Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
27-02-2023 22:38
General
-
Target
winrar-611br.msi
-
Size
4.5MB
-
MD5
68ba045e1427d63d03660ef2d88584d0
-
SHA1
a3e9bd9adddf1aaaaff03cd69a7128e6fc774977
-
SHA256
e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898
-
SHA512
d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8
-
SSDEEP
98304:MYGKdAHTgvV1OsKnG5vgzfTVkdRTpRjbrvC7gEjT7A3:i81OsKG6zfTVkddpdTCRj
Malware Config
Signatures
-
Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 58 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 24 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\winrar-611br.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 45EC67E3B614F2DC771E8289A20DAA872⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssFB6F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiFAFF.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrFB00.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrFB10.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\brado\intrínseco\Hw2dom.exe"C:\brado\intrínseco\Hw2dom.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Public\Documents\AnyDesk\winrar.exe"C:\Users\Public\Documents\AnyDesk\winrar.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3556 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e56f3bd.rbsFilesize
607KB
MD5b5785644f8ec8912a025c4e40d3895dc
SHA1c06e44f13947b416dd84100f251a2d56d1174a79
SHA256f32b0455737858c5e651b63aedfd033eda5df65b82ef9c096ef3dba1ebaacd6c
SHA512aca75013fdb5730fae0943d75cd9b48fce06724819d8a3709bab840d4c889f713574f9af08cc261432dfcd0e1df38cf78ab5c9698b74829d066b5c733dc913e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_F4007F33BFDFD6A958C2A17D8DEC3C00Filesize
406B
MD50df9971d6f39e25922a1efad454700a7
SHA195a4b3b8efd53cf3a5494457e5da588526930356
SHA2561cf53c4dac61e35f674305472574e320a30f12a453b03b653261de5dc328830e
SHA51272bc662de7d9b25670af0ff1e7abe141da3dd5fc2dcb35edfdf7a96c7860f07f0f7ea69e062c86eda9523e930fa62bc982c62c65ca1d2c2d3d77bb6096913a8c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7TU9U1MB\www.winrarbrasil.com[1].xmlFilesize
261B
MD5fcdb7e6d3a6a1e7d222ec6c974f94ca1
SHA1e3396d904230076dbb8c4d13bbf3e09939758903
SHA256778679500f606c6b5f8e68b5268310235d379e34d71e1d539e5893494c7a3e2d
SHA512082c4bfdc5333747f227fd0d95b951a8de999a73855a71ad5e7af101f4b59d5165f3efe4a1afbaf563ed9874c00688e50337dffeb5257ba5c6f1f46ccf18b8fc
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFE26.tmpFilesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.datFilesize
34KB
MD5327a27380c4567dde151d69f566028a4
SHA1318b87d67da0d4c8146f4b0bd4617f48a25cfef7
SHA256d86dc6a1077ef1d7182b6bddfca92728e57d511f0324cbc3b07eec9db88c5313
SHA5121f061ffb0973f00e38f080cb97fb44c48c3fc515eae14925f8efe5e3dad4dc03fc83c4437bf36c2dae8ddbb100148a4975f3e8d7a4763eb0e222472048d5d633
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\favicon[2].icoFilesize
33KB
MD5984e9972d3255788b83feb97e1637699
SHA14e3ea948abc13299ff124dccdf4b6ac620f7af72
SHA25619833a52f3a24049c123edf49ac201e3b6cb563dfded6d2a92f9c1377ff26122
SHA5125e5fa0537eaac8a5dd0f77442064f1af620f7bb1614152b0ca477bd252b64c7495901ba8ac72fe9cc2f26f2e11fa90d1a481e92ff04925ebc84a8eb3eff9fbdf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omm44s4c.c4w.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\pssFB6F.ps1Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
C:\Users\Admin\AppData\Local\Temp\scrFB00.ps1Filesize
17KB
MD5d815da347cf3c1a260840649beb56ff7
SHA14da95ffed10e7369b685a390fe4e99a6a1e1f416
SHA256d6f001aeb36cdb8e6bbcb0d35ffe55c86ad5f942f9d0d15a089706801fdad931
SHA512ca2cd68cf615db854c7ccc6cc5c84da4a8b5f6913229c856fc343ba3e7af8563b0afcd29e9d14ca75eb4cf833102a2ea8b802629f284819bfb2630a82d61b170
-
C:\Users\Public\Documents\AnyDesk\winrar.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
C:\Users\Public\Documents\AnyDesk\winrar.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
C:\Windows\Installer\MSIF438.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF438.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF64C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF64C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF6F9.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF6F9.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF6F9.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF70A.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIF70A.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIFAE4.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\Windows\Installer\MSIFAE4.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\Windows\Installer\e56f3bb.msiFilesize
4.5MB
MD568ba045e1427d63d03660ef2d88584d0
SHA1a3e9bd9adddf1aaaaff03cd69a7128e6fc774977
SHA256e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898
SHA512d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8
-
C:\brado\intrínseco\Hw2dom.exeFilesize
9.7MB
MD52e47fc5675f96d63b11821b8f0395f17
SHA11dccc123e58d2802491602345433dcb1e723f192
SHA25674b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4
SHA5122ab1ce6c8ff45286411b95ddf8afba44e2fb8fd30d7d0feefe08b286a686bc415df2be890afc67d4513dac70ee2512f79854b5c265a4a0e9e7e86f6ab2d89273
-
C:\brado\intrínseco\Hw2dom.exeFilesize
9.7MB
MD52e47fc5675f96d63b11821b8f0395f17
SHA11dccc123e58d2802491602345433dcb1e723f192
SHA25674b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4
SHA5122ab1ce6c8ff45286411b95ddf8afba44e2fb8fd30d7d0feefe08b286a686bc415df2be890afc67d4513dac70ee2512f79854b5c265a4a0e9e7e86f6ab2d89273
-
C:\brado\intrínseco\Hw2dom.exeFilesize
9.7MB
MD52e47fc5675f96d63b11821b8f0395f17
SHA11dccc123e58d2802491602345433dcb1e723f192
SHA25674b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4
SHA5122ab1ce6c8ff45286411b95ddf8afba44e2fb8fd30d7d0feefe08b286a686bc415df2be890afc67d4513dac70ee2512f79854b5c265a4a0e9e7e86f6ab2d89273
-
C:\brado\intrínseco\Update.zipFilesize
32.9MB
MD5d546eff329671383fb1f934e80ea7435
SHA1c8e7ce1bff5870397cc6a636b73d79c4a1804da7
SHA2568a188dc28b67770cef25f9ea7312ca84f674c60c9f418eab0fedbbbffde9695c
SHA512fb2a5851b10b3d72f3f4be90d85c0b8aab4c3fb02b99802134c0618608c9a8c17df51521c28c85f7ebd6aa032a9602a44061c06fb0eb557e34557d73f8a4098b
-
C:\brado\intrínseco\windowsdumpFilesize
89.4MB
MD541aa2f4db1989e641169e9ccdf38a347
SHA1ced16950ca2e1c5d08ea87bb3034c21e6c6dd1df
SHA256573e582a98e8190dcf3b0dbe5ed86fe6e56044e948b5d5221b18052b584d5dc0
SHA5123423b722e89e4086f9ffd155b8039acd698775bf56181c23621269ca512e24e4a83c091c4ecbbf008edca0306b943c6e5b70170b51a17bf3f450c4d58d63f358
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD53e2501d645cd7f81776150972ee6e9c9
SHA1ad7d0419e955faf52a9518388ad1667bc1fc737b
SHA256b4faa400f122e1b40e7cb56335e0a3c542e0bba97196446b48fede01dc2c8c91
SHA512d40e9b6198339574709381da5cca980a76a6bca4a9d4a35a065ade1e85c0ebaadf765f94e986ec2508310323acc30d26496db903de14d5bcb34e22664a3103f5
-
\??\Volume{93c6d6f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2cee5045-b685-4013-8ca3-8c55cc3df42f}_OnDiskSnapshotPropFilesize
5KB
MD5ba49d4b94012b41819fa86a0fe5b9834
SHA1b8905615c6d874f16d061d03e645a4df3b4e6b48
SHA2566dffe736beadefaa50421acdcaae4121e471d955de0cd12b4165c9416df26741
SHA512b869b918b460326241f48a3cff6abcb757f2702f737bd11c774f53d2aa52d743d2ffe356e5f7ec62fbeb76a6b5a19fafbb568307a368f252114d48d3e52219e0
-
memory/1468-439-0x000002244BE80000-0x000002244D4F7000-memory.dmpFilesize
22.5MB
-
memory/4792-186-0x0000000005F80000-0x0000000005F9E000-memory.dmpFilesize
120KB
-
memory/4792-199-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-198-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-197-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-193-0x0000000007F70000-0x0000000008514000-memory.dmpFilesize
5.6MB
-
memory/4792-170-0x00000000049C0000-0x00000000049F6000-memory.dmpFilesize
216KB
-
memory/4792-171-0x00000000050C0000-0x00000000056E8000-memory.dmpFilesize
6.2MB
-
memory/4792-192-0x0000000006560000-0x0000000006582000-memory.dmpFilesize
136KB
-
memory/4792-172-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-191-0x0000000007270000-0x0000000007306000-memory.dmpFilesize
600KB
-
memory/4792-173-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-190-0x00000000064D0000-0x00000000064EA000-memory.dmpFilesize
104KB
-
memory/4792-189-0x00000000078F0000-0x0000000007F6A000-memory.dmpFilesize
6.5MB
-
memory/4792-188-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4792-176-0x0000000005910000-0x0000000005976000-memory.dmpFilesize
408KB
-
memory/4792-174-0x0000000004FD0000-0x0000000004FF2000-memory.dmpFilesize
136KB
-
memory/4792-175-0x00000000056F0000-0x0000000005756000-memory.dmpFilesize
408KB
-
memory/4924-361-0x0000000010A60000-0x0000000010AF4000-memory.dmpFilesize
592KB
-
memory/4924-384-0x000000000F550000-0x000000000F578000-memory.dmpFilesize
160KB
-
memory/4924-351-0x000000000E730000-0x000000000E75C000-memory.dmpFilesize
176KB
-
memory/4924-354-0x000000000E990000-0x000000000E996000-memory.dmpFilesize
24KB
-
memory/4924-355-0x000000000EB10000-0x000000000EC81000-memory.dmpFilesize
1.4MB
-
memory/4924-357-0x000000000F220000-0x000000000F29A000-memory.dmpFilesize
488KB
-
memory/4924-358-0x000000000F2A0000-0x000000000F2B7000-memory.dmpFilesize
92KB
-
memory/4924-359-0x000000000F2C0000-0x000000000F2F1000-memory.dmpFilesize
196KB
-
memory/4924-349-0x0000000002E20000-0x0000000002E28000-memory.dmpFilesize
32KB
-
memory/4924-362-0x0000000010B80000-0x0000000010BD8000-memory.dmpFilesize
352KB
-
memory/4924-360-0x000000000F300000-0x000000000F319000-memory.dmpFilesize
100KB
-
memory/4924-363-0x0000000010BE0000-0x0000000010BE6000-memory.dmpFilesize
24KB
-
memory/4924-366-0x0000000010D30000-0x0000000010D49000-memory.dmpFilesize
100KB
-
memory/4924-375-0x0000000010D50000-0x0000000010DC4000-memory.dmpFilesize
464KB
-
memory/4924-378-0x000000000F4B0000-0x000000000F4B8000-memory.dmpFilesize
32KB
-
memory/4924-381-0x000000000F4C0000-0x000000000F538000-memory.dmpFilesize
480KB
-
memory/4924-382-0x000000000F540000-0x000000000F550000-memory.dmpFilesize
64KB
-
memory/4924-350-0x000000000E700000-0x000000000E728000-memory.dmpFilesize
160KB
-
memory/4924-386-0x000000000F580000-0x000000000F5A1000-memory.dmpFilesize
132KB
-
memory/4924-388-0x000000000F5B0000-0x000000000F5CF000-memory.dmpFilesize
124KB
-
memory/4924-390-0x000000000F720000-0x000000000F728000-memory.dmpFilesize
32KB
-
memory/4924-391-0x0000000011520000-0x0000000011B4F000-memory.dmpFilesize
6.2MB
-
memory/4924-392-0x0000000011D50000-0x0000000011D82000-memory.dmpFilesize
200KB
-
memory/4924-393-0x0000000011D90000-0x0000000011F70000-memory.dmpFilesize
1.9MB
-
memory/4924-394-0x0000000011F70000-0x00000000120D5000-memory.dmpFilesize
1.4MB
-
memory/4924-348-0x000000000E570000-0x000000000E6FF000-memory.dmpFilesize
1.6MB
-
memory/4924-419-0x00000000120E0000-0x00000000121A3000-memory.dmpFilesize
780KB
-
memory/4924-427-0x00000000122F0000-0x000000001247F000-memory.dmpFilesize
1.6MB
-
memory/4924-345-0x0000000000400000-0x0000000000DC3000-memory.dmpFilesize
9.8MB
-
memory/4924-257-0x000000000E8B0000-0x000000000E8B1000-memory.dmpFilesize
4KB
-
memory/4924-255-0x0000000008BF0000-0x000000000E567000-memory.dmpFilesize
89.5MB
-
memory/4924-515-0x000000000E8B0000-0x000000000E8B1000-memory.dmpFilesize
4KB
-
memory/4924-253-0x0000000002DF0000-0x0000000002DF1000-memory.dmpFilesize
4KB
-
memory/4924-252-0x0000000002D80000-0x0000000002D81000-memory.dmpFilesize
4KB