Analysis
-
max time kernel
144s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
-
submitted
06-03-2023 03:15
Static task
static1
Behavioral task
behavioral1
Sample
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Resource
win10v2004-20230220-en
General
-
Target
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
-
Size
494KB
-
MD5
94b4eb33f72c5df6e7823407e12fa2b5
-
SHA1
e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
-
SHA256
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
-
SHA512
19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
-
SSDEEP
12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy
Malware Config
Extracted
cobaltstrike
0
http://85.175.101.203:80/access/
-
access_type
512
-
host
85.175.101.203,/access/
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
polling_time
1000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
-
unknown1
7.382016e+08
-
unknown2
-
uri
/radio/xmlrpc/v35
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 6 IoCs
Processes: rundll32.exe
flow  pid   process
3     1516  rundll32.exe
4     1516  rundll32.exe
5     1516  rundll32.exe
7     1516  rundll32.exe
8     1516  rundll32.exe
9     1516  rundll32.exe
-
Executes dropped EXE 2 IoCs
Processes: Servis.exe, UAC.exe
pid   process
1588  Servis.exe
1532  UAC.exe
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  rundll32.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: UAC.exe
description  pid  process  target process
PID 1532 set thread context of 1516  1532  UAC.exe  rundll32.exe
-
Drops file in Windows directory 7 IoCs
Processes: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe, powershell.exe, powershell.exe
description  ioc  process
File created  C:\Windows\UAC.exe  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification  C:\Windows\UAC.exe  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification  C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File created  C:\Windows\__tmp_rar_sfx_access_check_7079668  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File created  C:\Windows\Servis.exe  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification  C:\Windows\Servis.exe  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 21 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecisionTime = 5066325fe24fd901 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadNetworkName = "Network 2" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\8a-ad-93-50-6a-67 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecisionReason = "1" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecisionTime = 5066325fe24fd901 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 
rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1} rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: powershell.exe, powershell.exe, rundll32.exe
pid   process
628   powershell.exe
1784  powershell.exe
1516  rundll32.exe
1516  rundll32.exe
1516  rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
1240  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe, powershell.exe, powershell.exe
description  pid  process
Token: SeSecurityPrivilege  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeRestorePrivilege  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeDebugPrivilege  628  powershell.exe
Token: SeDebugPrivilege  1784  powershell.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe, Servis.exe, cmd.exe, UAC.exe, rundll32.exe
description  pid  process  target process
PID 1060 wrote to memory of 1588  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe  Servis.exe
PID 1060 wrote to memory of 1588  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe  Servis.exe
PID 1060 wrote to memory of 1588  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe  Servis.exe
PID 1060 wrote to memory of 1588  1060  7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe  Servis.exe
PID 1588 wrote to memory of 1268  1588  Servis.exe  cmd.exe
PID 1588 wrote to memory of 1268  1588  Servis.exe  cmd.exe
PID 1588 wrote to memory of 1268  1588  Servis.exe  cmd.exe
PID 1588 wrote to memory of 1268  1588  Servis.exe  cmd.exe
PID 1268 wrote to memory of 628  1268  cmd.exe  powershell.exe
PID 1268 wrote to memory of 628  1268  cmd.exe  powershell.exe
PID 1268 wrote to memory of 628  1268  cmd.exe  powershell.exe
PID 1268 wrote to memory of 1784  1268  cmd.exe  powershell.exe
PID 1268 wrote to memory of 1784  1268  cmd.exe  powershell.exe
PID 1268 wrote to memory of 1784  1268  cmd.exe  powershell.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1532 wrote to memory of 1516  1532  UAC.exe  rundll32.exe
PID 1516 wrote to memory of 1240  1516  rundll32.exe  Explorer.EXE
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE 1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
"C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe" 2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Servis.exe
"C:\Windows\Servis.exe" 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FD.tmp\7FE.tmp\7FF.bat C:\Windows\Servis.exe" 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "New-Service -Name UAC -BinaryPathName C:\Windows\UAC.exe" 5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "Start-Service -Name UAC -PassThru" 5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\UAC.exe
C:\Windows\UAC.exe 1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe 2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7FD.tmp\7FE.tmp\7FF.bat
Filesize
211B
MD5
ceb3c06960136b0e3ebadca62fdf415e
SHA1
8b67ec15381aad2453ad9f78f9ebd469de1a2925
SHA256
d821ecc0208b6fcb11311f7c0abc45f640da48c09a37051da3320676495d5b16
SHA512
9cf6ea5b486b33add21944225e6cc62fd2402628caf43d76ac3dfdb58ea4a3c965489de627c0c11d7a26065ae4d158ff687860ac0d3fe2dd5a502912100fb9d3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
65c94bae794ec7119cc20e6a457c5b8a
SHA1
9c5758f3767f03319524db95611e106ac5922031
SHA256
fe476f1500c86ded41ebf0076233c22f2525f7cabde26c379eb42fc3aa3ee508
SHA512
3f8bfd111623c2c935e265359ec130127a7abd11927e4997c5dcc8978a4764aab4c46b73092e72862778b6dc7733f5a05846b9b94dfb1cbf170b112e22c6d866
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T9LCX3SK6PML2AR9Z0O4.temp
Filesize
7KB
MD5
65c94bae794ec7119cc20e6a457c5b8a
SHA1
9c5758f3767f03319524db95611e106ac5922031
SHA256
fe476f1500c86ded41ebf0076233c22f2525f7cabde26c379eb42fc3aa3ee508
SHA512
3f8bfd111623c2c935e265359ec130127a7abd11927e4997c5dcc8978a4764aab4c46b73092e72862778b6dc7733f5a05846b9b94dfb1cbf170b112e22c6d866
-
C:\Windows\Servis.exe
Filesize
87KB
MD5
461938519e0d15b209cf0da74d686e05
SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73
SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b
SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e
-
C:\Windows\UAC.exe
Filesize
282KB
MD5
d8c81b67c27140970e704edb6e0faf63
SHA1
43d91226c004d2b5538c4e057cd05eb9b52166be
SHA256
da68308adf531b3dc93d7443669bfe84650c6fea041e3fdb63b4703b1be1cc5b
SHA512
5ec9cb623987ae9ac524a5de02ae1ace0e3cc549cb134fa056d2c257dffafb51fb55c47fbdea29a6c9d215ea6b1b63baf6f3ebba81bc2118dac508d7c68d2268