Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows7_x64
-
resource
win7-en-20211014
-
submitted
20-11-2021 09:56
Static task
static1
Behavioral task
behavioral1
Sample
2a0ecd6047ac3e929413c9dc65fd9550.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
2a0ecd6047ac3e929413c9dc65fd9550.exe
Resource
win10-en-20211104
General
-
Target
2a0ecd6047ac3e929413c9dc65fd9550.exe
-
Size
278KB
-
MD5
2a0ecd6047ac3e929413c9dc65fd9550
-
SHA1
cab43b6a7d163a16b052bde9ad9392fa7fe1809e
-
SHA256
77a56e7215c37931be8cb84232306667ec719336e2ae38fb75ed30bc39c303b9
-
SHA512
03ea28406bc08b13d283bbe8510d52ef8ddf5d5773038805c77b24d52fd61d745cd21739fb9780559845a47b9746f8a19b4c1a19d6a470f93dfabcc85c681f96
Malware Config
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
tofsee
quadoil.ru
lakeflex.ru
Extracted
redline
185.159.80.90:38637
Extracted
raccoon
1.8.3-hotfix
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
-
url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1960-100-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1960-101-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1960-102-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1960-103-0x0000000000418EEA-mapping.dmp  family_redline
behavioral1/memory/1960-105-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
CE09.exe DCAA.exe CE09.exe EBF6.exe lvanupod.exe 448.exe EBF6.exe
pid  process
1380  CE09.exe
1140  DCAA.exe
660  CE09.exe
832  EBF6.exe
592  lvanupod.exe
1036  448.exe
1960  EBF6.exe
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
Processes:
pid  process
1200
-
Loads dropped DLL 2 IoCs
Processes:
CE09.exe EBF6.exe
pid  process
1380  CE09.exe
832  EBF6.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes:
svchost.exe
description  ioc  process
File created  C:\Windows\SysWOW64\config\systemprofile:.repos  svchost.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
2a0ecd6047ac3e929413c9dc65fd9550.exe CE09.exe EBF6.exe lvanupod.exe
description  pid  process  target process
PID 1584 set thread context of 1280  1584  2a0ecd6047ac3e929413c9dc65fd9550.exe  2a0ecd6047ac3e929413c9dc65fd9550.exe
PID 1380 set thread context of 660  1380  CE09.exe  CE09.exe
PID 832 set thread context of 1960  832  EBF6.exe  EBF6.exe
PID 592 set thread context of 632  592  lvanupod.exe  svchost.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
2a0ecd6047ac3e929413c9dc65fd9550.exe CE09.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2a0ecd6047ac3e929413c9dc65fd9550.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2a0ecd6047ac3e929413c9dc65fd9550.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2a0ecd6047ac3e929413c9dc65fd9550.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  CE09.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  CE09.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  CE09.exe
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
svchost.exe
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\Buses  svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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  svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2a0ecd6047ac3e929413c9dc65fd9550.exe
pid  process
1280  2a0ecd6047ac3e929413c9dc65fd9550.exe
1200
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
1200
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
2a0ecd6047ac3e929413c9dc65fd9550.exe CE09.exe
pid  process
1280  2a0ecd6047ac3e929413c9dc65fd9550.exe
660  CE09.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description  pid  process
Token: SeShutdownPrivilege  1200
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process
1200
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid  process
1200
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2a0ecd6047ac3e929413c9dc65fd9550.exe CE09.exe DCAA.exe EBF6.exe lvanupod.exe
description  pid  process  target process
PID 1584 wrote to memory of 1280  1584  2a0ecd6047ac3e929413c9dc65fd9550.exe  2a0ecd6047ac3e929413c9dc65fd9550.exe
PID 1200 wrote to memory of 1380  1200  CE09.exe
PID 1200 wrote to memory of 1140  1200  DCAA.exe
PID 1380 wrote to memory of 660  1380  CE09.exe  CE09.exe
PID 1200 wrote to memory of 832  1200  EBF6.exe
PID 1140 wrote to memory of 1740  1140  DCAA.exe  cmd.exe
PID 1140 wrote to memory of 2040  1140  DCAA.exe  cmd.exe
PID 1140 wrote to memory of 928  1140  DCAA.exe  sc.exe
PID 1140 wrote to memory of 1792  1140  DCAA.exe  sc.exe
PID 832 wrote to memory of 1960  832  EBF6.exe  EBF6.exe
PID 1140 wrote to memory of 1944  1140  DCAA.exe  sc.exe
PID 1140 wrote to memory of 1056  1140  DCAA.exe  netsh.exe
PID 1200 wrote to memory of 1036  1200  448.exe
PID 592 wrote to memory of 632  592  lvanupod.exe  svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe "C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe "C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe" 2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CE09.exe C:\Users\Admin\AppData\Local\Temp\CE09.exe 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CE09.exe C:\Users\Admin\AppData\Local\Temp\CE09.exe 2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DCAA.exe C:\Users\Admin\AppData\Local\Temp\DCAA.exe 1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nufhbrxj\ 2⤵
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lvanupod.exe" C:\Windows\SysWOW64\nufhbrxj\ 2⤵
-
C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create nufhbrxj binPath= "C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe /d\"C:\Users\Admin\AppData\Local\Temp\DCAA.exe\"" type= own start= auto DisplayName= "wifi support" 2⤵
-
C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description nufhbrxj "wifi internet conection" 2⤵
-
C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start nufhbrxj 2⤵
-
C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul 2⤵
-
C:\Users\Admin\AppData\Local\Temp\EBF6.exe C:\Users\Admin\AppData\Local\Temp\EBF6.exe 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EBF6.exe C:\Users\Admin\AppData\Local\Temp\EBF6.exe 2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe /d"C:\Users\Admin\AppData\Local\Temp\DCAA.exe" 1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe svchost.exe 2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\448.exe C:\Users\Admin\AppData\Local\Temp\448.exe 1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads