Analysis
-
max time kernel
40s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 02:40
General
-
Target
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
-
Size
1.7MB
-
MD5
76306394646f5a2bc1b61ded001f1b26
-
SHA1
781c36faafca1c6279cd60704a472d1503336408
-
SHA256
89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff
-
SHA512
6a234c69d1a6d18f2999350fb213dc29b7eca7987d76b99e78cc2c344159bcc52e28954c8ae44b7873af7b627292e9c33c9896c23d107847991064489e6c2dc6
-
SSDEEP
24576:k5xolYQY6qObJ97J2xc20J7pBD0aej1zj1SqdAGFQZIxpK545UJoeKYd:nY4RGk7pBwVRzjYq+ZI2a5UJoeH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs
-
UPX dump on OEP (original entry point) 34 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe"C:\Users\Admin\AppData\Local\Temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\users\admin\appdata\local\temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exec:\users\admin\appdata\local\temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\appdata\local\temp\360TS_Setup.exe"C:\Users\Admin\appdata\local\temp\360TS_Setup.exe" /c:101 /pmode:24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\1716345650_0\360TS_Setup.exe"C:\Program Files (x86)\1716345650_0\360TS_Setup.exe" /c:101 /pmode:2 /TSinstall5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 02:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 02:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 02:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8Filesize
2KB
MD51644fc022c50640be4434b7afdfc6949
SHA1b66cf51b7a7cfd457b78aae87c9321a08ba7812d
SHA2561728883bbe836ae1f5f4ae3e644353d519a4b60a0bc2b21798cb1163c851ad9a
SHA5126a084caeb72ef3793551bf57420f589b83e3360ec8cf6a22decc857f0d42193d2359b0957a516de0a5ce6c28490e1d72d74e9bede5e06389e310f39df1fbf80f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD5d8e0e108bd3225ee4823e2501a9c59b8
SHA190ee76ccb7a8c1cee70959c25f1cfffcb399aaeb
SHA256482fed17ea597c86abe64224786bd51836c64071c1047ca970c09ae96185c1cf
SHA512d7bd3501cf8a9a5d1f8cc34c5bd88af6228f40c97bb48f58cdfdded4775769d215c8029fb9fad8cfb27628e2550092c1bd82574f1218540c4288da141d581d48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8Filesize
488B
MD526b89fe30436107a707050d95fd63db7
SHA1c9bd32de11f9ab38f7cd539bc3620f9d8a04bb64
SHA256e2b9c84601486a81d21617b11d0ad785bb2459b44b5c6998e377359e63e09a50
SHA5121c95bace1d474ddb41294b9876b397ec44dee227493b0dca4d1224b62a231e149b25d5923f8690f8481f6fa4727b787d7cb3495b1895414e968014875bd169e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD56ae0956532e7625eff23ce4cd83ae757
SHA1e4f0f527891d9600078b42a600d1086c05964494
SHA2561f7a43d8a0cd42ab7d8382ebe47f0c5428b4e862d3363edf265fda396df7cb9a
SHA51200ce1e6aebf75c1eddd0419d6a2c48fcd8dc08bdbe035ad4ad86210aae32ed4dadca2ad186ac3e2ab02f0f384fadd63479a47afb42b2d8bed0c72ec53e7e7c57
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1716345650_00000000_base\360base.dllFilesize
1.0MB
MD5b192f34d99421dc3207f2328ffe62bd0
SHA1e4bbbba20d05515678922371ea787b39f064cd2c
SHA25658f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA51200d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95
-
C:\Users\Admin\AppData\Local\Temp\{73EB6E63-04FC-4d80-BDA2-130CDB5BBEDF}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Local\Temp\{BEF3E624-CFE3-4c66-9B6E-EA5BBCE17BF9}.tmpFilesize
3KB
MD52fee0e7e5c0db9a7f984a58bda3be11e
SHA14647e1517cf69154de140f722ec7ef39965d7189
SHA2564f2ad3f06aed602b6249c5d69b9558c546830116cc5f20d51eaff55937faf0ed
SHA5127e9834e9e7b16aecd17f0aac331d7396cd6ade3c8ea71d73956c19777f68d9eebc8645348b9c9d81769c2b3a45e158084e4877f4547cf876e0b90cef9c1155e5
-
C:\Users\Admin\AppData\Local\icsys.icn.exeFilesize
287KB
MD50655b67e940ee126cb08c1420b3c25f1
SHA1c902b5cbbe052b69b6f2c291846021e537f22d77
SHA25625c49ee82561993047f1ebf0a1f5cac9eabd8402ff6a087aa983e4a88dd4ade2
SHA5126e63d036fddffee1b59e19267349404ad210bbb607739f3ac139930e0e077573e921a14507feaf377ad0326d01e38f92ea4db0d5108f527b14ff9185b1f92fa1
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
287KB
MD597a2bfe1d8c33eb556a9fed1d01f96ce
SHA12383bf2788de93a2e87b36b9fcaf95c2ccd6ec30
SHA256395f793c8dfd31be8348371720fec12607fbf9273e82d56c593287f74acf5f64
SHA512b05f83d688a96a78341a3a82b17c2822ea93afa5e76270f5a3506728ece95e7d0a32d065325f729c370941c44560143c3114972c5892d2c3c72a2a3326924ae5
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5dd23035735b20e81256917bc67c6eae1
SHA135597f77c38969c1e4e5c481a259d21a36ee4806
SHA256667f331c1f5e7fc0f30e55ad7bbe11522eafa01bb1f0ce7668cc7d31ded27a32
SHA5128713eed2a912efdbd1d9c523657eebd080fb183ce3566a3efb070f5184044ce5f2746007c21474a1e97f8034ea180ed67dc077899df0ef17b60e4df5a1d90013
-
C:\Windows\System\explorer.exeFilesize
287KB
MD55621cfa9eb732f01e1a5b05dcedc5f73
SHA12af698fbbb76443ef3067f936406e9d634cc5b4c
SHA2562a5e14c133c3ebe0487ad3593f0fe2d86d3aa14c71a1d5f5cd024e0c7d92cac3
SHA512adc32efdf823e403cdcd8e4674ee8b90ef3b89ed6129d4658a45f3a1456c2cd2fd006e5cfd81a6defce9eabc320bd0b0581bcbdc202d12959155acea577af044
-
C:\iowwww.pifFilesize
100KB
MD55e2972bb6350c84ed2af1195f5705fc7
SHA1645a5b93303243abf433abe1281acda3bd418716
SHA256ce1f05b6ed054794c09b110254abd93f20d49f77f6e7c66c1e75e65746f6701a
SHA5128c91eb10374494122240a097193865c0a418e31ca8d4be6ffd56541c37c71d7540b292499b0578784969fc969a8cb6b2666ebae819e762accdbab9d068a9cb39
-
\??\c:\users\admin\appdata\local\temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeFilesize
1.4MB
MD5fa39b3b422dc4232ef24e3f27fa8d69e
SHA1db04fa528bceb7284606997c660c74b8776892f7
SHA2564966ffd1379486d8d16508579522df2d19a715aac1ba168cb14dd8310b8adaf6
SHA512b60b661142653fc3007d1fc41fb25a8ab52290f7f4bc342974012fba7b53013f69f2e28dd761f9063675f48560c42eeae6523e336ed733e299f83a105a179e34
-
\??\c:\windows\system\spoolsv.exeFilesize
287KB
MD5078aab967cf490792e86a9c514c4c1d3
SHA1392256e32cb593b742967354a9a1855999fa0644
SHA256b9931f8c87d661cccd85a630040dd19422f15f5e812ddf2ce0a347b039425aaa
SHA5128b07b9b32f5e0d70a3eeec90a13cf7c8b3d8140a6b9ae254d7c7dfb5701ec28f743ab29a295d390f296a3f218d468f3bc78d56058eaad9a98a2b32f7b91cc748
-
\??\c:\windows\system\svchost.exeFilesize
287KB
MD580974350bd41b0d1f3ce403695e7d806
SHA1c1a6a166c320b20a5192eaeb7dae069e718c8a30
SHA256f4620ae6aaf67b46e8c1e842e69be0bd4e6de1b7543e8512e80487e82eec9150
SHA5128aa6a14e486387a2ec2c0643efd7e8cbbc3ddab12fc6c1e32bd10a1a517fb5a3147978a35aff7b4702116b12a790a0974b94bcb97ac4b58e54952acebbbbec50
-
memory/896-170-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/896-129-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1164-13-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-9-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/1164-25-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-50-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-18-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-15-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-5-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-7-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-17-0x00000000023A0000-0x00000000023A2000-memory.dmpFilesize
8KB
-
memory/1164-6-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-82-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1164-14-0x00000000023A0000-0x00000000023A2000-memory.dmpFilesize
8KB
-
memory/1164-64-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-70-0x00000000023A0000-0x00000000023A2000-memory.dmpFilesize
8KB
-
memory/1164-4-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-8-0x00000000023A0000-0x00000000023A2000-memory.dmpFilesize
8KB
-
memory/1164-24-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1164-16-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-1-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1164-3-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/1820-139-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2136-43-0x00000000032F0000-0x00000000032F1000-memory.dmpFilesize
4KB
-
memory/2136-52-0x0000000003E70000-0x0000000003E71000-memory.dmpFilesize
4KB
-
memory/2136-59-0x0000000003E20000-0x0000000003E22000-memory.dmpFilesize
8KB
-
memory/2136-60-0x0000000003E20000-0x0000000003E22000-memory.dmpFilesize
8KB
-
memory/2448-92-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/2448-118-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2480-123-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-167-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2480-93-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-96-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-131-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-94-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-89-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-140-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-142-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-29-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2480-117-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-87-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-122-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-152-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-163-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2480-88-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-97-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-56-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2480-95-0x0000000003910000-0x000000000499E000-memory.dmpFilesize
16.6MB
-
memory/2480-54-0x00000000006C0000-0x00000000006C1000-memory.dmpFilesize
4KB
-
memory/2480-55-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2660-166-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2660-146-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB