Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 11:09
Behavioral task
behavioral1
Sample
Free_Candy_Optimizer.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Free_Candy_Optimizer.exe
Resource
win10v2004-20240412-en
General
-
Target
Free_Candy_Optimizer.exe
-
Size
2.8MB
-
MD5
08ee4afb6173700b40bd882dcb430896
-
SHA1
3fbae4aa4fcf51624a730a4b0e4ecf88ee139597
-
SHA256
509166edc96857df176933f0efd86e52705c19c78922f833c9207d337742a277
-
SHA512
1e8b896fb4aa677d3d83b6ff48fbcfaf9484444de94f8464b1daa8ceb264617ea84e4811c4d67481d6244dd74370011a49ebe3b747a4a61f657e66264e4a577b
-
SSDEEP
49152:BXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVYq:BXzhW148Pd+Tf1mpcOldJQ3/VN
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
svchost.exespoolsv.exeFree_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Free_Candy_Optimizer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Free_Candy_Optimizer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeexplorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Free_Candy_Optimizer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Free_Candy_Optimizer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 6 IoCs
Processes:
free_candy_optimizer.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3636 free_candy_optimizer.exe 4964 icsys.icn.exe 4260 explorer.exe 1488 spoolsv.exe 4180 svchost.exe 3416 spoolsv.exe -
Processes:
resource yara_rule behavioral2/memory/3016-0-0x0000000000400000-0x0000000000A16000-memory.dmp themida C:\Windows\Resources\Themes\icsys.icn.exe themida behavioral2/memory/4964-14-0x0000000000400000-0x0000000000A16000-memory.dmp themida C:\Windows\Resources\Themes\explorer.exe themida behavioral2/memory/4260-24-0x0000000000400000-0x0000000000A16000-memory.dmp themida \??\c:\windows\resources\spoolsv.exe themida behavioral2/memory/1488-33-0x0000000000400000-0x0000000000A16000-memory.dmp themida \??\c:\windows\resources\svchost.exe themida behavioral2/memory/4180-42-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3016-47-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4964-49-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3416-48-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3016-54-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3416-53-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/1488-55-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4964-56-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4260-58-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4180-59-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4180-61-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4180-63-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4260-68-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/4260-76-0x0000000000400000-0x0000000000A16000-memory.dmp themida -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
svchost.exefree_candy_optimizer.exe explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" free_candy_optimizer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exeFree_Candy_Optimizer.exeicsys.icn.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Free_Candy_Optimizer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
Free_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3016 Free_Candy_Optimizer.exe 4964 icsys.icn.exe 4260 explorer.exe 1488 spoolsv.exe 4180 svchost.exe 3416 spoolsv.exe -
Drops file in Windows directory 5 IoCs
Processes:
explorer.exeFree_Candy_Optimizer.exeicsys.icn.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe Free_Candy_Optimizer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3920 timeout.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3704 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Free_Candy_Optimizer.exeicsys.icn.exepid process 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4964 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 4260 explorer.exe 4180 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
Free_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3016 Free_Candy_Optimizer.exe 3016 Free_Candy_Optimizer.exe 4964 icsys.icn.exe 4964 icsys.icn.exe 4260 explorer.exe 4260 explorer.exe 1488 spoolsv.exe 1488 spoolsv.exe 4180 svchost.exe 4180 svchost.exe 3416 spoolsv.exe 3416 spoolsv.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Free_Candy_Optimizer.exefree_candy_optimizer.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 3016 wrote to memory of 3636 3016 Free_Candy_Optimizer.exe free_candy_optimizer.exe PID 3016 wrote to memory of 3636 3016 Free_Candy_Optimizer.exe free_candy_optimizer.exe PID 3636 wrote to memory of 2880 3636 free_candy_optimizer.exe cmd.exe PID 3636 wrote to memory of 2880 3636 free_candy_optimizer.exe cmd.exe PID 3016 wrote to memory of 4964 3016 Free_Candy_Optimizer.exe icsys.icn.exe PID 3016 wrote to memory of 4964 3016 Free_Candy_Optimizer.exe icsys.icn.exe PID 3016 wrote to memory of 4964 3016 Free_Candy_Optimizer.exe icsys.icn.exe PID 2880 wrote to memory of 4372 2880 cmd.exe chcp.com PID 2880 wrote to memory of 4372 2880 cmd.exe chcp.com PID 2880 wrote to memory of 3920 2880 cmd.exe timeout.exe PID 2880 wrote to memory of 3920 2880 cmd.exe timeout.exe PID 4964 wrote to memory of 4260 4964 icsys.icn.exe explorer.exe PID 4964 wrote to memory of 4260 4964 icsys.icn.exe explorer.exe PID 4964 wrote to memory of 4260 4964 icsys.icn.exe explorer.exe PID 4260 wrote to memory of 1488 4260 explorer.exe spoolsv.exe PID 4260 wrote to memory of 1488 4260 explorer.exe spoolsv.exe PID 4260 wrote to memory of 1488 4260 explorer.exe spoolsv.exe PID 1488 wrote to memory of 4180 1488 spoolsv.exe svchost.exe PID 1488 wrote to memory of 4180 1488 spoolsv.exe svchost.exe PID 1488 wrote to memory of 4180 1488 spoolsv.exe svchost.exe PID 4180 wrote to memory of 3416 4180 svchost.exe spoolsv.exe PID 4180 wrote to memory of 3416 4180 svchost.exe spoolsv.exe PID 4180 wrote to memory of 3416 4180 svchost.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe"C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\free_candy_optimizer.exec:\users\admin\appdata\local\temp\free_candy_optimizer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c "Free Candy Optimizer.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Free Candy Optimizer.bat1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Free Candy Optimizer.batFilesize
98KB
MD5e86e31bbeb9493c361cfdc29d838f644
SHA1792d995da93083729d863e5fd48e873ac4052c3f
SHA2562bbf80db47959a275b23572b7cc7465ac29c6727fefbf6b9935d638589fc17ec
SHA51221ccce57366c2bf293423edcef79da82932847dae526b3c23536047465aed7b624c053c2a87dc322956e36a98291a128cd33e8149a92515bd80b8db087c66d91
-
C:\Users\Admin\AppData\Local\Temp\free_candy_optimizer.exeFilesize
236KB
MD5cd1fa5bcbc7b251dc0efdfd32d5fd6ee
SHA152908e931654115ddb0100ba7795295e31382844
SHA2569cb855726b752e515fbab26ef7e898f9ed19207d5aa0ee50b9481dd91c6386b6
SHA512ab93e24942581e5c5b8197c50bf7d0824dbe9f0a53a10e27908fe01a2e5c956f57c69d1cbc01136541195d8776984bf516ea4f1276bdae64ee1d514091f7064c
-
C:\Windows\Resources\Themes\explorer.exeFilesize
2.6MB
MD512e0daa28671752a830aea57fb026b99
SHA1ac87d2792c169c44a8fac964661a13e8ced26a51
SHA256b15b968bb32c97a7070f30d6b9eb6993390aedcb03450321be60b00937d6fa1b
SHA512ae280d9948bb66dce12a25fe15bae1c7a7f077b73798f86e660f42eebcfa2cf055b5f521bba6975846bfce32d981b4b3b7cb5c67e1f4452d8d92250db8411628
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
2.6MB
MD59b9e7bb08462ad4c2b8ddf65e78b5bc5
SHA1afd3b983ac985cb04cd50480c7c5e5fa988eef91
SHA25680e42ee9ada71279c0a02eaa6b9a0d27cc8bb5a2ad1c6a246f57463213ddff73
SHA512d370244819ac839f37712055cd4ae8187f3727ef01801d79a51756ea2fad6d4412afede151edf31c9f28b898994be3ecd26a0cb69d09a3d92d06e6e2fbdf094b
-
\??\c:\windows\resources\spoolsv.exeFilesize
2.6MB
MD5fab97f1b34155e3c2f1846533d8fe0f5
SHA142c06f599f125b0dba50b277a69a13ad3ef73079
SHA256f0afd5be34c1901041699a472d436c971e29a4c2b225aa7e0dd08ee0c03d76b0
SHA512fbcff7b95ed867ae28c1e08c851642d7c823169807181a74a10db56df8cb61a5d4d35a7cf5726b775555184aa7e00f072633c4a06826dce8246f014ebd195475
-
\??\c:\windows\resources\svchost.exeFilesize
2.6MB
MD5885163f6ec4f1e0f47a928cbb2936ca6
SHA1cceca488aab90f1555811c5f5e6ae48c61954c7b
SHA256601eccf4272dd3794cc7484a092ccc773447545e3428c7ae8569d5ec7d842823
SHA512345ed08c9c65560f1d484bbda2bdd056b1c5f5ec00cb00cfb252ea8801464a810e7b682174883e9db54d23ae4ff49b9cc6ab409bbeee47e0bed9df5ef3dc7f41
-
memory/1488-55-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1488-33-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3016-47-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3016-1-0x00000000779F4000-0x00000000779F6000-memory.dmpFilesize
8KB
-
memory/3016-0-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3016-54-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3416-48-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3416-53-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4180-59-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4180-42-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4180-61-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4180-63-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4260-58-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4260-24-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4260-68-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4260-76-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4964-49-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4964-14-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4964-56-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB