Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
26-05-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe
Resource
win7-20240215-en
General
-
Target
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe
-
Size
8.5MB
-
MD5
0f67cc2e42069cb24164a7c3a2b3e9cd
-
SHA1
686c7573dceba02a5e49327521dcb7134c809225
-
SHA256
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72
-
SHA512
adc182784d20037b4aff44592bad44139a6bc60cd7da0e96bf456ee32f8503b708fe4dec98f65bf7037e8cc91ef595837b2ea695989618005081ad9470c25a3b
-
SSDEEP
196608:DWT9nO7MzOJRCsU3lHOYhE0dutEcKEmmI1nzH59a3K2ZXVVoVeB:Z7EO3xatvE05EW1zH5V2ZFVoVeB
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/2888-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2888-12-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2888-8-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2548-34-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2548-29-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2548-30-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2512-25-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 10 IoCs
Processes:
resource yara_rule behavioral1/memory/2888-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2888-12-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2888-8-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2548-34-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat \Windows\SysWOW64\259394734.txt family_gh0strat behavioral1/memory/2548-29-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2548-30-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2512-25-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Drops file in Drivers directory 1 IoCs
Processes:
TXPlatforn.exedescription ioc process File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
TXPlatforn.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Executes dropped EXE 5 IoCs
Processes:
svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exepid process 2888 svchost.exe 2512 TXPlatforn.exe 2548 TXPlatforn.exe 1344 svchos.exe 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Loads dropped DLL 10 IoCs
Processes:
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exeTXPlatforn.exesvchos.exeWerFault.exepid process 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe 2512 TXPlatforn.exe 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe 1344 svchos.exe 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe 2884 WerFault.exe 2884 WerFault.exe 2884 WerFault.exe 2884 WerFault.exe 2884 WerFault.exe -
Processes:
resource yara_rule behavioral1/memory/2888-7-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2888-12-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2888-8-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2888-5-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-34-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-29-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-30-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2548-27-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2512-25-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Processes:
HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription ioc process File opened for modification \??\PhysicalDrive0 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Drops file in System32 directory 3 IoCs
Processes:
svchost.exesvchos.exedescription ioc process File created C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File created C:\Windows\SysWOW64\259394734.txt svchos.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exepid process 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Drops file in Program Files directory 4 IoCs
Processes:
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription ioc process File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2884 2424 WerFault.exe HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exeHD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exepid process 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
TXPlatforn.exepid process 2548 TXPlatforn.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exeTXPlatforn.exedescription pid process Token: SeIncBasePriorityPrivilege 2888 svchost.exe Token: SeLoadDriverPrivilege 2548 TXPlatforn.exe Token: 33 2548 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 2548 TXPlatforn.exe Token: 33 2548 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 2548 TXPlatforn.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exepid process 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exesvchost.exeTXPlatforn.execmd.exeHD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exedescription pid process target process PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 1664 wrote to memory of 2888 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchost.exe PID 2888 wrote to memory of 2632 2888 svchost.exe cmd.exe PID 2888 wrote to memory of 2632 2888 svchost.exe cmd.exe PID 2888 wrote to memory of 2632 2888 svchost.exe cmd.exe PID 2888 wrote to memory of 2632 2888 svchost.exe cmd.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 2512 wrote to memory of 2548 2512 TXPlatforn.exe TXPlatforn.exe PID 1664 wrote to memory of 1344 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchos.exe PID 1664 wrote to memory of 1344 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchos.exe PID 1664 wrote to memory of 1344 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchos.exe PID 1664 wrote to memory of 1344 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe svchos.exe PID 2632 wrote to memory of 2912 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2912 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2912 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2912 2632 cmd.exe PING.EXE PID 1664 wrote to memory of 2424 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe PID 1664 wrote to memory of 2424 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe PID 1664 wrote to memory of 2424 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe PID 1664 wrote to memory of 2424 1664 ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe PID 2424 wrote to memory of 2884 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe WerFault.exe PID 2424 wrote to memory of 2884 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe WerFault.exe PID 2424 wrote to memory of 2884 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe WerFault.exe PID 2424 wrote to memory of 2884 2424 HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe"C:\Users\Admin\AppData\Local\Temp\ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exeC:\Users\Admin\AppData\Local\Temp\HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 7403⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.8MB
MD54486f3cff55a579b3d14f469deb00373
SHA1d024c5ccce4025d315ad442ffb36629c5a389e8b
SHA25616c9ce3d4d8518e1acc2b9596042224e836bb3e704c1fa0349b5d5ec6fa3d2e8
SHA512596d83f5395b6f073a0550b510c1df30cca575ca660a76f10cfeef074fd42eb965fac75bdee40e8ae5b2db1343fe9daee4096a9ded93f6acdb94970a98703d87
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeFilesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
\Users\Admin\AppData\Local\Temp\HD_ac8bd683789d6db878e85696e43346bc92d468e4524a1aa0ae319975d6dd2c72.exeFilesize
6.7MB
MD5228d6cc0e7e1399dae79eaa5d6f71e52
SHA1290443a75bfd4108abb6e9f7fc14d4da1542314b
SHA2567189cf2950eb69251a80d120d2a75c860de50d2084bdb7c41a3345e34734958b
SHA512bd4b464037ea2ece9331905da72ef33e6803c0e642a5f051146f1e222186bb3b74a6dd28a309e893413282604a804c9132d52c5f8069902721aa78b5b074d743
-
\Windows\SysWOW64\259394734.txtFilesize
50KB
MD5afe2718aa5c70470fd3b116d5f58ac38
SHA14f39db0403d0c238d4854551a24a42f50c80fb41
SHA256c779f681b4d4361bdf555786b2bfa1adce725084c460448f4f5021b3820b7db2
SHA51251e3b5406596df1bf2f58ac0d4b8b473612f1b2b0321ee4ffe5bb162163ab64f92fcc560dd5d26c3e3bfb2e47194aefcc08d35b9c6b29432da3744747057649e
-
memory/1664-99-0x0000000004140000-0x00000000052D0000-memory.dmpFilesize
17.6MB
-
memory/1664-46-0x0000000004140000-0x00000000052D0000-memory.dmpFilesize
17.6MB
-
memory/2424-47-0x0000000000870000-0x0000000001A00000-memory.dmpFilesize
17.6MB
-
memory/2424-100-0x0000000000870000-0x0000000001A00000-memory.dmpFilesize
17.6MB
-
memory/2424-53-0x0000000000870000-0x0000000001A00000-memory.dmpFilesize
17.6MB
-
memory/2424-52-0x0000000000870000-0x0000000001A00000-memory.dmpFilesize
17.6MB
-
memory/2512-25-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-29-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-30-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-27-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2548-34-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2888-8-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2888-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2888-12-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2888-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB