Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-03-2024 20:12
General
-
Target
ea04271a88d3b5cc08e2d4aed3a720aaea145a0fbf0f35e47147afc0be11e543.exe
-
Size
1.8MB
-
MD5
d6b8a17e366c5f9b67fecbc046b32977
-
SHA1
bcd1b5acb583e8bca47730870dded7c825963032
-
SHA256
ea04271a88d3b5cc08e2d4aed3a720aaea145a0fbf0f35e47147afc0be11e543
-
SHA512
1ce66f4657265f739a03aa6805024f3653788f76cae4045ffc29e79a538119d2a45472a55f6215942059d8b5540d49b2267bcdc69ae192066a4924759175ea0b
-
SSDEEP
24576:Xgeb2cBh4TjmtriNMLjtXl62IYSrYqiOCxi1jBlWfhDachn8L+10tqmYku6DrIiC:QeJWUrXqAlMbWfhDZumrmy0Uq4
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea04271a88d3b5cc08e2d4aed3a720aaea145a0fbf0f35e47147afc0be11e543.exe"C:\Users\Admin\AppData\Local\Temp\ea04271a88d3b5cc08e2d4aed3a720aaea145a0fbf0f35e47147afc0be11e543.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Defense Evasion
Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Modify Registry
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
448KB
MD56be9fde94dd5c2eed1a593294ebe42ed
SHA127b874d7562e3501763ec9021b5b770db36fcc4d
SHA25657bb6ebdbeb2b2ec1878c8f6902a3b51d07b718fd7be22b69c0542c559582453
SHA5124689f95b31ad310d322eaf0bb1710568964448f6c069668abf26265065d02e16169ebbef2c6e1c8b070a56ba8629682f9741c734e513daf3f1c7d71252e6717f
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
260KB
MD5561eb9df122e8a2d834b1f4c43a3c681
SHA12d434a908e36b8f59461810b02190d0643c0f55f
SHA256c9b14a3ab8c3ebe92d345a0a361304d57a7994ea49a60588e528d4022300208c
SHA512a0451393d5e40a36defc4f8cf2aa778f234bfafcb7b6dddedfee50c71100054dcfb2d8141621762afc5a84364dda345e4e58e54b9114a1dd3b35a1ed5724e35a
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exeFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exeFilesize
403KB
MD5a67b5cfe022913db809e4233e68253d1
SHA155434967b0c7ae16df33b4aa64ea88e6afcf5cb7
SHA256b2ee7b17fe43cfaf2357a3b60b452cb94b1d7de063e99c92fdf3c004a93251b0
SHA51274b7405610ff426f2e373c1e663f07a573060b3dca1d09a5cbd033d6c0eb873ceee863019f2777494bc32dc939f2d8550a2308e4b55434fa6b547e30b6bc2a01
-
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exeFilesize
447KB
MD5ad2d97a1b86e20b2750edc094b232d7f
SHA1c75fdae26448aa805d95b1c75d2f1e57da34f16e
SHA2569379dd516cdcf29d3b37036b499d3b399ca769866dc97a9a17bb3e5b6af61a09
SHA512a924b89416bd3d73953fba83ba4a716fd4674c95dd73a4eb10d7af5e73671756a598495b2c30cc36875545753e77a6c639caebd11c62d5cf5f07005ffe25ed9f
-
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exeFilesize
541KB
MD53b069f3dd741e4360f26cb27cb10320a
SHA16a9503aaf1e297f2696482ddf1bd4605a8710101
SHA256f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e
SHA512bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exeFilesize
315KB
MD55fe67781ffe47ec36f91991abf707432
SHA1137e6d50387a837bf929b0da70ab6b1512e95466
SHA256a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9
SHA5120e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68
-
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exeFilesize
350KB
MD504df085b57814d1a1accead4e153909e
SHA16d277da314ef185ba9072a9b677b599b1f46c35b
SHA25691a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd
SHA512f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exeFilesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exeFilesize
297KB
MD5cc1e287519f78a28dab6bde8e1093829
SHA19262753386caa4054aa845d918364e964e5505aa
SHA256dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2
SHA512527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka111.exeFilesize
1KB
MD55343c1a8b203c162a3bf3870d9f50fd4
SHA104b5b886c20d88b57eea6d8ff882624a4ac1e51d
SHA256dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f
SHA512e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\Tmp1BA1.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fca4bwvn.yep.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
memory/764-243-0x0000000000400000-0x0000000002D4D000-memory.dmpFilesize
41.3MB
-
memory/1112-80-0x0000000006600000-0x0000000006C18000-memory.dmpFilesize
6.1MB
-
memory/1112-79-0x00000000050A0000-0x00000000050AA000-memory.dmpFilesize
40KB
-
memory/1112-76-0x00000000054A0000-0x0000000005A44000-memory.dmpFilesize
5.6MB
-
memory/1112-84-0x0000000006590000-0x00000000065DC000-memory.dmpFilesize
304KB
-
memory/1112-83-0x0000000006540000-0x000000000657C000-memory.dmpFilesize
240KB
-
memory/1112-81-0x0000000007E80000-0x0000000007F8A000-memory.dmpFilesize
1.0MB
-
memory/1112-110-0x0000000006050000-0x00000000060B6000-memory.dmpFilesize
408KB
-
memory/1112-77-0x0000000004FE0000-0x0000000005072000-memory.dmpFilesize
584KB
-
memory/1112-82-0x00000000064E0000-0x00000000064F2000-memory.dmpFilesize
72KB
-
memory/1112-78-0x0000000005230000-0x0000000005240000-memory.dmpFilesize
64KB
-
memory/1112-62-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1112-121-0x0000000005230000-0x0000000005240000-memory.dmpFilesize
64KB
-
memory/1112-120-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/1112-67-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/1940-178-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3064-117-0x0000000020610000-0x0000000020B38000-memory.dmpFilesize
5.2MB
-
memory/3064-106-0x00007FFE09D60000-0x00007FFE0A821000-memory.dmpFilesize
10.8MB
-
memory/3064-124-0x000000001BAD0000-0x000000001BAE0000-memory.dmpFilesize
64KB
-
memory/3064-112-0x000000001D200000-0x000000001D212000-memory.dmpFilesize
72KB
-
memory/3064-113-0x000000001F1D0000-0x000000001F20C000-memory.dmpFilesize
240KB
-
memory/3064-107-0x000000001BAD0000-0x000000001BAE0000-memory.dmpFilesize
64KB
-
memory/3064-122-0x00007FFE09D60000-0x00007FFE0A821000-memory.dmpFilesize
10.8MB
-
memory/3064-104-0x0000000000BD0000-0x0000000000C5C000-memory.dmpFilesize
560KB
-
memory/3064-111-0x000000001F2A0000-0x000000001F3AA000-memory.dmpFilesize
1.0MB
-
memory/3064-116-0x000000001FF10000-0x00000000200D2000-memory.dmpFilesize
1.8MB
-
memory/3064-115-0x000000001D1D0000-0x000000001D1EE000-memory.dmpFilesize
120KB
-
memory/3064-114-0x000000001F7B0000-0x000000001F826000-memory.dmpFilesize
472KB
-
memory/3196-156-0x0000000002520000-0x0000000004520000-memory.dmpFilesize
32.0MB
-
memory/3196-155-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3196-145-0x00000000000B0000-0x000000000026C000-memory.dmpFilesize
1.7MB
-
memory/3196-147-0x0000000002500000-0x0000000002510000-memory.dmpFilesize
64KB
-
memory/3196-146-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3440-241-0x0000000002450000-0x0000000002466000-memory.dmpFilesize
88KB
-
memory/3516-118-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-109-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-108-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-105-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-19-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-20-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-21-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/3516-25-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/3516-266-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-382-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-24-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/3516-23-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/3516-123-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-238-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-125-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-404-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-394-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-27-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/3516-26-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/3516-210-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-29-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/3516-28-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/3516-397-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-22-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/3516-402-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3516-302-0x0000000000200000-0x00000000006C8000-memory.dmpFilesize
4.8MB
-
memory/3816-157-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3816-158-0x00000000051B0000-0x00000000051C0000-memory.dmpFilesize
64KB
-
memory/3816-150-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3828-58-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3828-57-0x00000000008F0000-0x000000000096A000-memory.dmpFilesize
488KB
-
memory/3828-59-0x0000000005290000-0x00000000052A0000-memory.dmpFilesize
64KB
-
memory/3828-65-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3828-66-0x0000000002C70000-0x0000000004C70000-memory.dmpFilesize
32.0MB
-
memory/3828-119-0x0000000002C70000-0x0000000004C70000-memory.dmpFilesize
32.0MB
-
memory/3868-10-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/3868-3-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/3868-6-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/3868-16-0x0000000000020000-0x00000000004E8000-memory.dmpFilesize
4.8MB
-
memory/3868-7-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/3868-8-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/3868-9-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/3868-0-0x0000000000020000-0x00000000004E8000-memory.dmpFilesize
4.8MB
-
memory/3868-2-0x0000000000020000-0x00000000004E8000-memory.dmpFilesize
4.8MB
-
memory/3868-5-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/3868-1-0x00000000771E4000-0x00000000771E6000-memory.dmpFilesize
8KB
-
memory/3868-4-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/3868-11-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/4372-275-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/4372-270-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB