Analysis
-
max time kernel
40s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
22-04-2024 20:17
General
-
Target
9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
-
Size
1.4MB
-
MD5
325498b217d0b0ec66422357f0481dfa
-
SHA1
c85f1a5a0fec0d752525edc810ae2e96b6a5375c
-
SHA256
9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5
-
SHA512
41a00b502303d06fad9f86a94c74f8cd84984a6f91e1c100df96866c21d5ad071d1067623b8332a34dd57cb8c8802377b14cbe6013c189bb13f41394f8156e91
-
SSDEEP
24576:dO2uYj3kfi6KUjjcbnB7lY1SUkhYigJI1f+avnDKfydfqf0U3J:+s6FcbnDb4JI1f+sDKfydif0S
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe"C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\nuvcrgaa.dll Exucute4⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop WinDefend5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend6⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc6⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" stop PolicyAgent5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\wtbhrgaa.dll Exucute4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exeC:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://baoku.360.cn/4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2052 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2144 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5744 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5876 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5396 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4620 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6124 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv CS5xfzsoDUSBZ/cngqUv2A.0.21⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Modify Registry
6Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\249A.tmpFilesize
4.3MB
MD56c7cdd25c2cb0073306eb22aebfc663f
SHA1a1eba8ab49272b9852fe6a543677e8af36271248
SHA25658280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
SHA51217344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6
-
C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exeFilesize
604KB
MD50379e70afd7d57a717a167aba8f2bf18
SHA102ac6d57f1eb69553ed5ec286af5d170e21fad7e
SHA2564aeb1dd860b8437a4ac3adc63516d33634613f527b266bd205380bf9c399d287
SHA51272ae74cedf89d7cae83d72e52a58ec7a4aac8313a4e5b24743f6cceea1551fa9d9922bceeac57ad2a95e153f9bcf9df9f5c91e275422106de1f56394951f71b8
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5481b082183b5e69532661442bb872f6e
SHA1dad2aa18e4c85a7998f2145f98fed1a49259e494
SHA256ec9a681ed543a26ded60c9d5b599693c66a3784f3fdabdc8f2c327af8bbae48f
SHA5127dd4341ecbaab9b7a16e3a10aee41394be05ec12004195e0d7e78b01aabc05e724d0ff974761f4373b4251ad55ecfa88695918899df1dec947407c9760d3e7bb
-
C:\Windows\SysWOW64\nuvcrgaa.dllFilesize
57KB
MD5c848f68231f5ac20c4245f84079a9759
SHA12a11d803f5103534902419b9e8b54a0144bc3551
SHA2568158733f86af1ffcf56df01831c69cf18effa94a77acd51189a7ba364a1d9f92
SHA512bae7ae9269565186e78609613d4406553f8848bf96e853118704bca0908a0db04907d52d1440cce2c8f9061740ba0a16b091ea3f71bf012e9b2368fb1d751845
-
C:\Windows\SysWOW64\system.exeFilesize
860KB
MD589a618337b7842fc9d21840d031901e7
SHA104adb161ed30732d4fa0416aa6f82b94c21a1e51
SHA256084021e8c8914a1be6a55d107fecb45495ea87d3702e5bf17ae14121993e3a25
SHA512cd9e30d4ad5644a61ff8bc938a09d56852f830978c9d0a2d8dc7866953d3909f248f4d200abb89cec7f0fa18f1aa6c0abe5cacb9c8aa4faf3deb94640ce5f1fb
-
C:\Windows\SysWOW64\wtbhrgaa.dllFilesize
18KB
MD5921039f6ac6a00846b4051b541001d03
SHA11667e66311f8a3528bb12de1afb6a8f23e45c9b0
SHA2565f3169f76a37f227621e96d263d52ca15e4462f73a9a6f8968c9689ec63e78bc
SHA51280efcaf4007290f25ab789b721ad18ee401cb99999ee79e1cc7931c7a31ebd753016266025fb159a76efa436fac912b7b5254aed4f8c5e6aaaf2c83365f7b4a9
-
F:\yvgak.pifFilesize
97KB
MD55b64b14b6e8c85e6c7b79d63d7743302
SHA18a992c7654fca79ee90ac2e6ad85cb49d14d1e8c
SHA256013878d38fc2c451ed2b83db64604b8258d7159d39a0472484fe89184f73fdf2
SHA512b505302cfdb9034881aa9864e015c3d07027d88d4d30b0eb3d31e3e9b211699134a5fd171b166dcd03854f328b7276fb3282be0969323cbf41e28a3edec1064f
-
memory/1536-49-0x0000000000AF0000-0x0000000000AF2000-memory.dmpFilesize
8KB
-
memory/1536-47-0x0000000000AF0000-0x0000000000AF2000-memory.dmpFilesize
8KB
-
memory/1536-43-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/2912-45-0x0000000000E40000-0x0000000000E42000-memory.dmpFilesize
8KB
-
memory/2912-57-0x0000000000E40000-0x0000000000E42000-memory.dmpFilesize
8KB
-
memory/2912-39-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/3536-183-0x0000000002A20000-0x0000000002A22000-memory.dmpFilesize
8KB
-
memory/3536-91-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/3536-113-0x0000000002A20000-0x0000000002A22000-memory.dmpFilesize
8KB
-
memory/3536-102-0x0000000002A70000-0x0000000002A71000-memory.dmpFilesize
4KB
-
memory/3536-103-0x0000000002A20000-0x0000000002A22000-memory.dmpFilesize
8KB
-
memory/4416-19-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/4416-16-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/4416-180-0x0000000002E50000-0x0000000003F0A000-memory.dmpFilesize
16.7MB
-
memory/4416-0-0x0000000000670000-0x00000000007E4000-memory.dmpFilesize
1.5MB
-
memory/4416-18-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/4416-111-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/4416-97-0x0000000002E50000-0x0000000003F0A000-memory.dmpFilesize
16.7MB
-
memory/4416-96-0x0000000002E50000-0x0000000003F0A000-memory.dmpFilesize
16.7MB
-
memory/4416-95-0x0000000002E50000-0x0000000003F0A000-memory.dmpFilesize
16.7MB
-
memory/4416-93-0x0000000002E50000-0x0000000003F0A000-memory.dmpFilesize
16.7MB
-
memory/4416-42-0x0000000000670000-0x00000000007E4000-memory.dmpFilesize
1.5MB
-
memory/4640-112-0x00000000036E0000-0x00000000036E2000-memory.dmpFilesize
8KB
-
memory/4640-99-0x0000000003770000-0x0000000003771000-memory.dmpFilesize
4KB
-
memory/4640-100-0x00000000036E0000-0x00000000036E2000-memory.dmpFilesize
8KB
-
memory/4640-182-0x00000000036E0000-0x00000000036E2000-memory.dmpFilesize
8KB
-
memory/4736-37-0x0000000002F00000-0x0000000002F02000-memory.dmpFilesize
8KB
-
memory/4736-61-0x0000000002F00000-0x0000000002F02000-memory.dmpFilesize
8KB
-
memory/4736-30-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/4752-48-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-40-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-60-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-56-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-55-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-54-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-50-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-53-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-66-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-73-0x0000000003380000-0x0000000003382000-memory.dmpFilesize
8KB
-
memory/4752-82-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4752-29-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-28-0x0000000003380000-0x0000000003382000-memory.dmpFilesize
8KB
-
memory/4752-17-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-22-0x0000000003390000-0x0000000003391000-memory.dmpFilesize
4KB
-
memory/4752-15-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-12-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-10-0x0000000002190000-0x000000000324A000-memory.dmpFilesize
16.7MB
-
memory/4752-4-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB