Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 10:18

Static task: static1
Behavioral task: behavioral1
Sample: 05e18159486bf037d3b28317a7268710.exe.bin.dll
Resource: win7-20240508-en
General
- Target: 05e18159486bf037d3b28317a7268710.exe.bin.dll
- Size: 120KB
- MD5: 05e18159486bf037d3b28317a7268710
- SHA1: cb1c43d6296177f8aa04defaf68ba8a9e879ecd8
- SHA256: b23e8b82fc82399c8aa50a86f8f592fa689ad3841dcc80a49b01e35bb3caea79
- SHA512: 3f3582a794efbffc755960fbe1e925b12d5f90222843b4fca756c724db9bbb727cff549499dc49f06d98caa7274c52a1a8785ae860d0edac55fd70c32e4114bf
- SSDEEP: 3072:fNd7a82lh8+YYZ813i2vZjs9eRjcL12ik:ff7wX8+YYZ8oyjcQjc0ik
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76390a.exe |
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76390a.exe |
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76390a.exe |
Executes dropped EXE (3 IoCs)
Processes: f761af0.exe, f761ca5.exe, f76390a.exe

| pid | process |
| --- | --- |
| 1932 | f761af0.exe |
| 2204 | f761ca5.exe |
| 804 | f76390a.exe |
Loads dropped DLL (6 IoCs)
Processes: rundll32.exe

| pid | process |
| --- | --- |
| 1444 | rundll32.exe |
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761af0.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76390a.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76390a.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76390a.exe |
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76390a.exe |
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\J: | f761af0.exe |
| File opened (read-only) | \??\P: | f761af0.exe |
| File opened (read-only) | \??\Q: | f761af0.exe |
| File opened (read-only) | \??\T: | f761af0.exe |
| File opened (read-only) | \??\H: | f76390a.exe |
| File opened (read-only) | \??\H: | f761af0.exe |
| File opened (read-only) | \??\M: | f761af0.exe |
| File opened (read-only) | \??\R: | f761af0.exe |
| File opened (read-only) | \??\E: | f76390a.exe |
| File opened (read-only) | \??\G: | f76390a.exe |
| File opened (read-only) | \??\L: | f761af0.exe |
| File opened (read-only) | \??\O: | f761af0.exe |
| File opened (read-only) | \??\S: | f761af0.exe |
| File opened (read-only) | \??\G: | f761af0.exe |
| File opened (read-only) | \??\I: | f761af0.exe |
| File opened (read-only) | \??\K: | f761af0.exe |
| File opened (read-only) | \??\N: | f761af0.exe |
Drops file in Windows directory (3 IoCs)
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\f761b4e | f761af0.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f761af0.exe |
| File created | C:\Windows\f766b51 | f76390a.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: f761af0.exe, f76390a.exe

| pid | process |
| --- | --- |
| 1932 | f761af0.exe |
| 804 | f76390a.exe |
Suspicious use of AdjustPrivilegeToken (41 IoCs)
Processes: f761af0.exe, f76390a.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1932 | f761af0.exe |
| Token: SeDebugPrivilege | 804 | f76390a.exe |
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: rundll32.exe, rundll32.exe, f761af0.exe, f76390a.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3044 wrote to memory of 1444 | 3044 | rundll32.exe | rundll32.exe |
| PID 1444 wrote to memory of 1932 | 1444 | rundll32.exe | f761af0.exe |
| PID 1932 wrote to memory of 1104 | 1932 | f761af0.exe | taskhost.exe |
| PID 1932 wrote to memory of 1152 | 1932 | f761af0.exe | Dwm.exe |
| PID 1932 wrote to memory of 1188 | 1932 | f761af0.exe | Explorer.EXE |
| PID 1932 wrote to memory of 1500 | 1932 | f761af0.exe | DllHost.exe |
| PID 1932 wrote to memory of 3044 | 1932 | f761af0.exe | rundll32.exe |
| PID 1932 wrote to memory of 1444 | 1932 | f761af0.exe | rundll32.exe |
| PID 1444 wrote to memory of 2204 | 1444 | rundll32.exe | f761ca5.exe |
| PID 1444 wrote to memory of 804 | 1444 | rundll32.exe | f76390a.exe |
| PID 1932 wrote to memory of 2204 | 1932 | f761af0.exe | f761ca5.exe |
| PID 1932 wrote to memory of 804 | 1932 | f761af0.exe | f76390a.exe |
| PID 804 wrote to memory of 1104 | 804 | f76390a.exe | taskhost.exe |
| PID 804 wrote to memory of 1152 | 804 | f76390a.exe | Dwm.exe |
| PID 804 wrote to memory of 1188 | 804 | f76390a.exe | Explorer.EXE |
System policy modification (1 TTPs, 2 IoCs)
Processes: f761af0.exe, f76390a.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761af0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76390a.exe |
Processes
C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1104

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1152

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1188

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05e18159486bf037d3b28317a7268710.exe.bin.dll,#1
    PID: 3044
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05e18159486bf037d3b28317a7268710.exe.bin.dll,#1
      PID: 1444
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f761af0.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f761af0.exe
        PID: 1932
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      C:\Users\Admin\AppData\Local\Temp\f761ca5.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f761ca5.exe
        PID: 2204
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\f76390a.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76390a.exe
        PID: 804
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1500
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 3
- Modify Registry: 5
Downloads
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 1feff98a3cf2fd342de45d28c4b700e8
  SHA1: 4a259f41336ee86931b7770ab4dd7bdbd0b22a06
  SHA256: 4f9047117bbd3c5990b37f7fa528410306d909bcd9f7be6c6fb6d41ce9bb76f9
  SHA512: 60e8dd481f9230c4576a64388f35472b97d7f8092778f083aa7873b85c5b655bcdb2495bc2ee8ff23977acfc37b9761b79cd378b9778d39075ec7a88bb4a1c71
- \Users\Admin\AppData\Local\Temp\f761af0.exe
  Filesize: 97KB
  MD5: 0aa2c82fda03fdae944a9b6eab306a78
  SHA1: c113097a99dd0380b13c1d965023476c04bd2b73
  SHA256: b4ccf355dcd28edb30d8ccdafc8b9beb3b5af12069333442574020520900786f
  SHA512: b33338d009eb93538756cccfa07f99e62c493d3275bf5a7a27be2999f7eddcd09de510287d7660b7acab09ccd4468f34ebb70145923dcc9afc7c7eafa2b63716