Analysis
- max time kernel: 150s
- max time network: 104s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 21-05-2022 14:01
Static task: static1
Behavioral task: behavioral1
Sample: 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
Resource: win10-20220414-en
General
- Target: 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
- Size: 304KB
- MD5: 1044868882af2d4362480dcf0c918c3b
- SHA1: 277439cf62cdfedb2bdd03eeb04868b812556aa2
- SHA256: 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea
- SHA512: d504e11382f7d84a593e73826489ba56b706e59ab75ac559e35ddacfca6f1e187729adf1c0349ff4c5414200effe2d2b9368b43afef25062cd8d86c1e1c73155
Malware Config
Extracted
smokeloader
2020
Extracted
redline
1
45.10.43.167:26696
- auth_value: 3a70a3e2f548aaf61e05be9e4cadc7c1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule
behavioral1/memory/5048-341-0x0000000001170000-0x0000000001692000-memory.dmp family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 6 IoCs
Processes:
pid process
3832 8666.exe
4928 7z.exe
2148 7z.exe
1736 7z.exe
4960 7z.exe
5048 benbenben.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion benbenben.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion benbenben.exe
-
Deletes itself 1 IoCs
Processes:
pid process
2652
-
Loads dropped DLL 4 IoCs
Processes:
pid process
4928 7z.exe
2148 7z.exe
1736 7z.exe
4960 7z.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA benbenben.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1920 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
2652
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2652
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid process
1920 05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
2652
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 2652
Token: SeCreatePagefilePrivilege 2652
Token: SeRestorePrivilege 4928 7z.exe
Token: 35 4928 7z.exe
Token: SeSecurityPrivilege 4928 7z.exe
Token: SeRestorePrivilege 2148 7z.exe
Token: 35 2148 7z.exe
Token: SeSecurityPrivilege 2148 7z.exe
Token: SeRestorePrivilege 1736 7z.exe
Token: 35 1736 7z.exe
Token: SeSecurityPrivilege 1736 7z.exe
Token: SeRestorePrivilege 4960 7z.exe
Token: 35 4960 7z.exe
Token: SeSecurityPrivilege 4960 7z.exe
Token: SeDebugPrivilege 5048 benbenben.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description pid process target process
PID 2652 wrote to memory of 3832 2652 8666.exe
PID 2652 wrote to memory of 3580 2652 explorer.exe
PID 2652 wrote to memory of 4708 2652 explorer.exe
PID 3832 wrote to memory of 4676 3832 8666.exe cmd.exe
PID 4676 wrote to memory of 4916 4676 cmd.exe mode.com
PID 4676 wrote to memory of 4928 4676 cmd.exe 7z.exe
PID 4676 wrote to memory of 2148 4676 cmd.exe 7z.exe
PID 4676 wrote to memory of 1736 4676 cmd.exe 7z.exe
PID 4676 wrote to memory of 4960 4676 cmd.exe 7z.exe
PID 4676 wrote to memory of 5036 4676 cmd.exe attrib.exe
PID 4676 wrote to memory of 5048 4676 cmd.exe benbenben.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
Processes:
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
outlook_win_path 1 IoCs
Processes:
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe
"C:\Users\Admin\AppData\Local\Temp\05434e326da912f5c6e1bb50a767d6dd16b27ff407b007cafd7d96d0daac1eea.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\8666.exe
C:\Users\Admin\AppData\Local\Temp\8666.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\mode.com
    mode 65,10
    -
    C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p283462270827100258722140325330 -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\attrib.exe
    attrib +H "benbenben.exe"
    - Views/modifies file attributes
    -
    C:\Users\Admin\AppData\Local\Temp\main\benbenben.exe
    "benbenben.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8666.exe
Filesize: 3.9MB
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize: 1.6MB
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize: 458KB
-
C:\Users\Admin\AppData\Local\Temp\main\benbenben.exe
Filesize: 1.5MB
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize: 2.0MB
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\benbenben.exe
Filesize: 1.5MB
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize: 1.5MB
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize: 1.5MB
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize: 3.0MB
-
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize: 3.0MB
-
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize: 476B
-
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize: 1.6MB