Analysis
-
max time kernel
91s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
05-02-2024 20:08
Static task
static1
Behavioral task
behavioral1
Sample
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
General
-
Target
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe
-
Size
789KB
-
MD5
e2889893d75c1ea7bd8982274873b1b8
-
SHA1
9ebedbf8146b9862503bf3c40239e169b09c67a7
-
SHA256
5a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd
-
SHA512
a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275
-
SSDEEP
24576:hMwhWpdsQpT6q3tmxUgxDEuZ9WI+spi9iCnqV+:hMweskT6q30x4uZ8dr9q4
Malware Config
Extracted
remcos
2024
72.11.158.94:1604
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
vexplorers.exe
-
copy_folder
vexplorers
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-800RNZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1048-87-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral2/memory/1048-81-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/1612-78-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/1612-92-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
Processes:
resource yara_rule behavioral2/memory/3436-86-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3436-89-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/1048-87-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/1048-81-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/1612-78-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/1612-92-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe -
Executes dropped EXE 4 IoCs
Processes:
vexplorers.exevexplorers.exevexplorers.exevexplorers.exepid process 2412 vexplorers.exe 1612 vexplorers.exe 1048 vexplorers.exe 3436 vexplorers.exe -
Loads dropped DLL 5 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exevexplorers.exepid process 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 2412 vexplorers.exe 2412 vexplorers.exe 5084 vexplorers.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vexplorers.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vexplorers.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
vexplorers.exeORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-800RNZ = "\"C:\\ProgramData\\vexplorers\\vexplorers.exe\"" vexplorers.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-800RNZ = "\"C:\\ProgramData\\vexplorers\\vexplorers.exe\"" vexplorers.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Strejkevagter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Beleaguering\\Opkogs.exe" ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-800RNZ = "\"C:\\ProgramData\\vexplorers\\vexplorers.exe\"" ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-800RNZ = "\"C:\\ProgramData\\vexplorers\\vexplorers.exe\"" ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Strejkevagter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Beleaguering\\Opkogs.exe" vexplorers.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exepid process 624 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 5084 vexplorers.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exeORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exevexplorers.exepid process 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 624 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 2412 vexplorers.exe 5084 vexplorers.exe -
Suspicious use of SetThreadContext 6 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exevexplorers.exedescription pid process target process PID 3044 set thread context of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 2412 set thread context of 5084 2412 vexplorers.exe vexplorers.exe PID 5084 set thread context of 3528 5084 vexplorers.exe svchost.exe PID 5084 set thread context of 1612 5084 vexplorers.exe vexplorers.exe PID 5084 set thread context of 1048 5084 vexplorers.exe vexplorers.exe PID 5084 set thread context of 3436 5084 vexplorers.exe vexplorers.exe -
Drops file in Program Files directory 2 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exedescription ioc process File opened for modification C:\Program Files (x86)\disharmonize\semidivided.ini ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe File opened for modification C:\Program Files (x86)\disharmonize\semidivided.ini vexplorers.exe -
Drops file in Windows directory 2 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exedescription ioc process File opened for modification C:\Windows\Fonts\snlig.ini ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe File opened for modification C:\Windows\Fonts\snlig.ini vexplorers.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 412 5084 WerFault.exe vexplorers.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
vexplorers.exevexplorers.exepid process 1612 vexplorers.exe 1612 vexplorers.exe 3436 vexplorers.exe 3436 vexplorers.exe 1612 vexplorers.exe 1612 vexplorers.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exevexplorers.exepid process 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe 2412 vexplorers.exe 5084 vexplorers.exe 5084 vexplorers.exe 5084 vexplorers.exe 5084 vexplorers.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vexplorers.exedescription pid process Token: SeDebugPrivilege 3436 vexplorers.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exeORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exevexplorers.exevexplorers.exedescription pid process target process PID 3044 wrote to memory of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 3044 wrote to memory of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 3044 wrote to memory of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 3044 wrote to memory of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 3044 wrote to memory of 624 3044 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe PID 624 wrote to memory of 2412 624 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe vexplorers.exe PID 624 wrote to memory of 2412 624 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe vexplorers.exe PID 624 wrote to memory of 2412 624 ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe vexplorers.exe PID 2412 wrote to memory of 5084 2412 vexplorers.exe vexplorers.exe PID 2412 wrote to memory of 5084 2412 vexplorers.exe vexplorers.exe PID 2412 wrote to memory of 5084 2412 vexplorers.exe vexplorers.exe PID 2412 wrote to memory of 5084 2412 vexplorers.exe vexplorers.exe PID 2412 wrote to memory of 5084 2412 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 3528 5084 vexplorers.exe svchost.exe PID 5084 wrote to memory of 3528 5084 vexplorers.exe svchost.exe PID 5084 wrote to memory of 3528 5084 vexplorers.exe svchost.exe PID 5084 wrote to memory of 3528 5084 vexplorers.exe svchost.exe PID 5084 wrote to memory of 1612 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 1612 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 1612 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 1048 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 1048 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 1048 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 3436 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 3436 5084 vexplorers.exe vexplorers.exe PID 5084 wrote to memory of 3436 5084 vexplorers.exe vexplorers.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\vexplorers\vexplorers.exe"C:\ProgramData\vexplorers\vexplorers.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\vexplorers\vexplorers.exe"C:\ProgramData\vexplorers\vexplorers.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\ProgramData\vexplorers\vexplorers.exeC:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\ebkekhivroenunnxagbdatjzjnghoos"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\vexplorers\vexplorers.exeC:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\chftjoptdgmijhrlivocpppiizp"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\ProgramData\vexplorers\vexplorers.exeC:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\rfzbjweahyuehtdhzkbimcuz"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 14645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5084 -ip 50841⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\vexplorers\vexplorers.exeFilesize
789KB
MD5e2889893d75c1ea7bd8982274873b1b8
SHA19ebedbf8146b9862503bf3c40239e169b09c67a7
SHA2565a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd
SHA512a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275
-
C:\ProgramData\vexplorers\vexplorers.exeFilesize
229KB
MD5bb178123aceb34b00c9becaed82e4fb7
SHA152bc6bc45edbb5ac55f4f611d6d238864207aa77
SHA256dbdbac3f03fd01ca15eb0ea61df0e4a13419bc7d518c87aa87c7a02d3c70bbac
SHA5128b18791b06c6846d53e076330bcdac048ce6b18cbf6e0248c769fe6f00269b4eb63f5b2bfdfa847a542263dd97f9d01dc285ed76fde60048e501bef5afead991
-
C:\ProgramData\vexplorers\vexplorers.exeFilesize
271KB
MD5e1290ab3ab25a216d078827b99bcc198
SHA1d1651f6df852aaee522e9928f70b83e17bdf6405
SHA25624c4afea6c87450490ec0129de6e8160f79794486864e782d1d8ece19808e1c3
SHA51230bdb25f4c2c51cd120851f8f94000f9c5f4fe6947069b6b406f61212be4e7994eaf81d5162b724cd3296d6ae1ca4441a70a79b655c52449b4ca3ae4e679ca79
-
C:\ProgramData\vexplorers\vexplorers.exeFilesize
282KB
MD59923196bad7b3c85ece433901ce927a8
SHA1244de842e35c083072b844a4004e61afb5790ca2
SHA256653d592c0a68c9041d53a240c87dcabf2ebb6ae3e82dfac6cdca43c4017f8828
SHA51286ca8a2cbe7786267f07b32b6f2356bc53fe452c2faf1eba72bd5c7068e72e2a59bfc9d63935341724725040bd38e458112eaeabc76e8ab2f8607cdab1171d0f
-
C:\Users\Admin\AppData\Local\Petals\Retrousse\Whiffletrees\Elitedivisionen\Fortolde.XylFilesize
227KB
MD5934a13585e8f3caa531f139bfbcc1db2
SHA1faccc849e76d81ff45f5660efcbc755c261ff2bf
SHA25698b761f80f1aa385782662756b112087a9a800577f643b50a114a187fd4f6f55
SHA512b5d52a6a6c8427041813c8336607ff3707a5e707a99d87d4cd058864d1161762bf44f136b3878967ebdf0eea7b09b73beb1081965431c403eda979968930c359
-
C:\Users\Admin\AppData\Local\Temp\Beleaguering\Opkogs.exeFilesize
789KB
MD5dec4253bf436c01e2fd66353a3ebe3e2
SHA104fb085611fa43af3e4683bf46d1f0fb35da98a4
SHA2567ce6d64fdef2d053b7ec18a28ac710ab19f815f6b2e84acf49514c2859325039
SHA51255b8484005880e3ada8412a83ca66f40f33ac8e312a00c2d6c7555055b46653233e133c74841a983a900c1085f1b69dcb3fd8881d7016714686a9b6292edcd32
-
C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\System.dllFilesize
12KB
MD5564bb0373067e1785cba7e4c24aab4bf
SHA17c9416a01d821b10b2eef97b80899d24014d6fc1
SHA2567a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA51222c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Local\Temp\rfzbjweahyuehtdhzkbimcuzFilesize
4KB
MD5a53497fd7bf281f61d7d819a649c64bd
SHA1580d201744bc94c3cf3cb922a79f8313b1011a93
SHA25634f39f0ccb042a848a325458f619fc07b808653c0bebd8cde69d5f8428cfeec7
SHA5121fcedb78352bf040a9a693e8389b9e81aa78f4995c6587b213ac57e813493f94bfa65b5d981e67dc32e59d861bb7c9f2f1d36892deee6d39b8371393b01f35dc
-
C:\Windows\Fonts\snlig.iniFilesize
43B
MD575285908e15263897f2fe77cc637ef6e
SHA1cc5a707cae259834b2453a305af9453b7b7412ac
SHA2566fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5
SHA512e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2
-
memory/624-19-0x0000000077551000-0x0000000077671000-memory.dmpFilesize
1.1MB
-
memory/624-37-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB
-
memory/624-27-0x0000000077551000-0x0000000077671000-memory.dmpFilesize
1.1MB
-
memory/624-22-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB
-
memory/624-21-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB
-
memory/624-18-0x00000000775D8000-0x00000000775D9000-memory.dmpFilesize
4KB
-
memory/1048-77-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1048-81-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1048-68-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1048-87-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1612-78-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1612-66-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1612-92-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1612-72-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2412-52-0x0000000075080000-0x0000000075087000-memory.dmpFilesize
28KB
-
memory/3044-17-0x0000000074240000-0x0000000074247000-memory.dmpFilesize
28KB
-
memory/3044-16-0x0000000077551000-0x0000000077671000-memory.dmpFilesize
1.1MB
-
memory/3436-89-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3436-86-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3436-80-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3436-73-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3528-61-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/3528-64-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/3528-63-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/3528-100-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/5084-57-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB
-
memory/5084-98-0x0000000036A20000-0x0000000036A39000-memory.dmpFilesize
100KB
-
memory/5084-95-0x0000000036A20000-0x0000000036A39000-memory.dmpFilesize
100KB
-
memory/5084-56-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB
-
memory/5084-99-0x0000000000490000-0x00000000016E4000-memory.dmpFilesize
18.3MB