Analysis
-
max time kernel
30s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 20:38
General
-
Target
5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
-
Size
824KB
-
MD5
5d91acb715da8501370af725e44d7aa3
-
SHA1
118d2f7c992f0e5ec16b07fd18c410a9517a60e5
-
SHA256
03e1ef8b9811f1ef7b3561f527f2ab4fd7570b06d91ed7507898c98a9ca4c8f6
-
SHA512
ab56c511b5cb46b0f7e4daec6cec0c62d7c2b96fcde35d14c900aa0c5c81d4da6e506ddbeb7a78a21c69591ebf7dc23198f870bc00c0777ca913f17266b91059
-
SSDEEP
24576:PUFa7K4Jy/fVtktVGPrfO/WxvaXUTcLHFpSYiVtktVGPrfO/WT1:8qMlSyfO/WxyXukHFISyfO/WT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Program Files directory 39 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\net.exenet stop "Windows Firewall/Internet Connection Sharing (ICS)"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
-
C:\Windows\SysWOW64\net.exenet stop "Automatic Updates"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Automatic Updates"4⤵
-
C:\Windows\SysWOW64\net.exenet stop "Security Center"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"3⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ping.exeping www.putera.com -t -l 30005⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\ping.exeping www.tourism.gov.my -t -l 30005⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\ping.exeping www.miti.gov.my -t -l 30005⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"4⤵
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dllFilesize
808B
MD5f9144a29af9775feb89b66bc8679dff7
SHA186a1246436e2f6c26a7de1a36f7a94cfd6e8202b
SHA25637dd8b6797dc589dbaebb4c6db3b4f343389caf3c68a298b56a8f4faae1d0284
SHA5120c13f645591e85bb8ce4e43bde458e0c2ea771382d1738a495c20d21580a22d6b194a7e1c543c3fa395e2e2c9fc27710cccc1af5742037733b8398ee8dcdd74a
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrcFilesize
8KB
MD5cf07b3218b7a13466a3ab1abd929dc04
SHA10357e87e477c6c91af0dae6c7528089112bc4adb
SHA2560f19bef5cf2a0d134e2a8845caf5f8a57925c57c5bcc70b671fdf2dd71f52990
SHA51242e79e6bc3a1b183219fd327531402dd16dab72f1b6a4dd5475ffd5c556ee7a5564962a10880551d9bc27f989fd90beae3756349512e383eae9b3bd5b0bd1cbd
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\control.iniFilesize
176B
MD5fc0e51b62b341213d142b5061fe88606
SHA1a36c06ee541061a30ae14702c6d422366f1efda3
SHA256ef820d65689bda87756d2b775f286d992717289bb2e9bb2843903e05a87df3ef
SHA5125f44293217227a29f8031837ff87d7777cb425fb7b3684e925b349c54084d1a52bc1be6b19678c7dd20ed885c34dcafd063676549cdaaa93f1685d7ae8e9a70f
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dllFilesize
18KB
MD5ed6b628f8fcc9e5b4634047546b78091
SHA151d55b389381a84205ce07526b606f353e64a8dc
SHA2568aaa8cc5cee89de645ddc34bbaa4fe00274c4802ebda7120d1904fec1137fa33
SHA512ac97820615e26bd51cbc989fcbf3a028f2e5b12658449b4b6692f3cd82b2df08967118ee05aa7fd5063e439d1a0afbb611aa19f11a28d830612512a5438f63c7
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dllFilesize
267KB
MD53814086d561a22ed9005ba4f35c5987c
SHA130f3059629c123223208659be7ab45c234aa9434
SHA2565d918c11a0efcfaaea5981aa4b25520584e33d09e4e940c65078ca0581673387
SHA51255197cc81b499b35e14aa80f84a44449335fc85f3b2d757dcea2b1b172ceb7cb0ed4805dd1503d2fb1c3e680f4df0a9487e70b0fa270d4c5cb88e3a00370c9cd
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.iniFilesize
20KB
MD5d982ae777e8e44019b24bc272d84d582
SHA1a490d6472e8ee57fe7f6046a911dfdf6a5e4ed95
SHA256b9681ebd6aaa8276d307c2e5243eecfea97e045b9ffd432ad75974fb818cac82
SHA51225321a7325e330d37323e05a9a045fcd515cacd9555ba413eab1709cd59db92fbcfbb424ed150199720a338e0017331f4e1fbfcaf5763b64280d9ea29bcf06b2
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dllFilesize
2KB
MD5b023650f83ebe604181f657c0d8a4be1
SHA128b808d1fb4e9a6022c8a7de29248fcdb583eea9
SHA2561b12ded49161bc6bf18bf521fe233be4f41a4107d0c76fa2fa66a8023828fa36
SHA5128c4b703a19ab8be5c1c7fdafa1380e4c83f99370afae6dd938ef78066458665668ef4076740d151b6ad53eedc94b5934f486090058ead456d474e96fb7efeeff
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exeFilesize
563KB
MD581cfac8335822ba4bea1e50c46adf967
SHA1ea360da28b5aff7112b6f42404dc2ee2610e640c
SHA2561829bf1ccae25c61dca8eb1b4fea10c47276157cc619efb6ab8a8804592770a7
SHA51224dee2758eda2facb07c814737e4f20ea718a4ef42294dfc97a61c1af7b271df5ef0a0d414199ee89c8c496a1063d217173e32bcf4f305c3b41dca1ccf30c738
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dllFilesize
2KB
MD505e9217895f13d8b004c83d8223957cc
SHA15655ea6576dceaff14b7b27f4b347e85f322f9b1
SHA2560b767361d3dfbaa8ab7748eb0aecb104f394b4473b228e269addaebe95e2a4d6
SHA5128188c722a25d45a857712be7673a1b9bf43d1f4e64d891004d6b71ba6a20894f0fb833e877230b5cfc833b4d05a0d1a44c930aee6c9fcd3c712e149496482bf8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.comFilesize
824KB
MD55d91acb715da8501370af725e44d7aa3
SHA1118d2f7c992f0e5ec16b07fd18c410a9517a60e5
SHA25603e1ef8b9811f1ef7b3561f527f2ab4fd7570b06d91ed7507898c98a9ca4c8f6
SHA512ab56c511b5cb46b0f7e4daec6cec0c62d7c2b96fcde35d14c900aa0c5c81d4da6e506ddbeb7a78a21c69591ebf7dc23198f870bc00c0777ca913f17266b91059
-
C:\Windows\SYSTEM.INIFilesize
258B
MD5e8d131d743f705ac76d2015b0d574479
SHA175488ce3ed2ebc5af5eb84871f0ae8f9eb6bdb7b
SHA256bde725e617212c10c3da4c4483530a01aa60e4c564b4cec203df069dd6ffcdb7
SHA512587df4f33351cb67ad5b8412527a16085c506ff3a9ff7449419749a8f734c948635ae93fc27656715c33ea96f862a852f5436fc6c6063ca8fac7a84499233f14
-
memory/1120-186-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1120-260-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1120-187-0x0000000000D00000-0x0000000000D01000-memory.dmpFilesize
4KB
-
memory/1168-125-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1168-117-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1168-119-0x00000000006A0000-0x00000000006A2000-memory.dmpFilesize
8KB
-
memory/1404-100-0x0000000002CE0000-0x0000000002CE2000-memory.dmpFilesize
8KB
-
memory/1404-165-0x0000000003F20000-0x0000000004F53000-memory.dmpFilesize
16.2MB
-
memory/1404-128-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1404-161-0x0000000003F20000-0x0000000004F53000-memory.dmpFilesize
16.2MB
-
memory/1404-162-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1404-164-0x0000000003F20000-0x0000000004F53000-memory.dmpFilesize
16.2MB
-
memory/1404-97-0x0000000003C70000-0x0000000003C71000-memory.dmpFilesize
4KB
-
memory/1404-212-0x0000000003F20000-0x0000000004F53000-memory.dmpFilesize
16.2MB
-
memory/1404-107-0x0000000002CE0000-0x0000000002CE2000-memory.dmpFilesize
8KB
-
memory/1404-50-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1404-68-0x00000000006A0000-0x00000000006A2000-memory.dmpFilesize
8KB
-
memory/2228-230-0x0000000000D30000-0x0000000000D32000-memory.dmpFilesize
8KB
-
memory/2228-180-0x0000000000D30000-0x0000000000D32000-memory.dmpFilesize
8KB
-
memory/2228-183-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/2236-170-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/2236-182-0x0000000000F30000-0x0000000000F32000-memory.dmpFilesize
8KB
-
memory/2236-239-0x0000000000F30000-0x0000000000F32000-memory.dmpFilesize
8KB
-
memory/2732-140-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/2800-51-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmpFilesize
64KB
-
memory/2800-57-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmpFilesize
64KB
-
memory/2800-70-0x00007FFC893A0000-0x00007FFC893B0000-memory.dmpFilesize
64KB
-
memory/2800-69-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-52-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-54-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-56-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-55-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmpFilesize
64KB
-
memory/2800-94-0x00007FFC893A0000-0x00007FFC893B0000-memory.dmpFilesize
64KB
-
memory/2800-53-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmpFilesize
64KB
-
memory/2800-59-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-138-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-67-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-66-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-65-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-134-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-49-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmpFilesize
64KB
-
memory/2800-130-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-61-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-64-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/2800-62-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmpFilesize
2.0MB
-
memory/3612-99-0x0000000002D00000-0x0000000002D02000-memory.dmpFilesize
8KB
-
memory/3612-120-0x0000000002D00000-0x0000000002D02000-memory.dmpFilesize
8KB
-
memory/3612-93-0x00000000036E0000-0x00000000036E1000-memory.dmpFilesize
4KB
-
memory/3612-105-0x0000000002D00000-0x0000000002D02000-memory.dmpFilesize
8KB
-
memory/3688-273-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/3688-274-0x00000000008F0000-0x00000000008F2000-memory.dmpFilesize
8KB
-
memory/3780-9-0x0000000002B10000-0x0000000003B43000-memory.dmpFilesize
16.2MB
-
memory/3780-86-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/3780-0-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/3780-155-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/3780-36-0x0000000002B10000-0x0000000003B43000-memory.dmpFilesize
16.2MB
-
memory/3780-1-0x00000000006C0000-0x00000000006C2000-memory.dmpFilesize
8KB
-
memory/3780-2-0x0000000002B10000-0x0000000003B43000-memory.dmpFilesize
16.2MB
-
memory/3780-5-0x0000000002B10000-0x0000000003B43000-memory.dmpFilesize
16.2MB
-
memory/3780-123-0x0000000002AE0000-0x0000000002AE2000-memory.dmpFilesize
8KB
-
memory/3780-10-0x0000000002AE0000-0x0000000002AE2000-memory.dmpFilesize
8KB
-
memory/3780-35-0x0000000002B10000-0x0000000003B43000-memory.dmpFilesize
16.2MB
-
memory/3780-12-0x0000000002AF0000-0x0000000002AF1000-memory.dmpFilesize
4KB
-
memory/3780-14-0x0000000002AE0000-0x0000000002AE2000-memory.dmpFilesize
8KB
-
memory/4060-264-0x0000000000130000-0x0000000000147000-memory.dmpFilesize
92KB
-
memory/4228-222-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB
-
memory/4228-172-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/4228-168-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB
-
memory/4228-167-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/4228-104-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/4228-102-0x00000000023F0000-0x00000000023F2000-memory.dmpFilesize
8KB
-
memory/4320-131-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/4320-126-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/4968-88-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/4968-90-0x00000000006A0000-0x00000000006A2000-memory.dmpFilesize
8KB
-
memory/4968-96-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/5056-133-0x0000000000400000-0x00000000005CA000-memory.dmpFilesize
1.8MB