Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 06:06
Static task
static1
Behavioral task
behavioral1
Sample
130e262fc8d5700e44df1213fa857f7f.exe
Resource
win7-20240221-en
General
-
Target
130e262fc8d5700e44df1213fa857f7f.exe
-
Size
829KB
-
MD5
130e262fc8d5700e44df1213fa857f7f
-
SHA1
e503933d4e1906f7ad224b2e81a67a9b2ac8119e
-
SHA256
2de9fa092d7c352b538462db3b0a9aa757924ad55383b24a61e797cf3cf08372
-
SHA512
58defe66c7bb104a17c54b8da3ab4e786080f2b04b04bac8dd591131a869731d6d2a1bd249b234368c3dab7d7d49e9bfb0b15e4993b323f59319a57b27968690
-
SSDEEP
24576:Yg61jjk0LAta9AuDIPQJZTcwICn8VgtugrQzhu:60YZgwICtU0Shu
Malware Config
Extracted
nanocore
1.2.2.0
2023endofyear.duckdns.org:15230
127.0.0.1:15230
8c336e03-69eb-4281-b96d-2ac47eee0dc7
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-03-23T06:08:52.807981736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
15230
-
default_group
JUNE/24
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
8c336e03-69eb-4281-b96d-2ac47eee0dc7
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
2023endofyear.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 1840 powershell.exe 4588 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
130e262fc8d5700e44df1213fa857f7f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 130e262fc8d5700e44df1213fa857f7f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" 130e262fc8d5700e44df1213fa857f7f.exe -
Processes:
130e262fc8d5700e44df1213fa857f7f.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 130e262fc8d5700e44df1213fa857f7f.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exedescription pid process target process PID 3364 set thread context of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe -
Drops file in Program Files directory 2 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exedescription ioc process File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe 130e262fc8d5700e44df1213fa857f7f.exe File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe 130e262fc8d5700e44df1213fa857f7f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 3568 schtasks.exe 2820 schtasks.exe 3440 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exepowershell.exepowershell.exe130e262fc8d5700e44df1213fa857f7f.exepid process 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 3364 130e262fc8d5700e44df1213fa857f7f.exe 1840 powershell.exe 1840 powershell.exe 4588 powershell.exe 4588 powershell.exe 1840 powershell.exe 4588 powershell.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe 1732 130e262fc8d5700e44df1213fa857f7f.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exepid process 1732 130e262fc8d5700e44df1213fa857f7f.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exepowershell.exepowershell.exe130e262fc8d5700e44df1213fa857f7f.exedescription pid process Token: SeDebugPrivilege 3364 130e262fc8d5700e44df1213fa857f7f.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeDebugPrivilege 1840 powershell.exe Token: SeDebugPrivilege 1732 130e262fc8d5700e44df1213fa857f7f.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
130e262fc8d5700e44df1213fa857f7f.exe130e262fc8d5700e44df1213fa857f7f.exedescription pid process target process PID 3364 wrote to memory of 1840 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 1840 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 1840 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 4588 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 4588 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 4588 3364 130e262fc8d5700e44df1213fa857f7f.exe powershell.exe PID 3364 wrote to memory of 3568 3364 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 3364 wrote to memory of 3568 3364 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 3364 wrote to memory of 3568 3364 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 3364 wrote to memory of 3184 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 3184 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 3184 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 3364 wrote to memory of 1732 3364 130e262fc8d5700e44df1213fa857f7f.exe 130e262fc8d5700e44df1213fa857f7f.exe PID 1732 wrote to memory of 2820 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 1732 wrote to memory of 2820 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 1732 wrote to memory of 2820 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 1732 wrote to memory of 3440 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 1732 wrote to memory of 3440 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe PID 1732 wrote to memory of 3440 1732 130e262fc8d5700e44df1213fa857f7f.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qAUEpTI.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qAUEpTI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp"2⤵
- Creates scheduled task(s)
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"2⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp"3⤵
- Creates scheduled task(s)
PID:2820 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EF2.tmp"3⤵
- Creates scheduled task(s)
PID:3440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵PID:3532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD55f8e5179b60b1e1985326521a6072dc2
SHA179f9b591d896e30fccf6559dd415b7bd13805a70
SHA2560033985978062666637739f5f4a1601f11c2a1f030215b8c1aa0608a683537a4
SHA512f4dbd4a4f9334724f78a30292fd3e79f1e2f39d4270de88d49b415ea5447c98e41883d7d3bde1e1793c528d46e06c06ba44cda1957c999d4e27da805fa08d25f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oswop02t.gsw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp556E.tmpFilesize
1KB
MD503c5a11af6aa464c10cb54c77cc479e1
SHA13022051e6103c2bbc7a6cecfdf1cb108ef7d769c
SHA2566fbce2f772beb643530f5b6331c9c2068f4ac82d4cdbbd37b7282ecbb965aa3f
SHA512a7a15fa6255eee9173f391175e70a6732730a9ae787893c63f4f497e176980f77ccea6190fd07456344cfe69ce60000d8981b9e21ad9494847dd1cac55b89bc8
-
C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmpFilesize
1KB
MD57ca5bfa8b1d5d27408930d7f42beb425
SHA1ef4fb82a20b357e3f678ac4f8988a03fc60db2ed
SHA2566b4072c53ba8e49354e554299945d7a9adcda2e42a13634b05ae8d9a4b05f0d7
SHA5120dea5fa64bbd98e1515a01357110926a4a4801a3d188393c6e0630868dfbf0b21a55708d5ca8dfc8f70fb0bfc95fc42b70822f76696d91a11d486e2f1637532a
-
C:\Users\Admin\AppData\Local\Temp\tmp6EF2.tmpFilesize
1KB
MD50339b45ef206f4becc88be0d65e24b9e
SHA16503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA2563d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
-
memory/1732-92-0x0000000006ED0000-0x0000000006EDE000-memory.dmpFilesize
56KB
-
memory/1732-61-0x00000000065E0000-0x00000000065EA000-memory.dmpFilesize
40KB
-
memory/1732-93-0x0000000006EE0000-0x0000000006EEC000-memory.dmpFilesize
48KB
-
memory/1732-94-0x0000000006EF0000-0x0000000006F04000-memory.dmpFilesize
80KB
-
memory/1732-96-0x0000000006F30000-0x0000000006F44000-memory.dmpFilesize
80KB
-
memory/1732-91-0x0000000006EC0000-0x0000000006ED2000-memory.dmpFilesize
72KB
-
memory/1732-90-0x0000000006EB0000-0x0000000006EBE000-memory.dmpFilesize
56KB
-
memory/1732-89-0x0000000006E80000-0x0000000006E9A000-memory.dmpFilesize
104KB
-
memory/1732-88-0x0000000006E70000-0x0000000006E82000-memory.dmpFilesize
72KB
-
memory/1732-95-0x0000000006F20000-0x0000000006F30000-memory.dmpFilesize
64KB
-
memory/1732-59-0x00000000064A0000-0x00000000064BE000-memory.dmpFilesize
120KB
-
memory/1732-58-0x00000000055D0000-0x00000000055DC000-memory.dmpFilesize
48KB
-
memory/1732-57-0x00000000055C0000-0x00000000055CA000-memory.dmpFilesize
40KB
-
memory/1732-98-0x0000000006F60000-0x0000000006F8E000-memory.dmpFilesize
184KB
-
memory/1732-99-0x0000000006F90000-0x0000000006FA4000-memory.dmpFilesize
80KB
-
memory/1732-97-0x0000000006F50000-0x0000000006F5E000-memory.dmpFilesize
56KB
-
memory/1732-26-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1840-60-0x0000000005E30000-0x0000000005E4E000-memory.dmpFilesize
120KB
-
memory/1840-17-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-120-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-115-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-41-0x0000000005890000-0x0000000005BE4000-memory.dmpFilesize
3.3MB
-
memory/1840-25-0x0000000004EA0000-0x0000000004EC2000-memory.dmpFilesize
136KB
-
memory/1840-111-0x00000000074E0000-0x00000000074E8000-memory.dmpFilesize
32KB
-
memory/1840-110-0x0000000007500000-0x000000000751A000-memory.dmpFilesize
104KB
-
memory/1840-108-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-20-0x0000000004F50000-0x0000000005578000-memory.dmpFilesize
6.2MB
-
memory/1840-107-0x0000000007400000-0x0000000007414000-memory.dmpFilesize
80KB
-
memory/1840-18-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-62-0x0000000005EF0000-0x0000000005F3C000-memory.dmpFilesize
304KB
-
memory/1840-103-0x0000000007440000-0x00000000074D6000-memory.dmpFilesize
600KB
-
memory/1840-101-0x00000000071C0000-0x00000000071DA000-memory.dmpFilesize
104KB
-
memory/1840-13-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/1840-76-0x0000000070F40000-0x0000000070F8C000-memory.dmpFilesize
304KB
-
memory/1840-14-0x00000000024E0000-0x0000000002516000-memory.dmpFilesize
216KB
-
memory/3364-9-0x000000000B180000-0x000000000B21C000-memory.dmpFilesize
624KB
-
memory/3364-16-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/3364-30-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/3364-1-0x0000000000E60000-0x0000000000F36000-memory.dmpFilesize
856KB
-
memory/3364-10-0x0000000074EDE000-0x0000000074EDF000-memory.dmpFilesize
4KB
-
memory/3364-2-0x0000000005F20000-0x00000000064C4000-memory.dmpFilesize
5.6MB
-
memory/3364-8-0x00000000089F0000-0x0000000008A6C000-memory.dmpFilesize
496KB
-
memory/3364-7-0x0000000008680000-0x0000000008690000-memory.dmpFilesize
64KB
-
memory/3364-6-0x00000000086B0000-0x00000000086CA000-memory.dmpFilesize
104KB
-
memory/3364-5-0x0000000005940000-0x000000000594A000-memory.dmpFilesize
40KB
-
memory/3364-4-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/3364-3-0x0000000005970000-0x0000000005A02000-memory.dmpFilesize
584KB
-
memory/3364-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmpFilesize
4KB
-
memory/4588-65-0x0000000070F40000-0x0000000070F8C000-memory.dmpFilesize
304KB
-
memory/4588-109-0x0000000007620000-0x000000000763A000-memory.dmpFilesize
104KB
-
memory/4588-64-0x0000000006500000-0x0000000006532000-memory.dmpFilesize
200KB
-
memory/4588-104-0x0000000007460000-0x0000000007471000-memory.dmpFilesize
68KB
-
memory/4588-106-0x00000000075B0000-0x00000000075BE000-memory.dmpFilesize
56KB
-
memory/4588-100-0x00000000078F0000-0x0000000007F6A000-memory.dmpFilesize
6.5MB
-
memory/4588-21-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/4588-102-0x00000000072B0000-0x00000000072BA000-memory.dmpFilesize
40KB
-
memory/4588-22-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/4588-23-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB
-
memory/4588-29-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/4588-28-0x00000000058B0000-0x0000000005916000-memory.dmpFilesize
408KB
-
memory/4588-75-0x00000000064E0000-0x00000000064FE000-memory.dmpFilesize
120KB
-
memory/4588-86-0x00000000071C0000-0x0000000007263000-memory.dmpFilesize
652KB
-
memory/4588-119-0x0000000074ED0000-0x0000000075680000-memory.dmpFilesize
7.7MB