Analysis
-
max time kernel
599s
-
max time network
599s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231222-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
01-02-2024 15:34
Behavioral task
behavioral1
Sample
s.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
s.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
out.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10v2004-20231215-en
General
-
Target
s.exe
-
Size
254KB
-
MD5
4485d8844b083564cf510271d90d7399
-
SHA1
769d564f9b895c8d07fee07733782c548e30267a
-
SHA256
fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f
-
SHA512
0f0e1eb3249e1a73ab51b08462dfd8871c9fe5db7b87090635a8b6930c830440a2a225c4e1ed5e8f596cea1672f65fcb1a383a47ea9e4133bde8cc9ed793efeb
-
SSDEEP
6144:h+lSr5QA7XPoS5Ut7Qjs+oQmAWN3/+Ne1YmWpm0+ie+z:Zr5Q0oS5Fjs+MAU/Lypmr+z
Malware Config
Signatures
-
Detects PlugX payload 33 IoCs
Deletes itself 1 IoCs
Processes:
pid   process
4304  ktmhelp.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
4304  ktmhelp.exe
1516  ktmhelp.exe
3192  ktmhelp.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
4304  ktmhelp.exe
1516  ktmhelp.exe
3192  ktmhelp.exe
-
Processes:
resource  yara_rule
behavioral2/memory/1188-0-0x0000000000400000-0x000000000047F000-memory.dmp  upx
behavioral2/memory/1188-15-0x0000000000400000-0x000000000047F000-memory.dmp  upx
-
Unexpected DNS network traffic destination 48 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description     ioc
Destination IP  92.38.178.133
(the same destination is repeated for every entry)
-
Blocklisted process makes network request 64 IoCs
Processes:
pid   process      flow
1204  msiexec.exe  27, 36, 37, 41, 60, 61, 64, 70, 71, 72, 81, 82, 84, 85, 97, 98,
                   99, 106, 107, 108, 116, 117, 119, 125, 126, 128, 129, 137, 138,
                   140, 146, 147, 149, 155, 156, 159, 163, 164, 168, 170, 176, 177,
                   180, 184, 185, 189, 193, 194, 196, 202, 203, 206, 208, 214, 215,
                   217, 224, 225, 230, 235, 236, 238, 244, 245
-
Modifies data under HKEY_USERS 17 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform  dllhost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  dllhost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  dllhost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform  dllhost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  dllhost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent  dllhost.exe
-
Modifies registry class 2 IoCs
Processes:
ktmhelp.exedescription ioc process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST ktmhelp.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003400450046003600460031003100350036004100320044004100310045000000 ktmhelp.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid   process
1052  dllhost.exe
1204  msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4304  ktmhelp.exe
1052  dllhost.exe
1516  ktmhelp.exe
1204  msiexec.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid   process
1052  dllhost.exe
1204  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4304  ktmhelp.exe
Token: SeTcbPrivilege    4304  ktmhelp.exe
Token: SeDebugPrivilege  1516  ktmhelp.exe
Token: SeTcbPrivilege    1516  ktmhelp.exe
Token: SeDebugPrivilege  3192  ktmhelp.exe
Token: SeTcbPrivilege    3192  ktmhelp.exe
Token: SeDebugPrivilege  1052  dllhost.exe
Token: SeTcbPrivilege    1052  dllhost.exe
Token: SeDebugPrivilege  1204  msiexec.exe
Token: SeTcbPrivilege    1204  msiexec.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1188  s.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                       pid   process      target process
PID 1188 wrote to memory of 4304  1188  s.exe        ktmhelp.exe
PID 3192 wrote to memory of 1052  3192  ktmhelp.exe  dllhost.exe
PID 1052 wrote to memory of 1204  1052  dllhost.exe  msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
  C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 4304
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\system32\dllhost.exe 201 0
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1052
    - Blocklisted process makes network request
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
Filesize
74KB
MD5
ee1887696c8445caaaad13bdb39d5dba
SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
Filesize
96KB
MD5
0ba73a0db3913ba14be521f82c1b2c6c
SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
C:\Users\Admin\AppData\Local\Temp\OUT\update.log
Filesize
116KB
MD5
8c49d603e67e5933ff07216c80b0ed4b
SHA1
a31aaff7adccb8563a2f798816f9b211b774bf08
SHA256
6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c
SHA512
48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4
-
memory/1052-83-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-71-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-79-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-66-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-97-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-69-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1052-76-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-65-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-62-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-74-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-72-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-57-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-46-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1052-48-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-50-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-70-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-51-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1052-55-0x0000000000600000-0x000000000062E000-memory.dmpFilesize
184KB
-
memory/1188-1-0x0000000010000000-0x000000001005D000-memory.dmpFilesize
372KB
-
memory/1188-0-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1188-15-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1204-94-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-87-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-88-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-89-0x0000000000F50000-0x0000000000F51000-memory.dmpFilesize
4KB
-
memory/1204-93-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-92-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-95-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-106-0x0000000002DC0000-0x0000000002DEE000-memory.dmpFilesize
184KB
-
memory/1204-85-0x0000000001200000-0x0000000001201000-memory.dmpFilesize
4KB
-
memory/1516-36-0x0000000002830000-0x000000000285E000-memory.dmpFilesize
184KB
-
memory/1516-80-0x0000000002830000-0x000000000285E000-memory.dmpFilesize
184KB
-
memory/1516-38-0x0000000002830000-0x000000000285E000-memory.dmpFilesize
184KB
-
memory/1516-35-0x0000000002830000-0x000000000285E000-memory.dmpFilesize
184KB
-
memory/3192-49-0x0000000000F90000-0x0000000000FBE000-memory.dmpFilesize
184KB
-
memory/3192-43-0x0000000000F90000-0x0000000000FBE000-memory.dmpFilesize
184KB
-
memory/3192-44-0x0000000000F90000-0x0000000000FBE000-memory.dmpFilesize
184KB
-
memory/3192-42-0x0000000000F90000-0x0000000000FBE000-memory.dmpFilesize
184KB
-
memory/4304-14-0x0000000002B30000-0x0000000002B5E000-memory.dmpFilesize
184KB
-
memory/4304-16-0x0000000002B30000-0x0000000002B5E000-memory.dmpFilesize
184KB
-
memory/4304-13-0x00000000029E0000-0x0000000002AE0000-memory.dmpFilesize
1024KB