Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
26-06-2023 13:44
General
-
Target
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
-
Size
335KB
-
MD5
b5237a3f0b1db945c1fe3f9ba71e3ff2
-
SHA1
ba302c3c2490a3b1b04cfbdd76097f2444a54700
-
SHA256
239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
-
SHA512
9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1
-
SSDEEP
6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi
Malware Config
Extracted
redline
1
dexstat255.xyz:46578
-
auth_value
c4805fc19583231a4c5bb64b0e833716
Extracted
systembc
adstat277xm.xyz:4044
demstat377xm.xyz:4044
Extracted
smokeloader
2022
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 1 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exe"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\809A.exeC:\Users\Admin\AppData\Local\Temp\809A.exe1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\809A.exe"C:\Users\Admin\AppData\Local\Temp\809A.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 4683⤵
- Program crash
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\8231.exeC:\Users\Admin\AppData\Local\Temp\8231.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 7242⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4412 -ip 44121⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1364 -ip 13641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[EC1FEA35-3483].[[email protected]].8baseFilesize
3.2MB
MD502f3ba42ef35ccaacb201eb0eac399d5
SHA189123a0480d270c558dcafdf8bcb237b91f4cff5
SHA256b7817f4af379fa1dc543da21f96c069bd17008e045e193ceedab157d29e586b5
SHA512e1a2935b6aaf00cf4bd640f9ee470bf42624c1c6c6f678ba2bb38be64040f6b2c5bd85a84e2aff06db4d6d1a350ab88f141ab4ee9c95f21d46366ccab53d050e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\809A.exeFilesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
C:\Users\Admin\AppData\Local\Temp\809A.exeFilesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
C:\Users\Admin\AppData\Local\Temp\809A.exeFilesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
C:\Users\Admin\AppData\Local\Temp\809A.exeFilesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
C:\Users\Admin\AppData\Local\Temp\8231.exeFilesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\8231.exeFilesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngbubqwh.bsv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exeFilesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exeFilesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exeFilesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exeFilesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exeFilesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exeFilesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exeFilesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
memory/920-205-0x0000000001BC0000-0x0000000001BC9000-memory.dmpFilesize
36KB
-
memory/1140-165-0x000000001D630000-0x000000001DC48000-memory.dmpFilesize
6.1MB
-
memory/1140-170-0x0000000015810000-0x0000000015820000-memory.dmpFilesize
64KB
-
memory/1140-175-0x000000001FE30000-0x000000002035C000-memory.dmpFilesize
5.2MB
-
memory/1140-174-0x000000001F730000-0x000000001F8F2000-memory.dmpFilesize
1.8MB
-
memory/1140-173-0x000000001E110000-0x000000001E160000-memory.dmpFilesize
320KB
-
memory/1140-168-0x000000001D0F0000-0x000000001D12C000-memory.dmpFilesize
240KB
-
memory/1140-167-0x000000001D090000-0x000000001D0A2000-memory.dmpFilesize
72KB
-
memory/1140-164-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1140-176-0x0000000015810000-0x0000000015820000-memory.dmpFilesize
64KB
-
memory/1140-166-0x000000001D160000-0x000000001D26A000-memory.dmpFilesize
1.0MB
-
memory/1364-5454-0x0000000000400000-0x0000000001B38000-memory.dmpFilesize
23.2MB
-
memory/1364-607-0x0000000000400000-0x0000000001B38000-memory.dmpFilesize
23.2MB
-
memory/1424-650-0x0000000000140000-0x0000000000149000-memory.dmpFilesize
36KB
-
memory/1424-655-0x0000000000140000-0x0000000000149000-memory.dmpFilesize
36KB
-
memory/1424-652-0x0000000000150000-0x0000000000155000-memory.dmpFilesize
20KB
-
memory/1680-820-0x0000000000B90000-0x0000000000B95000-memory.dmpFilesize
20KB
-
memory/1680-818-0x0000000000B80000-0x0000000000B89000-memory.dmpFilesize
36KB
-
memory/1680-821-0x0000000000B80000-0x0000000000B89000-memory.dmpFilesize
36KB
-
memory/1808-604-0x0000000000680000-0x0000000000689000-memory.dmpFilesize
36KB
-
memory/1808-595-0x0000000000690000-0x0000000000694000-memory.dmpFilesize
16KB
-
memory/1808-529-0x0000000000680000-0x0000000000689000-memory.dmpFilesize
36KB
-
memory/1816-837-0x0000000000E70000-0x0000000000E7B000-memory.dmpFilesize
44KB
-
memory/1816-836-0x0000000000E80000-0x0000000000E86000-memory.dmpFilesize
24KB
-
memory/1816-827-0x0000000000E70000-0x0000000000E7B000-memory.dmpFilesize
44KB
-
memory/1852-743-0x00000000008D0000-0x00000000008F7000-memory.dmpFilesize
156KB
-
memory/1852-749-0x00000000008D0000-0x00000000008F7000-memory.dmpFilesize
156KB
-
memory/1852-800-0x0000000000900000-0x0000000000921000-memory.dmpFilesize
132KB
-
memory/2168-293-0x0000000000320000-0x0000000000329000-memory.dmpFilesize
36KB
-
memory/2168-307-0x0000000000310000-0x000000000031F000-memory.dmpFilesize
60KB
-
memory/2168-270-0x0000000000310000-0x000000000031F000-memory.dmpFilesize
60KB
-
memory/2264-235-0x0000000000D90000-0x0000000000DFB000-memory.dmpFilesize
428KB
-
memory/2264-260-0x0000000000D90000-0x0000000000DFB000-memory.dmpFilesize
428KB
-
memory/2264-238-0x0000000000D90000-0x0000000000DFB000-memory.dmpFilesize
428KB
-
memory/2264-237-0x0000000000E00000-0x0000000000E75000-memory.dmpFilesize
468KB
-
memory/2540-236-0x0000000000720000-0x000000000072F000-memory.dmpFilesize
60KB
-
memory/2540-4496-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-7987-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-6518-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-5924-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-584-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-5188-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-1575-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-2438-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2540-3923-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/2660-244-0x0000000000330000-0x000000000033C000-memory.dmpFilesize
48KB
-
memory/2660-240-0x0000000000330000-0x000000000033C000-memory.dmpFilesize
48KB
-
memory/2932-858-0x0000000000590000-0x000000000059D000-memory.dmpFilesize
52KB
-
memory/2932-878-0x00000000005A0000-0x00000000005A7000-memory.dmpFilesize
28KB
-
memory/2932-880-0x0000000000590000-0x000000000059D000-memory.dmpFilesize
52KB
-
memory/3052-207-0x0000000001CB0000-0x0000000001CB5000-memory.dmpFilesize
20KB
-
memory/3052-215-0x0000000000400000-0x0000000001B38000-memory.dmpFilesize
23.2MB
-
memory/3116-210-0x0000000002DE0000-0x0000000002DF6000-memory.dmpFilesize
88KB
-
memory/3208-266-0x0000000000930000-0x000000000093B000-memory.dmpFilesize
44KB
-
memory/3208-265-0x0000000000930000-0x000000000093B000-memory.dmpFilesize
44KB
-
memory/3260-262-0x0000000000180000-0x0000000000184000-memory.dmpFilesize
16KB
-
memory/3260-1013-0x0000000000180000-0x0000000000184000-memory.dmpFilesize
16KB
-
memory/3260-263-0x0000000000170000-0x0000000000179000-memory.dmpFilesize
36KB
-
memory/3260-261-0x0000000000170000-0x0000000000179000-memory.dmpFilesize
36KB
-
memory/3364-897-0x0000000000520000-0x000000000052B000-memory.dmpFilesize
44KB
-
memory/3396-135-0x0000000004C30000-0x0000000004CC2000-memory.dmpFilesize
584KB
-
memory/3396-139-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/3396-136-0x0000000004B50000-0x0000000004B72000-memory.dmpFilesize
136KB
-
memory/3396-137-0x0000000004BF0000-0x0000000004BFA000-memory.dmpFilesize
40KB
-
memory/3396-134-0x0000000005140000-0x00000000056E4000-memory.dmpFilesize
5.6MB
-
memory/3396-133-0x0000000000190000-0x00000000001E8000-memory.dmpFilesize
352KB
-
memory/3904-208-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3904-211-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3904-203-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3968-158-0x0000000007770000-0x0000000007DEA000-memory.dmpFilesize
6.5MB
-
memory/3968-169-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-140-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-159-0x0000000006290000-0x00000000062AA000-memory.dmpFilesize
104KB
-
memory/3968-138-0x0000000000BF0000-0x0000000000C26000-memory.dmpFilesize
216KB
-
memory/3968-155-0x0000000006040000-0x0000000006084000-memory.dmpFilesize
272KB
-
memory/3968-160-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-161-0x00000000076C0000-0x00000000076E2000-memory.dmpFilesize
136KB
-
memory/3968-154-0x0000000005C50000-0x0000000005C6E000-memory.dmpFilesize
120KB
-
memory/3968-144-0x0000000004DC0000-0x0000000004E26000-memory.dmpFilesize
408KB
-
memory/3968-171-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-162-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-163-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-141-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-156-0x0000000007070000-0x00000000070E6000-memory.dmpFilesize
472KB
-
memory/3968-157-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/3968-143-0x0000000004D50000-0x0000000004DB6000-memory.dmpFilesize
408KB
-
memory/3968-142-0x00000000050C0000-0x00000000056E8000-memory.dmpFilesize
6.2MB
-
memory/4284-421-0x0000000000D80000-0x0000000000D89000-memory.dmpFilesize
36KB
-
memory/4284-494-0x0000000000D90000-0x0000000000D95000-memory.dmpFilesize
20KB
-
memory/4284-497-0x0000000000D80000-0x0000000000D89000-memory.dmpFilesize
36KB
-
memory/4308-480-0x00000000005F0000-0x00000000005FC000-memory.dmpFilesize
48KB
-
memory/4308-498-0x0000000000800000-0x0000000000806000-memory.dmpFilesize
24KB
-
memory/4308-511-0x00000000005F0000-0x00000000005FC000-memory.dmpFilesize
48KB
-
memory/4412-264-0x0000000000400000-0x0000000000695000-memory.dmpFilesize
2.6MB
-
memory/4936-269-0x0000000000370000-0x000000000037B000-memory.dmpFilesize
44KB
-
memory/4936-268-0x0000000000380000-0x0000000000387000-memory.dmpFilesize
28KB
-
memory/4936-267-0x0000000000370000-0x000000000037B000-memory.dmpFilesize
44KB