Analysis
-
max time kernel
160s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
03-02-2022 15:57
Static task
static1
Behavioral task
behavioral1
Sample
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
Resource
win10v2004-en-20220112
General
-
Target
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
-
Size
332KB
-
MD5
349d353065a260a6cb340666ae9d5f06
-
SHA1
049c76e212e1e7368c368eb1b47bf18df84f2d61
-
SHA256
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
-
SHA512
ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Crack.exesuper.exewinlogon.exepid process 704 Crack.exe 3296 super.exe 1472 winlogon.exe -
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exesuper.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation super.exe -
Drops startup file 2 IoCs
Processes:
winlogon.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe winlogon.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .." winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .." winlogon.exe -
Drops file in Program Files directory 6 IoCs
Processes:
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exedescription ioc process File opened for modification C:\Program Files (x86)\udat 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe File created C:\Program Files (x86)\udat\__tmp_rar_sfx_access_check_30322687 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe File created C:\Program Files (x86)\udat\Crack.exe 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe File opened for modification C:\Program Files (x86)\udat\Crack.exe 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe File created C:\Program Files (x86)\udat\super.exe 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe File opened for modification C:\Program Files (x86)\udat\super.exe 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
WaaSMedicAgent.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132885548848661571" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.961534" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4064" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
winlogon.exedescription pid process Token: SeDebugPrivilege 1472 winlogon.exe Token: 33 1472 winlogon.exe Token: SeIncBasePriorityPrivilege 1472 winlogon.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Crack.exepid process 704 Crack.exe 704 Crack.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exesuper.exewinlogon.exedescription pid process target process PID 2876 wrote to memory of 704 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe Crack.exe PID 2876 wrote to memory of 704 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe Crack.exe PID 2876 wrote to memory of 704 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe Crack.exe PID 2876 wrote to memory of 3296 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe super.exe PID 2876 wrote to memory of 3296 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe super.exe PID 2876 wrote to memory of 3296 2876 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe super.exe PID 3296 wrote to memory of 1472 3296 super.exe winlogon.exe PID 3296 wrote to memory of 1472 3296 super.exe winlogon.exe PID 3296 wrote to memory of 1472 3296 super.exe winlogon.exe PID 1472 wrote to memory of 4092 1472 winlogon.exe netsh.exe PID 1472 wrote to memory of 4092 1472 winlogon.exe netsh.exe PID 1472 wrote to memory of 4092 1472 winlogon.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe"C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\udat\Crack.exe"C:\Program Files (x86)\udat\Crack.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\udat\super.exe"C:\Program Files (x86)\udat\super.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE4⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2a275bebdb39eee968a8386397ce248f imhAM3Uzrk6gc/oKzN3D/Q.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\udat\Crack.exeMD5
1c626edcdad864d70de9befdf08bf9c1
SHA1cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e
SHA256e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a
SHA512b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9
-
C:\Program Files (x86)\udat\Crack.exeMD5
1c626edcdad864d70de9befdf08bf9c1
SHA1cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e
SHA256e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a
SHA512b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9
-
C:\Program Files (x86)\udat\super.exeMD5
a82bd9f52870c56eaf1c5b671675fde3
SHA1497194d1414df0581ea12da2f38c3da71ef81b70
SHA25699a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
SHA512eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
C:\Program Files (x86)\udat\super.exeMD5
a82bd9f52870c56eaf1c5b671675fde3
SHA1497194d1414df0581ea12da2f38c3da71ef81b70
SHA25699a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
SHA512eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
C:\Users\Admin\AppData\Roaming\winlogon.exeMD5
a82bd9f52870c56eaf1c5b671675fde3
SHA1497194d1414df0581ea12da2f38c3da71ef81b70
SHA25699a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
SHA512eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
C:\Users\Admin\AppData\Roaming\winlogon.exeMD5
a82bd9f52870c56eaf1c5b671675fde3
SHA1497194d1414df0581ea12da2f38c3da71ef81b70
SHA25699a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
SHA512eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
memory/1472-263-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/1472-264-0x0000000005390000-0x0000000005422000-memory.dmpFilesize
584KB
-
memory/1472-265-0x0000000005310000-0x000000000531A000-memory.dmpFilesize
40KB
-
memory/3296-259-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/3296-260-0x0000000005320000-0x00000000058C4000-memory.dmpFilesize
5.6MB
-
memory/3296-202-0x0000000004AD0000-0x0000000004B6C000-memory.dmpFilesize
624KB
-
memory/3296-134-0x00000000000A0000-0x00000000000DE000-memory.dmpFilesize
248KB