Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2022 11:26
Static task
static1
Behavioral task
behavioral1
Sample
SCAN_CAD-SPECIFICATION-11221001080.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
SCAN_CAD-SPECIFICATION-11221001080.exe
Resource
win10v2004-20220812-en
General
-
Target
SCAN_CAD-SPECIFICATION-11221001080.exe
-
Size
2.1MB
-
MD5
687af17193137f3da6ad493b3d677cbe
-
SHA1
cc35986e6eafa161506678a5f2d485ab1850cf6c
-
SHA256
28ea23168f0631c5c39cb104a4bc37b521df2dcf03789b5aaba23eebf322ec56
-
SHA512
e83047da80a39252e71fca47ed924af0be8b19cbd83dd374c869f882e2872326ea92a446dc77cebadeec6ba639dbcedd81c023ef4e1c24916a45610a1c0069e6
-
SSDEEP
49152:9m6JDKZNchBNQf1atM5eDsI+JT9/4Czs7pBiEigGo9jzTQp:9NJgcV+R9/4CzY7iX7o9jzTQ
Malware Config
Extracted
remcos
PeterObi2023
76.8.53.133:1198
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
sdfge.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
fghoiuytr.dat
-
keylog_flag
false
-
mouse_option
false
-
mutex
fghjcvbn-UURPOS
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
dfghrtyu
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
IYKE
76.8.53.133:1198
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
explorer.exe
-
copy_folder
machines
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
12345MEEE
-
mouse_option
false
-
mutex
12345MEEE-NS9UK1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
explorer
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
warzonerat
76.8.53.133:1198
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe warzonerat C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe warzonerat -
Executes dropped EXE 5 IoCs
Processes:
My Nigga.exeiyke remcos.exewarzone rawfile new.exeexplorer.exeexplorer.exepid process 4348 My Nigga.exe 4172 iyke remcos.exe 1028 warzone rawfile new.exe 1600 explorer.exe 4972 explorer.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
iyke remcos.exeMy Nigga.exeWScript.exeWScript.exeSCAN_CAD-SPECIFICATION-11221001080.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation iyke remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation My Nigga.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation SCAN_CAD-SPECIFICATION-11221001080.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
explorer.exeMy Nigga.exeiyke remcos.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\"" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ My Nigga.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\"" My Nigga.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ iyke remcos.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\"" iyke remcos.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SCAN_CAD-SPECIFICATION-11221001080.exedescription pid process target process PID 1964 set thread context of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
iyke remcos.exeMy Nigga.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings iyke remcos.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings My Nigga.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
SCAN_CAD-SPECIFICATION-11221001080.exepowershell.exepid process 1964 SCAN_CAD-SPECIFICATION-11221001080.exe 1964 SCAN_CAD-SPECIFICATION-11221001080.exe 1964 SCAN_CAD-SPECIFICATION-11221001080.exe 1964 SCAN_CAD-SPECIFICATION-11221001080.exe 1264 powershell.exe 1264 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SCAN_CAD-SPECIFICATION-11221001080.exepowershell.exedescription pid process Token: SeDebugPrivilege 1964 SCAN_CAD-SPECIFICATION-11221001080.exe Token: SeDebugPrivilege 1264 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
explorer.exepid process 1600 explorer.exe -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
SCAN_CAD-SPECIFICATION-11221001080.exeSCAN_CAD-SPECIFICATION-11221001080.exeiyke remcos.exeMy Nigga.exeWScript.exeWScript.exewarzone rawfile new.execmd.execmd.exedescription pid process target process PID 1964 wrote to memory of 4132 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 4132 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 4132 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 4540 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 4540 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 4540 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 1964 wrote to memory of 388 1964 SCAN_CAD-SPECIFICATION-11221001080.exe SCAN_CAD-SPECIFICATION-11221001080.exe PID 388 wrote to memory of 4348 388 SCAN_CAD-SPECIFICATION-11221001080.exe My Nigga.exe PID 388 wrote to memory of 4348 388 SCAN_CAD-SPECIFICATION-11221001080.exe My Nigga.exe PID 388 wrote to memory of 4348 388 SCAN_CAD-SPECIFICATION-11221001080.exe My Nigga.exe PID 388 wrote to memory of 4172 388 SCAN_CAD-SPECIFICATION-11221001080.exe iyke remcos.exe PID 388 wrote to memory of 4172 388 SCAN_CAD-SPECIFICATION-11221001080.exe iyke remcos.exe PID 388 wrote to memory of 4172 388 SCAN_CAD-SPECIFICATION-11221001080.exe iyke remcos.exe PID 388 wrote to memory of 1028 388 SCAN_CAD-SPECIFICATION-11221001080.exe warzone rawfile new.exe PID 388 wrote to memory of 1028 388 SCAN_CAD-SPECIFICATION-11221001080.exe warzone rawfile new.exe PID 388 wrote to memory of 1028 388 SCAN_CAD-SPECIFICATION-11221001080.exe warzone rawfile new.exe PID 4172 wrote to memory of 3756 4172 iyke remcos.exe WScript.exe PID 4172 wrote to memory of 3756 4172 iyke remcos.exe WScript.exe PID 4172 wrote to memory of 3756 4172 iyke remcos.exe WScript.exe PID 4348 wrote to memory of 3952 4348 My Nigga.exe WScript.exe PID 4348 wrote to memory of 3952 4348 My Nigga.exe WScript.exe PID 4348 wrote to memory of 3952 4348 My Nigga.exe WScript.exe PID 3952 wrote to memory of 1228 3952 WScript.exe cmd.exe PID 3952 wrote to memory of 1228 3952 WScript.exe cmd.exe PID 3952 wrote to memory of 1228 3952 WScript.exe cmd.exe PID 3756 wrote to memory of 1120 3756 WScript.exe cmd.exe PID 3756 wrote to memory of 1120 3756 WScript.exe cmd.exe PID 3756 wrote to memory of 1120 3756 WScript.exe cmd.exe PID 1028 wrote to memory of 1264 1028 warzone rawfile new.exe powershell.exe PID 1028 wrote to memory of 1264 1028 warzone rawfile new.exe powershell.exe PID 1028 wrote to memory of 1264 1028 warzone rawfile new.exe powershell.exe PID 1028 wrote to memory of 4344 1028 warzone rawfile new.exe cmd.exe PID 1028 wrote to memory of 4344 1028 warzone rawfile new.exe cmd.exe PID 1028 wrote to memory of 4344 1028 warzone rawfile new.exe cmd.exe PID 1120 wrote to memory of 1600 1120 cmd.exe explorer.exe PID 1120 wrote to memory of 1600 1120 cmd.exe explorer.exe PID 1120 wrote to memory of 1600 1120 cmd.exe explorer.exe PID 1228 wrote to memory of 4972 1228 cmd.exe explorer.exe PID 1228 wrote to memory of 4972 1228 cmd.exe explorer.exe PID 1228 wrote to memory of 4972 1228 cmd.exe explorer.exe PID 1028 wrote to memory of 4344 1028 warzone rawfile new.exe cmd.exe PID 1028 wrote to memory of 4344 1028 warzone rawfile new.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\machines\explorer.exeC:\ProgramData\machines\explorer.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\machines\explorer.exeC:\ProgramData\machines\explorer.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SCAN_CAD-SPECIFICATION-11221001080.exe.logFilesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
C:\Users\Admin\AppData\Local\Temp\install.vbsFilesize
394B
MD506c791067d2932c95dd3677d2384841e
SHA1715003b9d13baa70e501982796d367792c1addfa
SHA256cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49
SHA51220a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea
-
C:\Users\Admin\AppData\Local\Temp\install.vbsFilesize
394B
MD506c791067d2932c95dd3677d2384841e
SHA1715003b9d13baa70e501982796d367792c1addfa
SHA256cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49
SHA51220a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exeFilesize
113KB
MD57aa7c2c90371cf809dac01092c13d63e
SHA15a41e80d24d965f039fca837ecdd6322ca673d4e
SHA256ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602
SHA512dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f
-
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exeFilesize
113KB
MD57aa7c2c90371cf809dac01092c13d63e
SHA15a41e80d24d965f039fca837ecdd6322ca673d4e
SHA256ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602
SHA512dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f
-
memory/388-140-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/388-139-0x0000000000000000-mapping.dmp
-
memory/1028-149-0x0000000000000000-mapping.dmp
-
memory/1120-156-0x0000000000000000-mapping.dmp
-
memory/1228-155-0x0000000000000000-mapping.dmp
-
memory/1264-165-0x0000000005090000-0x00000000056B8000-memory.dmpFilesize
6.2MB
-
memory/1264-178-0x0000000007450000-0x000000000745E000-memory.dmpFilesize
56KB
-
memory/1264-179-0x0000000007560000-0x000000000757A000-memory.dmpFilesize
104KB
-
memory/1264-164-0x00000000048F0000-0x0000000004926000-memory.dmpFilesize
216KB
-
memory/1264-177-0x0000000007490000-0x0000000007526000-memory.dmpFilesize
600KB
-
memory/1264-176-0x0000000007280000-0x000000000728A000-memory.dmpFilesize
40KB
-
memory/1264-175-0x0000000007210000-0x000000000722A000-memory.dmpFilesize
104KB
-
memory/1264-174-0x0000000007860000-0x0000000007EDA000-memory.dmpFilesize
6.5MB
-
memory/1264-157-0x0000000000000000-mapping.dmp
-
memory/1264-173-0x0000000006420000-0x000000000643E000-memory.dmpFilesize
120KB
-
memory/1264-172-0x0000000071080000-0x00000000710CC000-memory.dmpFilesize
304KB
-
memory/1264-171-0x0000000006440000-0x0000000006472000-memory.dmpFilesize
200KB
-
memory/1264-170-0x0000000005E90000-0x0000000005EAE000-memory.dmpFilesize
120KB
-
memory/1264-168-0x00000000058A0000-0x0000000005906000-memory.dmpFilesize
408KB
-
memory/1264-180-0x0000000007540000-0x0000000007548000-memory.dmpFilesize
32KB
-
memory/1264-167-0x00000000057C0000-0x0000000005826000-memory.dmpFilesize
408KB
-
memory/1264-166-0x0000000004FC0000-0x0000000004FE2000-memory.dmpFilesize
136KB
-
memory/1600-159-0x0000000000000000-mapping.dmp
-
memory/1964-133-0x00000000050F0000-0x0000000005694000-memory.dmpFilesize
5.6MB
-
memory/1964-134-0x0000000004BF0000-0x0000000004C82000-memory.dmpFilesize
584KB
-
memory/1964-136-0x0000000008E40000-0x0000000008EDC000-memory.dmpFilesize
624KB
-
memory/1964-135-0x0000000004CA0000-0x0000000004CAA000-memory.dmpFilesize
40KB
-
memory/1964-132-0x0000000000030000-0x0000000000248000-memory.dmpFilesize
2.1MB
-
memory/3756-153-0x0000000000000000-mapping.dmp
-
memory/3952-154-0x0000000000000000-mapping.dmp
-
memory/4132-137-0x0000000000000000-mapping.dmp
-
memory/4172-145-0x0000000000000000-mapping.dmp
-
memory/4344-169-0x0000000001380000-0x0000000001381000-memory.dmpFilesize
4KB
-
memory/4344-158-0x0000000000000000-mapping.dmp
-
memory/4348-142-0x0000000000000000-mapping.dmp
-
memory/4540-138-0x0000000000000000-mapping.dmp
-
memory/4972-162-0x0000000000000000-mapping.dmp