-memory.dmpFilesize
52KB
-
memory/576-74-0x0000000000830000-0x000000000083C000-memory.dmpFilesize
48KB
-
memory/576-59-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-60-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-62-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-64-0x00000000004015C6-mapping.dmp
-
memory/576-66-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-67-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-72-0x0000000000350000-0x00000000003B0000-memory.dmpFilesize
384KB
-
memory/576-79-0x0000000000350000-0x00000000003B0000-memory.dmpFilesize
384KB
-
memory/576-56-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-58-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/576-78-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/944-54-0x00000000761E1000-0x00000000761E3000-memory.dmpFilesize
8KB
-
memory/1204-85-0x0000000002600000-0x0000000002606000-memory.dmpFilesize
24KB
-
memory/1336-77-0x0000000075401000-0x0000000075403000-memory.dmpFilesize
8KB
-
memory/1336-75-0x0000000000000000-mapping.dmp
-
memory/1336-80-0x0000000077DD0000-0x0000000077F50000-memory.dmpFilesize
1.5MB
-
memory/1336-81-0x0000000000090000-0x000000000013B000-memory.dmpFilesize
684KB
-
memory/1336-82-0x0000000000550000-0x000000000055C000-memory.dmpFilesize
48KB
-
memory/1336-83-0x0000000077DD0000-0x0000000077F50000-memory.dmpFilesize
1.5MB
-
memory/1336-84-0x0000000000090000-0x000000000013B000-memory.dmpFilesize
684KB
-
memory/1924-86-0x0000000000100000-0x0000000000106000-memory.dmpFilesize
24KB