Analysis
-
max time kernel
131s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23-03-2024 02:28
General
-
Target
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
-
Size
303KB
-
MD5
91971721b53c791bd1e4bef7ae44c4fc
-
SHA1
ffd271ebad1b0afae61b36a62d63352d38c703bd
-
SHA256
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
-
SHA512
25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
-
SSDEEP
3072:oQciUCwAoPh+BYYCEXWHbbk9B/armuE/1K8nD2ey7AOD65xL4dK:kOIhmhbL/uER2ey752L44
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
5.42.65.68:29093
Extracted
lumma
https://resergvearyinitiani.shop/api
https://associationokeo.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects executables packed with unregistered version of .NET Reactor 2 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 42 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 20 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AF0C.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\D1E7.exeC:\Users\Admin\AppData\Local\Temp\D1E7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D1E7.exeC:\Users\Admin\AppData\Local\Temp\D1E7.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\de3f9d24-dc64-48b1-8bfb-56d54ea461fd" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\D1E7.exe"C:\Users\Admin\AppData\Local\Temp\D1E7.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D1E7.exe"C:\Users\Admin\AppData\Local\Temp\D1E7.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2245⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2556 -ip 25561⤵
-
C:\Users\Admin\AppData\Local\Temp\E198.exeC:\Users\Admin\AppData\Local\Temp\E198.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 15202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4828 -ip 48281⤵
-
C:\Users\Admin\AppData\Local\Temp\B7C5.exeC:\Users\Admin\AppData\Local\Temp\B7C5.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 12322⤵
- Program crash
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC1B.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2168 -ip 21681⤵
-
C:\Users\Admin\AppData\Local\Temp\CD04.exeC:\Users\Admin\AppData\Local\Temp\CD04.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 12043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2408 -ip 24081⤵
-
C:\Users\Admin\AppData\Roaming\vdutusuC:\Users\Admin\AppData\Roaming\vdutusu1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
3File and Directory Permissions Modification
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5e045d58509ea9ccf58a7c9da04faf233
SHA18cd270922bc0ba71e36e0925b5927dd5360792c2
SHA2569b3de31ff941c8b17a390481df65b96e177fa9865b83414aea64d1113b655a85
SHA5129b37b37f9c136b941fbbf7c7e53aa48c0e0d421daca792523e5221116dbda2bd48ab64be527903bb210a76802f1176e6e01ab873a79e0f3f414d77ef66f01902
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5449db415d89575b9cbd16071d9a28140
SHA148c778cd4a2234cc8a1f4e0a322bca720b9e4a9e
SHA25643d37d8e7e82b8083bd4ef2c89289f6261bf4b84239870e75535d704a178290a
SHA5128f8893be7eff0bf0daf99e97e523500859bc1eceea57cbc87eac1e06ae4215e655024b21c80dfaf983cc9abdc1212a75472952f0cc7a18818a6109f2d6937734
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
1022B
MD55438399e35344fd436c4a134915d34a6
SHA12c58d8229bebd3d97e7e7bec125da4caebcd461b
SHA256d0831327b04aa49d3744d248a66ece8b5be5279064d543f6a3e376fd50037865
SHA512cc011d1b255cf6eadcecd5e5345569aee96bdb4ac4cb9ac4af0521798f0d85cb0bf3d33ef51b6ceafa8b4045d5d3242d5b5b2e242b8bc2cf6c96c4b387a2c2f0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133556346265059170.txtFilesize
74KB
MD580dffedad36ef4c303579f8c9be9dbd7
SHA1792ca2a83d616ca82d973ece361ed9e95c95a0d8
SHA256590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e
SHA512826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N3A1GXDL\microsoft.windows[1].xmlFilesize
97B
MD52a048584ff1532f817c94dc91dcd1288
SHA1a8feaa50ff20598096757253f961ed62cc8e2569
SHA256ac0e9ccd0c2a91247d80d72c35930928c1da245701ca832072bd977c61d3901a
SHA512b6e50c342123202657e524ce15e02851da3b8573494e0ba98f7b70c6438fcbee100df4eac302d1dcbd3d3123bdf14a11d232c96d998c569431887317419c1d86
-
C:\Users\Admin\AppData\Local\Temp\AF0C.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\B7C5.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\CD04.exeFilesize
351KB
MD540408d90b261f8716b703db1715df09f
SHA1ac4ccd5c3d585ff9f8ee24dc79fbaa2b918212ab
SHA2565ef8a6fc75231cb5751d95fd0fd21e6e9486097939c1f5a61930b01d59880c4a
SHA512c5f58b8862888d7019a736ec9652ae958265169d944447f96d96a43677f211d017fb60dbb090f35d98d2444c5cf9017b556737780f4399a0c156fdfb0b53b29d
-
C:\Users\Admin\AppData\Local\Temp\D1E7.exeFilesize
818KB
MD540a0b12623cca2067aaf9047c8fb36d6
SHA196be356366e488fca45b666138082fdd440fbedd
SHA256b5b61da6a6817d9815bd46ac996f56d285fe2b8fd85c961ce174adaff0c0d398
SHA512c178116559efe609067132c29bc88637b0e7c5b116e27705ff37080f7b4be0b2192b537ac342a19e9624602f99e066fe49687fbf77e2fbf11a4ae29e0fddfd2d
-
C:\Users\Admin\AppData\Local\Temp\E198.exeFilesize
474KB
MD5c94548113a5baefff7f1c142363a0eb6
SHA1cba3e3853950176d5cc1614893d22b994620aca2
SHA256abc164bef26cc5d7436f178e99393448844d95aa46151fbe1407cfa4756905a5
SHA51247992972c3cc47c3731e2b4af697f64ccbcddf8a5ebcb66a7d911c6514d24a1937c61e30d46d40cc42bdc2eef88c82860e30649dc5173041928d1b8ce468c501
-
C:\Users\Admin\AppData\Local\Temp\TmpEA8F.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Roaming\vdutusuFilesize
303KB
MD591971721b53c791bd1e4bef7ae44c4fc
SHA1ffd271ebad1b0afae61b36a62d63352d38c703bd
SHA256b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
SHA51225675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5aad1f7b37a15bbe1d1e77c3662aa623b
SHA13eaef2545471bb199e9c34ec81bb001cc7d7e26c
SHA2560404bd42f6094a3af2b2961634fae135c0fbd67b392f087a6516610bf2ea81e5
SHA512092eb1cfee08d373b1a16cb98a1522b0a9c82003678a4467c8a4a6769fbf46ccbf5097a10c2daf365b3a7f9ccf011d0c163dd3223981b89e3836ef4677bdac4d
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5c40a96900012f460d22dcbc20907ac91
SHA1d24ac795520e35990e9bfa41440af61496bd35c0
SHA256dbffca9dc704fbf7605983883ec1c7e15c6fd70ed19ed9486aa5f5420a1ef593
SHA512accf573808ba0d136e168bbdd8996178c8e7f6d972dc389f57235a9bfed8588588814c4c7dd182ed0a94c4970bdd7bd59271761e91f1cfea9f01f234272cc2ed
-
memory/1012-164-0x0000000003020000-0x0000000003120000-memory.dmpFilesize
1024KB
-
memory/1012-165-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/1012-169-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/1364-21-0x0000000002790000-0x000000000282F000-memory.dmpFilesize
636KB
-
memory/1364-22-0x00000000028E0000-0x00000000029FB000-memory.dmpFilesize
1.1MB
-
memory/1764-150-0x0000000074240000-0x00000000749F0000-memory.dmpFilesize
7.7MB
-
memory/1764-182-0x00000000024A0000-0x00000000044A0000-memory.dmpFilesize
32.0MB
-
memory/1764-151-0x00000000024A0000-0x00000000044A0000-memory.dmpFilesize
32.0MB
-
memory/1764-141-0x0000000000100000-0x000000000015E000-memory.dmpFilesize
376KB
-
memory/1764-142-0x0000000074240000-0x00000000749F0000-memory.dmpFilesize
7.7MB
-
memory/2052-199-0x000002D66FEE0000-0x000002D66FF00000-memory.dmpFilesize
128KB
-
memory/2052-198-0x000002D66F830000-0x000002D66F850000-memory.dmpFilesize
128KB
-
memory/2052-196-0x000002D66F870000-0x000002D66F890000-memory.dmpFilesize
128KB
-
memory/2168-124-0x0000000001C70000-0x0000000001C71000-memory.dmpFilesize
4KB
-
memory/2168-131-0x0000000003580000-0x00000000035B2000-memory.dmpFilesize
200KB
-
memory/2168-133-0x0000000003580000-0x00000000035B2000-memory.dmpFilesize
200KB
-
memory/2168-134-0x0000000003580000-0x00000000035B2000-memory.dmpFilesize
200KB
-
memory/2168-135-0x0000000003580000-0x00000000035B2000-memory.dmpFilesize
200KB
-
memory/2168-132-0x0000000003580000-0x00000000035B2000-memory.dmpFilesize
200KB
-
memory/2168-156-0x0000000000810000-0x00000000014F5000-memory.dmpFilesize
12.9MB
-
memory/2168-118-0x0000000000810000-0x00000000014F5000-memory.dmpFilesize
12.9MB
-
memory/2168-123-0x0000000001C60000-0x0000000001C61000-memory.dmpFilesize
4KB
-
memory/2168-125-0x0000000001CA0000-0x0000000001CA1000-memory.dmpFilesize
4KB
-
memory/2168-126-0x0000000000810000-0x00000000014F5000-memory.dmpFilesize
12.9MB
-
memory/2168-128-0x0000000003560000-0x0000000003561000-memory.dmpFilesize
4KB
-
memory/2168-127-0x0000000001CB0000-0x0000000001CB1000-memory.dmpFilesize
4KB
-
memory/2168-129-0x0000000003570000-0x0000000003571000-memory.dmpFilesize
4KB
-
memory/2168-130-0x0000000000810000-0x00000000014F5000-memory.dmpFilesize
12.9MB
-
memory/2408-170-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2408-148-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2408-154-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/2408-153-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/2408-152-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/2408-155-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2408-145-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2556-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2556-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2556-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3208-166-0x00000000028B0000-0x00000000028C6000-memory.dmpFilesize
88KB
-
memory/3272-8-0x0000000002E30000-0x0000000002E3B000-memory.dmpFilesize
44KB
-
memory/3272-1-0x0000000002E40000-0x0000000002F40000-memory.dmpFilesize
1024KB
-
memory/3272-2-0x0000000002E30000-0x0000000002E3B000-memory.dmpFilesize
44KB
-
memory/3272-3-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/3272-5-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/3388-40-0x00000000026B0000-0x0000000002748000-memory.dmpFilesize
608KB
-
memory/3456-160-0x0000000002B80000-0x0000000002B81000-memory.dmpFilesize
4KB
-
memory/3456-4-0x0000000002B90000-0x0000000002BA6000-memory.dmpFilesize
88KB
-
memory/3588-232-0x000002AE203B0000-0x000002AE203D0000-memory.dmpFilesize
128KB
-
memory/3588-234-0x000002AE20AC0000-0x000002AE20AE0000-memory.dmpFilesize
128KB
-
memory/3588-230-0x000002AE20700000-0x000002AE20720000-memory.dmpFilesize
128KB
-
memory/3648-222-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/4756-258-0x000001478A010000-0x000001478A030000-memory.dmpFilesize
128KB
-
memory/4756-255-0x0000014789C00000-0x0000014789C20000-memory.dmpFilesize
128KB
-
memory/4756-253-0x0000014789C40000-0x0000014789C60000-memory.dmpFilesize
128KB
-
memory/4828-60-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-65-0x0000000005AD0000-0x0000000005ADA000-memory.dmpFilesize
40KB
-
memory/4828-105-0x00000000087B0000-0x0000000008CDC000-memory.dmpFilesize
5.2MB
-
memory/4828-104-0x00000000085E0000-0x00000000087A2000-memory.dmpFilesize
1.8MB
-
memory/4828-103-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-102-0x0000000007C90000-0x0000000007CE0000-memory.dmpFilesize
320KB
-
memory/4828-101-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-99-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-96-0x0000000074C80000-0x0000000075430000-memory.dmpFilesize
7.7MB
-
memory/4828-95-0x0000000000400000-0x0000000000B1F000-memory.dmpFilesize
7.1MB
-
memory/4828-94-0x00000000073B0000-0x0000000007416000-memory.dmpFilesize
408KB
-
memory/4828-93-0x0000000000C40000-0x0000000000D40000-memory.dmpFilesize
1024KB
-
memory/4828-92-0x0000000007260000-0x00000000072AC000-memory.dmpFilesize
304KB
-
memory/4828-91-0x0000000007200000-0x000000000723C000-memory.dmpFilesize
240KB
-
memory/4828-88-0x00000000071E0000-0x00000000071F2000-memory.dmpFilesize
72KB
-
memory/4828-87-0x00000000070A0000-0x00000000071AA000-memory.dmpFilesize
1.0MB
-
memory/4828-86-0x0000000006A00000-0x0000000007018000-memory.dmpFilesize
6.1MB
-
memory/4828-83-0x00000000069E0000-0x00000000069FE000-memory.dmpFilesize
120KB
-
memory/4828-82-0x0000000006010000-0x0000000006086000-memory.dmpFilesize
472KB
-
memory/4828-109-0x0000000074C80000-0x0000000075430000-memory.dmpFilesize
7.7MB
-
memory/4828-64-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-63-0x0000000005880000-0x0000000005912000-memory.dmpFilesize
584KB
-
memory/4828-62-0x0000000005250000-0x00000000052A6000-memory.dmpFilesize
344KB
-
memory/4828-61-0x00000000052C0000-0x0000000005864000-memory.dmpFilesize
5.6MB
-
memory/4828-54-0x0000000000C40000-0x0000000000D40000-memory.dmpFilesize
1024KB
-
memory/4828-59-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/4828-58-0x0000000074C80000-0x0000000075430000-memory.dmpFilesize
7.7MB
-
memory/4828-57-0x00000000051F0000-0x0000000005248000-memory.dmpFilesize
352KB
-
memory/4828-56-0x0000000000400000-0x0000000000B1F000-memory.dmpFilesize
7.1MB
-
memory/4828-55-0x0000000000BB0000-0x0000000000C0F000-memory.dmpFilesize
380KB
-
memory/4888-37-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4888-27-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4888-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4888-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4888-23-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4960-190-0x00000000046B0000-0x00000000046B1000-memory.dmpFilesize
4KB
-
memory/5020-245-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB