Analysis
-
max time kernel
151s -
max time network
141s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
04-12-2021 04:59
General
-
Target
4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded.exe
-
Size
251KB
-
MD5
35cc2057342197542eedfe1eec4469bb
-
SHA1
089a57bd193c0c5076081d86ea979effc8ed2478
-
SHA256
4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
-
SHA512
842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Extracted
remcos
3.3.2 Pro
J3J3-US
kent0mushinec0n3t.casacam.net:32095
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Pin.exe
-
copy_folder
J3J3-US
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
J3J3-US
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-TFIQE4
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
J3J3-US
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Extracted
raccoon
1.8.3-hotfix
b620be4c85b4051a92040003edbc322be4eb082d
-
url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded.exe"C:\Users\Admin\AppData\Local\Temp\4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded.exe"C:\Users\Admin\AppData\Local\Temp\4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3285.exeC:\Users\Admin\AppData\Local\Temp\3285.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3285.exeC:\Users\Admin\AppData\Local\Temp\3285.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\418A.exeC:\Users\Admin\AppData\Local\Temp\418A.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 4762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9A0B.exeC:\Users\Admin\AppData\Local\Temp\9A0B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9A0B.exeC:\Users\Admin\AppData\Local\Temp\9A0B.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 9083⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\A23A.exeC:\Users\Admin\AppData\Local\Temp\A23A.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\A6DF.exeC:\Users\Admin\AppData\Local\Temp\A6DF.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 6282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 9802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 10602⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 9802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 10922⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 11362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 10522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exeC:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7045⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7725⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 8005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 6805⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 8325⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7965⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 8885⤵
- Program crash
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 9285⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 9965⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 10085⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 10525⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11965⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 12845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11885⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 12845⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\BAF4.exeC:\Users\Admin\AppData\Local\Temp\BAF4.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C853.exeC:\Users\Admin\AppData\Local\Temp\C853.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3285.exeMD5
35cc2057342197542eedfe1eec4469bb
SHA1089a57bd193c0c5076081d86ea979effc8ed2478
SHA2564735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
SHA512842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60
-
C:\Users\Admin\AppData\Local\Temp\3285.exeMD5
35cc2057342197542eedfe1eec4469bb
SHA1089a57bd193c0c5076081d86ea979effc8ed2478
SHA2564735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
SHA512842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60
-
C:\Users\Admin\AppData\Local\Temp\3285.exeMD5
35cc2057342197542eedfe1eec4469bb
SHA1089a57bd193c0c5076081d86ea979effc8ed2478
SHA2564735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
SHA512842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60
-
C:\Users\Admin\AppData\Local\Temp\418A.exeMD5
df13fac0d8b182e4d8b9a02ba87a9571
SHA1b2187debc6fde96e08d5014ce4f1af5cf568bce5
SHA256af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
SHA512bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816
-
C:\Users\Admin\AppData\Local\Temp\418A.exeMD5
df13fac0d8b182e4d8b9a02ba87a9571
SHA1b2187debc6fde96e08d5014ce4f1af5cf568bce5
SHA256af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
SHA512bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816
-
C:\Users\Admin\AppData\Local\Temp\9A0B.exeMD5
61a3807e15231687f38358e3ae6b670c
SHA1b577ef08f60b55811aa5b8b93e5b3755b899115f
SHA25656283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
SHA5128dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4
-
C:\Users\Admin\AppData\Local\Temp\9A0B.exeMD5
61a3807e15231687f38358e3ae6b670c
SHA1b577ef08f60b55811aa5b8b93e5b3755b899115f
SHA25656283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
SHA5128dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4
-
C:\Users\Admin\AppData\Local\Temp\9A0B.exeMD5
61a3807e15231687f38358e3ae6b670c
SHA1b577ef08f60b55811aa5b8b93e5b3755b899115f
SHA25656283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
SHA5128dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4
-
C:\Users\Admin\AppData\Local\Temp\A23A.exeMD5
4df0d4be3b3abb5ca237d11013411885
SHA17b9376e633769eb52a70ec887143826f924f6fee
SHA2562cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813
SHA51214e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7
-
C:\Users\Admin\AppData\Local\Temp\A23A.exeMD5
4df0d4be3b3abb5ca237d11013411885
SHA17b9376e633769eb52a70ec887143826f924f6fee
SHA2562cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813
SHA51214e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7
-
C:\Users\Admin\AppData\Local\Temp\A6DF.exeMD5
6f78f5cf377470fc449263eaf2231dac
SHA1067211e73b880a6a7c9c01ac2c309ea49579ad1f
SHA2562fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9
SHA512cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c
-
C:\Users\Admin\AppData\Local\Temp\A6DF.exeMD5
6f78f5cf377470fc449263eaf2231dac
SHA1067211e73b880a6a7c9c01ac2c309ea49579ad1f
SHA2562fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9
SHA512cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c
-
C:\Users\Admin\AppData\Local\Temp\BAF4.exeMD5
4d96f213bfbba34ffba4986724d3a99c
SHA1b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526
SHA256f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7
SHA5124e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937
-
C:\Users\Admin\AppData\Local\Temp\BAF4.exeMD5
4d96f213bfbba34ffba4986724d3a99c
SHA1b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526
SHA256f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7
SHA5124e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937
-
C:\Users\Admin\AppData\Local\Temp\C853.exeMD5
40f480638f2e8462929a662217a64c5b
SHA1e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e
SHA2564602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60
SHA512da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365
-
C:\Users\Admin\AppData\Local\Temp\C853.exeMD5
40f480638f2e8462929a662217a64c5b
SHA1e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e
SHA2564602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60
SHA512da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365
-
C:\Users\Admin\AppData\Local\Temp\install.vbsMD5
c695cbd66dd11571be3ac1fe7c3ed743
SHA19892a72492f598e3f020861134a09594f1623461
SHA256730683c46165e37901272b7857015e14ce97f3da4bd90c8b31da100a38965813
SHA51230a59cf5a63cf5a246310fd8728d0c4a660c5975d70c102b9366478408329919cc6ce81f3fe25aa243e7fb94f5c127b85c89e444558c649ba19d1d83ef2e4ea6
-
C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exeMD5
6f78f5cf377470fc449263eaf2231dac
SHA1067211e73b880a6a7c9c01ac2c309ea49579ad1f
SHA2562fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9
SHA512cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c
-
C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exeMD5
6f78f5cf377470fc449263eaf2231dac
SHA1067211e73b880a6a7c9c01ac2c309ea49579ad1f
SHA2562fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9
SHA512cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c
-
memory/452-120-0x0000000000000000-mapping.dmp
-
memory/452-127-0x0000000000540000-0x000000000068A000-memory.dmpFilesize
1.3MB
-
memory/640-258-0x0000000000400000-0x0000000000504000-memory.dmpFilesize
1.0MB
-
memory/640-257-0x0000000000840000-0x00000000008EE000-memory.dmpFilesize
696KB
-
memory/640-253-0x0000000000400000-0x0000000000504000-memory.dmpFilesize
1.0MB
-
memory/640-256-0x0000000002F13000-0x0000000002F57000-memory.dmpFilesize
272KB
-
memory/640-250-0x000000000044D470-mapping.dmp
-
memory/892-118-0x0000000000402F47-mapping.dmp
-
memory/892-117-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/908-162-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/908-163-0x0000000071EB0000-0x0000000071EFB000-memory.dmpFilesize
300KB
-
memory/908-213-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/908-150-0x0000000072910000-0x0000000072990000-memory.dmpFilesize
512KB
-
memory/908-146-0x0000000074580000-0x0000000074671000-memory.dmpFilesize
964KB
-
memory/908-145-0x0000000001270000-0x0000000001271000-memory.dmpFilesize
4KB
-
memory/908-153-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/908-154-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/908-155-0x0000000005940000-0x0000000005941000-memory.dmpFilesize
4KB
-
memory/908-156-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/908-157-0x0000000074680000-0x0000000074C04000-memory.dmpFilesize
5.5MB
-
memory/908-159-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/908-144-0x0000000003020000-0x0000000003063000-memory.dmpFilesize
268KB
-
memory/908-158-0x0000000075720000-0x0000000076A68000-memory.dmpFilesize
19.3MB
-
memory/908-216-0x0000000005CC0000-0x0000000005CC1000-memory.dmpFilesize
4KB
-
memory/908-147-0x0000000001360000-0x0000000001361000-memory.dmpFilesize
4KB
-
memory/908-143-0x0000000074DC0000-0x0000000074F82000-memory.dmpFilesize
1.8MB
-
memory/908-142-0x0000000001250000-0x0000000001251000-memory.dmpFilesize
4KB
-
memory/908-141-0x0000000001360000-0x00000000014D5000-memory.dmpFilesize
1.5MB
-
memory/908-138-0x0000000000000000-mapping.dmp
-
memory/908-220-0x00000000067F0000-0x00000000067F1000-memory.dmpFilesize
4KB
-
memory/908-219-0x0000000005CA0000-0x0000000005CA1000-memory.dmpFilesize
4KB
-
memory/908-217-0x0000000006A60000-0x0000000006A61000-memory.dmpFilesize
4KB
-
memory/1008-191-0x0000000000400000-0x0000000000504000-memory.dmpFilesize
1.0MB
-
memory/1008-149-0x0000000000000000-mapping.dmp
-
memory/1008-190-0x0000000000510000-0x0000000000585000-memory.dmpFilesize
468KB
-
memory/1080-132-0x0000000004750000-0x0000000004759000-memory.dmpFilesize
36KB
-
memory/1080-133-0x0000000000400000-0x0000000002B64000-memory.dmpFilesize
39.4MB
-
memory/1080-131-0x0000000004740000-0x0000000004749000-memory.dmpFilesize
36KB
-
memory/1080-128-0x0000000000000000-mapping.dmp
-
memory/1516-209-0x0000000075720000-0x0000000076A68000-memory.dmpFilesize
19.3MB
-
memory/1516-199-0x0000000000C70000-0x0000000000CB3000-memory.dmpFilesize
268KB
-
memory/1516-212-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/1516-211-0x0000000071EB0000-0x0000000071EFB000-memory.dmpFilesize
300KB
-
memory/1516-208-0x0000000074680000-0x0000000074C04000-memory.dmpFilesize
5.5MB
-
memory/1516-203-0x0000000072910000-0x0000000072990000-memory.dmpFilesize
512KB
-
memory/1516-197-0x0000000074DC0000-0x0000000074F82000-memory.dmpFilesize
1.8MB
-
memory/1516-202-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/1516-192-0x0000000000000000-mapping.dmp
-
memory/1516-195-0x0000000000FE0000-0x00000000010F0000-memory.dmpFilesize
1.1MB
-
memory/1516-196-0x0000000000430000-0x0000000000431000-memory.dmpFilesize
4KB
-
memory/1516-200-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/1516-198-0x0000000074580000-0x0000000074671000-memory.dmpFilesize
964KB
-
memory/1532-160-0x0000000000751000-0x00000000007B7000-memory.dmpFilesize
408KB
-
memory/1532-135-0x0000000000000000-mapping.dmp
-
memory/1532-164-0x0000000000840000-0x00000000008CF000-memory.dmpFilesize
572KB
-
memory/2344-165-0x0000000000456A80-mapping.dmp
-
memory/2344-221-0x0000000000400000-0x0000000003269000-memory.dmpFilesize
46.4MB
-
memory/2344-167-0x0000000000400000-0x0000000003269000-memory.dmpFilesize
46.4MB
-
memory/2344-161-0x0000000000400000-0x0000000003269000-memory.dmpFilesize
46.4MB
-
memory/2344-215-0x0000000000400000-0x0000000003269000-memory.dmpFilesize
46.4MB
-
memory/2344-218-0x0000000004EA0000-0x0000000004F2F000-memory.dmpFilesize
572KB
-
memory/2548-125-0x0000000000402F47-mapping.dmp
-
memory/2568-119-0x0000000001140000-0x0000000001156000-memory.dmpFilesize
88KB
-
memory/2568-134-0x0000000002F10000-0x0000000002F26000-memory.dmpFilesize
88KB
-
memory/3204-229-0x0000000000000000-mapping.dmp
-
memory/3404-222-0x0000000000000000-mapping.dmp
-
memory/3876-231-0x0000000000000000-mapping.dmp
-
memory/3876-248-0x0000000000400000-0x0000000000504000-memory.dmpFilesize
1.0MB
-
memory/4064-173-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/4064-234-0x000000000AB90000-0x000000000AB91000-memory.dmpFilesize
4KB
-
memory/4064-172-0x00000000013B0000-0x0000000001518000-memory.dmpFilesize
1.4MB
-
memory/4064-171-0x0000000001520000-0x0000000001567000-memory.dmpFilesize
284KB
-
memory/4064-183-0x0000000001370000-0x0000000001371000-memory.dmpFilesize
4KB
-
memory/4064-230-0x000000000A250000-0x000000000A251000-memory.dmpFilesize
4KB
-
memory/4064-186-0x0000000074680000-0x0000000074C04000-memory.dmpFilesize
5.5MB
-
memory/4064-174-0x0000000074DC0000-0x0000000074F82000-memory.dmpFilesize
1.8MB
-
memory/4064-175-0x0000000074580000-0x0000000074671000-memory.dmpFilesize
964KB
-
memory/4064-168-0x0000000000000000-mapping.dmp
-
memory/4064-236-0x000000000B290000-0x000000000B291000-memory.dmpFilesize
4KB
-
memory/4064-176-0x00000000013B0000-0x00000000013B1000-memory.dmpFilesize
4KB
-
memory/4064-178-0x0000000072910000-0x0000000072990000-memory.dmpFilesize
512KB
-
memory/4064-189-0x0000000071EB0000-0x0000000071EFB000-memory.dmpFilesize
300KB
-
memory/4064-187-0x0000000075720000-0x0000000076A68000-memory.dmpFilesize
19.3MB
-
memory/4064-184-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/4092-116-0x00000000004F0000-0x000000000059E000-memory.dmpFilesize
696KB