Analysis
-
max time kernel
147s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
15-03-2023 17:41
General
-
Target
Solicitud de Cotización (Ulatina) 15-03-23·pd.exe
-
Size
267KB
-
MD5
4dbe71a4ca0eaea634ec73b4a82d32a9
-
SHA1
48ba9c1be52988de95bf1a2597fd573f96892895
-
SHA256
3abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
-
SHA512
5f157e987b2c2b25a2d66e49dcc583220da474bd8756b6ea8d206ebeb99e994a02f98800a081a750b885b576f20204b89b8632de956bf0d8cec9d5785c6fcd70
-
SSDEEP
6144:GDOmbbC0309OSXjr2Z2UCEVSOuzAtf/QZv3z9jnnOldiUf:4bZ309//2HCEVNuzaf/QZvj1nki
Malware Config
Extracted
warzonerat
dnmpbczm0963fxtdplc.duckdns.org:5689
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Checks QEMU agent file 2 TTPs 4 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 4 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
NSIS installer 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solicitud de Cotización (Ulatina) 15-03-23·pd.exe"C:\Users\Admin\AppData\Local\Temp\Solicitud de Cotización (Ulatina) 15-03-23·pd.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Solicitud de Cotización (Ulatina) 15-03-23·pd.exe"C:\Users\Admin\AppData\Local\Temp\Solicitud de Cotización (Ulatina) 15-03-23·pd.exe"2⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Windows.exe"C:\Users\Admin\Documents\Windows.exe"3⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Windows.exe"C:\Users\Admin\Documents\Windows.exe"4⤵
- Sets DLL path for service in the registry
- Checks QEMU agent file
- Checks computer location settings
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=33896⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 3966⤵
- Program crash
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3952 -ip 39521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft DN1\sqlmap.dllFilesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5d4ccf82269b1f99499622edacf84d5ce
SHA11454dc3c450b85b34c151ddacd93615b940f2c07
SHA256a40962bd1a9e00f869615fb13b660e00443c90958bbc4ac77b567865239779c3
SHA512eac0b2f13f2a63832bdfe154787e5221903713d9d8f8ea073d18f875c007c4f52fc33290aa260f1863beb6d667745ba02174c08689fce158a99fb3b78203e736
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E32DA5C2498E8CF7649760B1F24B32AFFilesize
471B
MD5f404c86bd5c34759a2d966fd219cbf2e
SHA1323a73895f6345d7e5b80fa9092fba269797ad94
SHA256332b2a32eb2fa8fdbd424442f4618cc5902110099e65cf06ed9fd7e3ef0638dd
SHA5122819708bf17d2378ec7e86c177307d4d02db421bd78154af54b324f436ceb2d4f96540373095c7e220081e2684c94d0436c988ff19e889736980766056b8c21e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_75B7C74DAC2A7692FAD0A4B72A918B03Filesize
471B
MD5ad8c85c44804fefc0a7bb63fc0e67734
SHA143492fc02c98b775a4aefbf88b62b99d844f2fe5
SHA25699085ce1c4abe0d7361b2cfba610aff4b2b0e97b6ae6dd6c9734d8366afe0665
SHA512483462e24068170a79e403920064a994ad4977965fb561748cae942d1bf2020ac8696412893d33eeb89b1623477a67d5b6f418e4b8f5fb91035835000920876c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5d6ca8137f8e3e5af869c69a26528a8e0
SHA18db376fee8b1f35e7a52d44567ef13391307cabb
SHA256a8ee022ff2747c824a54741d5645c036c390844f808e5b69e76ab57bf7219c12
SHA51233c4f40cb3621d88bbd25ec3b92250a27e4d20eb9f14d3625150991ceca3ca82c34dedfdc49c99671082d32eb95d1a9f10254e11ab539bc15e2a067dea122bbd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E32DA5C2498E8CF7649760B1F24B32AFFilesize
406B
MD523ea9568809bf63dbac091e86998a397
SHA1e80b415eed39127ad71806699dbacfff8d3673e8
SHA256bb12d15f32dc5c69ae925e3cbe6edad1d840bdfcdc18282b4f9025fdad95e7f2
SHA51206c9f810f632fce0735edb03e3254630268cc5ab59e237c15f9783b67f6377473227bde5ea8a0cb1ced19f7c16267d6058ee38972bf1d6ee100e6180414db125
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD59decdd59d553b9b46778b6c722c1f149
SHA11b3e4c7554448e02761c8dd137eb05a8ea1904a4
SHA256a196d206ce38e4af58072bdd4b2d1655c2fa0613df4a707b3c206a7c9c131799
SHA512777d3dbc17ef7872624878d2dad1623ff1d89a3cc77de7f3542721b07cb35f1984282ccc59026c9a3d0a7facbfeb16b204a23859646ccfe185e130cbf380d176
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_75B7C74DAC2A7692FAD0A4B72A918B03Filesize
406B
MD5603ab18882f3913c58e0a5df61221d09
SHA1c6172dab0a54c90c47ea033c28ee09975b767c6c
SHA2569f8e5359e840753003cafa88355a5698155d61106e9d3e99d6451259ad930ece
SHA51250d95dd5b9d2dcd615534eee27f3b85bf217b6252a08faed49f20f7e5d9ba5025d5f37c68faca93528a07366bdd6b9825565bef4c5f6aec3db1509f9e8cb07b7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5ee113aa8c39846b8daf2b393565802a2
SHA1562a7a8028090e3fd9470469ead9785394f4670e
SHA256f500f9ea10acb3ddf79f27f5eb1a2f1a3c0af4f173852ac173acba25ff9347ad
SHA51258e3aed0c359a5b58010304c3d02d7ba44bdd499f5433cb1a6470e03c242b756c9aa3fa0d0e7b22d4e4906957745523e2eb2a4212d14514fc65ddd9f5c1d770a
-
C:\Users\Admin\AppData\Local\Temp\5.exeFilesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
C:\Users\Admin\AppData\Local\Temp\5.exeFilesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
C:\Users\Admin\AppData\Local\Temp\5.exeFilesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2xfdam5.mgp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nsq227D.tmp\System.dllFilesize
11KB
MD5b0c77267f13b2f87c084fd86ef51ccfc
SHA1f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e
-
C:\Users\Admin\AppData\Local\Temp\nsq227D.tmp\System.dllFilesize
11KB
MD5b0c77267f13b2f87c084fd86ef51ccfc
SHA1f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e
-
C:\Users\Admin\AppData\Local\Temp\nst6C4C.tmp\System.dllFilesize
11KB
MD5b0c77267f13b2f87c084fd86ef51ccfc
SHA1f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e
-
C:\Users\Admin\Documents\Windows.exeFilesize
267KB
MD54dbe71a4ca0eaea634ec73b4a82d32a9
SHA148ba9c1be52988de95bf1a2597fd573f96892895
SHA2563abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
SHA5125f157e987b2c2b25a2d66e49dcc583220da474bd8756b6ea8d206ebeb99e994a02f98800a081a750b885b576f20204b89b8632de956bf0d8cec9d5785c6fcd70
-
C:\Users\Admin\Documents\Windows.exeFilesize
267KB
MD54dbe71a4ca0eaea634ec73b4a82d32a9
SHA148ba9c1be52988de95bf1a2597fd573f96892895
SHA2563abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
SHA5125f157e987b2c2b25a2d66e49dcc583220da474bd8756b6ea8d206ebeb99e994a02f98800a081a750b885b576f20204b89b8632de956bf0d8cec9d5785c6fcd70
-
C:\Users\Admin\Documents\Windows.exeFilesize
267KB
MD54dbe71a4ca0eaea634ec73b4a82d32a9
SHA148ba9c1be52988de95bf1a2597fd573f96892895
SHA2563abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
SHA5125f157e987b2c2b25a2d66e49dcc583220da474bd8756b6ea8d206ebeb99e994a02f98800a081a750b885b576f20204b89b8632de956bf0d8cec9d5785c6fcd70
-
C:\Users\Admin\Doliolidae\Flugtskydninger\Privatvejens\Haandfuldenes\Impregnating\Kontaktcentrenes.FlaFilesize
236KB
MD5b7d956e078c957cb5360c4ea2d3c2273
SHA1c628a326cf84d3dae3554e68fda7a3ea00a1b92f
SHA256ff47cd620bf8e3272e23989d45344b155305fe012786d5cd36daae86e437fdf1
SHA512c0a8f0d04295f810988e4cef08ee036326f1fc2247d2c35480fd9d019e0014f6a96ed07c0bf299fe230cb1f107f83c32bde8c04ae7445c6aa6eff881ae9f10f8
-
C:\Users\Admin\Doliolidae\Flugtskydninger\Privatvejens\Haandfuldenes\Impregnating\Superprecise.JumFilesize
89KB
MD5951a26dcadeac34af41bc733cec364c1
SHA1113d2cd326d79e26f9df13f1637b1d62de5e68b7
SHA256a3bc552ffe558a34a32cce7e4cb9b90d36ec8971f29d408ef9ed2f519a60525c
SHA5122d6987fbf99db85ccc7c5a6f3fa87f003d982ba06d5ba5e5e79f1f797399fa283cc3790483e9acb62a2e744c2accab433c26234e341ec0f9797d74d2fcfed378
-
\??\c:\program files\microsoft dn1\rdpwrap.iniFilesize
299KB
MD5fca6ba93c780afa00a5703df9ac65754
SHA13ed423763fdd9722ff8bed3667ffa93f77390138
SHA2561c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5
SHA512538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595
-
\??\c:\program files\microsoft dn1\sqlmap.dllFilesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
memory/1492-257-0x00000000050E0000-0x00000000050F0000-memory.dmpFilesize
64KB
-
memory/1492-258-0x00000000050E0000-0x00000000050F0000-memory.dmpFilesize
64KB
-
memory/1492-259-0x00000000050E0000-0x00000000050F0000-memory.dmpFilesize
64KB
-
memory/1492-260-0x000000006ED40000-0x000000006ED8C000-memory.dmpFilesize
304KB
-
memory/1492-270-0x000000007F590000-0x000000007F5A0000-memory.dmpFilesize
64KB
-
memory/1792-191-0x0000000005AC0000-0x0000000005ADE000-memory.dmpFilesize
120KB
-
memory/1792-199-0x0000000074C20000-0x0000000074C6C000-memory.dmpFilesize
304KB
-
memory/1792-219-0x0000000006DD0000-0x0000000006DEA000-memory.dmpFilesize
104KB
-
memory/1792-220-0x0000000006E40000-0x0000000006E4A000-memory.dmpFilesize
40KB
-
memory/1792-175-0x00000000021E0000-0x0000000002216000-memory.dmpFilesize
216KB
-
memory/1792-222-0x0000000007050000-0x00000000070E6000-memory.dmpFilesize
600KB
-
memory/1792-223-0x0000000007000000-0x000000000700E000-memory.dmpFilesize
56KB
-
memory/1792-224-0x0000000007110000-0x000000000712A000-memory.dmpFilesize
104KB
-
memory/1792-225-0x00000000070F0000-0x00000000070F8000-memory.dmpFilesize
32KB
-
memory/1792-176-0x0000000004CE0000-0x0000000005308000-memory.dmpFilesize
6.2MB
-
memory/1792-214-0x0000000000D00000-0x0000000000D10000-memory.dmpFilesize
64KB
-
memory/1792-218-0x0000000007410000-0x0000000007A8A000-memory.dmpFilesize
6.5MB
-
memory/1792-177-0x0000000005340000-0x0000000005362000-memory.dmpFilesize
136KB
-
memory/1792-211-0x0000000006070000-0x000000000608E000-memory.dmpFilesize
120KB
-
memory/1792-209-0x000000007F300000-0x000000007F310000-memory.dmpFilesize
64KB
-
memory/1792-178-0x0000000005410000-0x0000000005476000-memory.dmpFilesize
408KB
-
memory/1792-198-0x0000000006090000-0x00000000060C2000-memory.dmpFilesize
200KB
-
memory/1792-188-0x00000000055F0000-0x0000000005656000-memory.dmpFilesize
408KB
-
memory/1792-189-0x0000000000D00000-0x0000000000D10000-memory.dmpFilesize
64KB
-
memory/1792-190-0x0000000000D00000-0x0000000000D10000-memory.dmpFilesize
64KB
-
memory/2332-228-0x0000000004050000-0x0000000004F7F000-memory.dmpFilesize
15.2MB
-
memory/2332-221-0x0000000004050000-0x0000000004F7F000-memory.dmpFilesize
15.2MB
-
memory/2848-194-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/2848-156-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/2848-169-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/2848-172-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/2848-196-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/2848-174-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/2848-173-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/2848-155-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3080-230-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3080-256-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/3080-244-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3080-243-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/3080-240-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3080-231-0x0000000001660000-0x000000000258F000-memory.dmpFilesize
15.2MB
-
memory/3080-290-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3080-292-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3952-286-0x0000000000260000-0x000000000028D000-memory.dmpFilesize
180KB
-
memory/4160-271-0x0000000001CB0000-0x0000000001CB1000-memory.dmpFilesize
4KB
-
memory/5116-154-0x0000000004190000-0x00000000050BF000-memory.dmpFilesize
15.2MB
-
memory/5116-153-0x0000000004190000-0x00000000050BF000-memory.dmpFilesize
15.2MB