Analysis
-
max time kernel
142s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
22-06-2023 15:20
Static task
static1
Behavioral task
behavioral1
Sample
fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe
Resource
win10v2004-20230621-en
General
-
Target
fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe
-
Size
677KB
-
MD5
1c423459aacf4f31a3d5f6ea9e05f051
-
SHA1
2798fb6b886a50804171851de8897b85b4dfe3ad
-
SHA256
fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368
-
SHA512
fe7b3f7f0ff61b84d8d5e41f8964789be5df21948b2b4fc1d52e0d4717cea7bc9b375d6dbee65ea49cf5726466f0ca45a7a36d270d29214a1363eb15bde32010
-
SSDEEP
12288:JztKekjWeeIOZkdSWJSn/lwaSUBQY7gV0eKqsNB8cDw1GsM:Jkueezn/Y4l7m0eOB8cU
Malware Config
Extracted
redline
furga
83.97.73.128:19071
-
auth_value
1b7af6db7a79a3475798fcf494818be7
Extracted
amadey
3.84
77.91.68.63/doma/net/index.php
Signatures
-
Processes:
i7350497.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" i7350497.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" i7350497.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" i7350497.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" i7350497.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" i7350497.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection i7350497.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rugen.exeg7247111.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation rugen.exe Key value queried \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation g7247111.exe -
Executes dropped EXE 8 IoCs
Processes:
x8771353.exef4261313.exeg7247111.exerugen.exei7350497.exerugen.exerugen.exerugen.exepid process 4656 x8771353.exe 4820 f4261313.exe 1752 g7247111.exe 2100 rugen.exe 1536 i7350497.exe 224 rugen.exe 2164 rugen.exe 3028 rugen.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 856 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
i7350497.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" i7350497.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exex8771353.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x8771353.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x8771353.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f4261313.exei7350497.exepid process 4820 f4261313.exe 4820 f4261313.exe 1536 i7350497.exe 1536 i7350497.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
f4261313.exei7350497.exedescription pid process Token: SeDebugPrivilege 4820 f4261313.exe Token: SeDebugPrivilege 1536 i7350497.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
g7247111.exepid process 1752 g7247111.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exex8771353.exeg7247111.exerugen.execmd.exedescription pid process target process PID 4220 wrote to memory of 4656 4220 fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe x8771353.exe PID 4220 wrote to memory of 4656 4220 fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe x8771353.exe PID 4220 wrote to memory of 4656 4220 fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe x8771353.exe PID 4656 wrote to memory of 4820 4656 x8771353.exe f4261313.exe PID 4656 wrote to memory of 4820 4656 x8771353.exe f4261313.exe PID 4656 wrote to memory of 4820 4656 x8771353.exe f4261313.exe PID 4656 wrote to memory of 1752 4656 x8771353.exe g7247111.exe PID 4656 wrote to memory of 1752 4656 x8771353.exe g7247111.exe PID 4656 wrote to memory of 1752 4656 x8771353.exe g7247111.exe PID 1752 wrote to memory of 2100 1752 g7247111.exe rugen.exe PID 1752 wrote to memory of 2100 1752 g7247111.exe rugen.exe PID 1752 wrote to memory of 2100 1752 g7247111.exe rugen.exe PID 4220 wrote to memory of 1536 4220 fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe i7350497.exe PID 4220 wrote to memory of 1536 4220 fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe i7350497.exe PID 2100 wrote to memory of 4916 2100 rugen.exe schtasks.exe PID 2100 wrote to memory of 4916 2100 rugen.exe schtasks.exe PID 2100 wrote to memory of 4916 2100 rugen.exe schtasks.exe PID 2100 wrote to memory of 4996 2100 rugen.exe cmd.exe PID 2100 wrote to memory of 4996 2100 rugen.exe cmd.exe PID 2100 wrote to memory of 4996 2100 rugen.exe cmd.exe PID 4996 wrote to memory of 2736 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 2736 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 2736 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 4120 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 4120 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 4120 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 2132 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 2132 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 2132 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 4808 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 4808 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 4808 4996 cmd.exe cmd.exe PID 4996 wrote to memory of 4748 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 4748 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 4748 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 3960 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 3960 4996 cmd.exe cacls.exe PID 4996 wrote to memory of 3960 4996 cmd.exe cacls.exe PID 2100 wrote to memory of 856 2100 rugen.exe rundll32.exe PID 2100 wrote to memory of 856 2100 rugen.exe rundll32.exe PID 2100 wrote to memory of 856 2100 rugen.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe"C:\Users\Admin\AppData\Local\Temp\fe96d0ddf67df22663a35c3f915add35be2627bd2e8358a11a11a7abf0f5b368.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8771353.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8771353.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4261313.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4261313.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7247111.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7247111.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7350497.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7350497.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7350497.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7350497.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8771353.exeFilesize
360KB
MD5f1ab5442512bd5829bfd79801878a273
SHA1ab1353e9bc0ea425864e9e95ca53651fa089d8d3
SHA256204e837afd174f9e393407fb2496d9ada9b3fe6b4ca108b6ab0cd2068e6472ca
SHA5126411d5da9f549f209c9361439939bbc411b715045578701c915065a6ba2be84075a0bec612a75df469f7bfa639a7dd35b0b5b503bfde2d2719ea06a2c912727f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8771353.exeFilesize
360KB
MD5f1ab5442512bd5829bfd79801878a273
SHA1ab1353e9bc0ea425864e9e95ca53651fa089d8d3
SHA256204e837afd174f9e393407fb2496d9ada9b3fe6b4ca108b6ab0cd2068e6472ca
SHA5126411d5da9f549f209c9361439939bbc411b715045578701c915065a6ba2be84075a0bec612a75df469f7bfa639a7dd35b0b5b503bfde2d2719ea06a2c912727f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4261313.exeFilesize
388KB
MD50e0b13a56bf0d638c1aa6772537f6b03
SHA13e5eb7ea81c98cce913575089659538362e2e500
SHA2566b08de7a750afc24caf07ae3228fc79f107fec71385ac7d91d1988c30d5129a7
SHA512b7e92e91b861b62f8935433c82b654b3b5fbce887919eb2247aeb3d62cba93bc3c28a03c1e724b26751fe444058aed021ae4aefe9d0dbb05e0301e2f2ae2bd81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4261313.exeFilesize
388KB
MD50e0b13a56bf0d638c1aa6772537f6b03
SHA13e5eb7ea81c98cce913575089659538362e2e500
SHA2566b08de7a750afc24caf07ae3228fc79f107fec71385ac7d91d1988c30d5129a7
SHA512b7e92e91b861b62f8935433c82b654b3b5fbce887919eb2247aeb3d62cba93bc3c28a03c1e724b26751fe444058aed021ae4aefe9d0dbb05e0301e2f2ae2bd81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7247111.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7247111.exeFilesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/1536-188-0x0000000000FB0000-0x0000000000FBA000-memory.dmpFilesize
40KB
-
memory/4220-191-0x0000000000580000-0x00000000005F8000-memory.dmpFilesize
480KB
-
memory/4220-133-0x0000000000580000-0x00000000005F8000-memory.dmpFilesize
480KB
-
memory/4820-159-0x000000000A770000-0x000000000A782000-memory.dmpFilesize
72KB
-
memory/4820-169-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4820-168-0x000000000B9D0000-0x000000000BEFC000-memory.dmpFilesize
5.2MB
-
memory/4820-167-0x000000000B7B0000-0x000000000B972000-memory.dmpFilesize
1.8MB
-
memory/4820-166-0x000000000B660000-0x000000000B6B0000-memory.dmpFilesize
320KB
-
memory/4820-165-0x000000000AFE0000-0x000000000B584000-memory.dmpFilesize
5.6MB
-
memory/4820-164-0x000000000AA90000-0x000000000AAF6000-memory.dmpFilesize
408KB
-
memory/4820-163-0x000000000A9F0000-0x000000000AA82000-memory.dmpFilesize
584KB
-
memory/4820-162-0x000000000A970000-0x000000000A9E6000-memory.dmpFilesize
472KB
-
memory/4820-161-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4820-160-0x000000000A790000-0x000000000A7CC000-memory.dmpFilesize
240KB
-
memory/4820-158-0x000000000A630000-0x000000000A73A000-memory.dmpFilesize
1.0MB
-
memory/4820-157-0x000000000A010000-0x000000000A628000-memory.dmpFilesize
6.1MB
-
memory/4820-153-0x0000000000540000-0x0000000000570000-memory.dmpFilesize
192KB