Analysis
-
max time kernel
169s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-03-2024 06:03
General
-
Target
9d97003b3cf93667337333bbff9df95a9d0390306694daa03f9183a26b619c6b.exe
-
Size
1.8MB
-
MD5
7a1d3e9f848157b5668d367a507fae97
-
SHA1
7f900bc80aed66254d9256dbd96bc96b90f18444
-
SHA256
9d97003b3cf93667337333bbff9df95a9d0390306694daa03f9183a26b619c6b
-
SHA512
027408116387095c68e916e0632ce87d8eeaf25ca8c5fff1cf6f80a269e7cbc42e05b991c4e43598efa5d28c7bbb0f17372f4cf0b06203da78c7ebf1997253ca
-
SSDEEP
49152:JMI8PoxBbThF46XVxLw3/CVQqn/8rJGEypxH2PLN:SPPg5XPL2yQq/8wEgIPLN
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d97003b3cf93667337333bbff9df95a9d0390306694daa03f9183a26b619c6b.exe"C:\Users\Admin\AppData\Local\Temp\9d97003b3cf93667337333bbff9df95a9d0390306694daa03f9183a26b619c6b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E0F0.exeC:\Users\Admin\AppData\Local\Temp\E0F0.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD528ab7dcce3d62b5c8ccd681d9968b672
SHA1005ccbc3246ff88960a97f557a4067c3aad400e4
SHA256d473a8ce9b47fedbf7413bc6aac2ec10e90512d9441b80d89a778697e29d79ca
SHA5129b0ba427a787c812308ed18b825e23e67185f70de6ff68707a44ea30a1b3847a9d2392c0ac832a9d987c41016253ddb754710cbc0b9ea335f31510272ea99817
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD57a1d3e9f848157b5668d367a507fae97
SHA17f900bc80aed66254d9256dbd96bc96b90f18444
SHA2569d97003b3cf93667337333bbff9df95a9d0390306694daa03f9183a26b619c6b
SHA512027408116387095c68e916e0632ce87d8eeaf25ca8c5fff1cf6f80a269e7cbc42e05b991c4e43598efa5d28c7bbb0f17372f4cf0b06203da78c7ebf1997253ca
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exeFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exeFilesize
315KB
MD55fe67781ffe47ec36f91991abf707432
SHA1137e6d50387a837bf929b0da70ab6b1512e95466
SHA256a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9
SHA5120e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exeFilesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka111.exeFilesize
1KB
MD55343c1a8b203c162a3bf3870d9f50fd4
SHA104b5b886c20d88b57eea6d8ff882624a4ac1e51d
SHA256dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f
SHA512e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\E0F0.exeFilesize
960KB
MD5401d4de4d2dcdbcb90b74750d55db7b5
SHA16bc3426f685c989241e6adc3b764e73016545a1f
SHA256ecd387bd32829c5ef0931469bc0690372a5b1caa26e359be47ecf667c2325b08
SHA512288ca6c6218c7180d57a3342f819225a9d060acc662bfa15ad189ca7efde2fad9ed14437bb4a2773526985975a68a6567a1a62ae766a485640db6cd0c30805c0
-
C:\Users\Admin\AppData\Local\Temp\E0F0.exeFilesize
128KB
MD50852ae9b298049532f3f790ee56ae523
SHA1288b601c5ee0ea0eb6f51d735d4df7c1a8b5d888
SHA2566b411259c31124a911bffed1ca73c253f60fc2fb457b82e7ad59861f694ed2e4
SHA5129a900dee056479735f3dc7375b083ac5a59defb8ccd49a5e4003c0a36f4d84365fe77459fcb71ed26bca74417307f100833060069a8c837c304e998050de5b07
-
C:\Users\Admin\AppData\Local\Temp\Tmp1AA2.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ilfx0cw.mk5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
42KB
MD5f7feb2f63ee244b6f0e76170e88d6b22
SHA19c285531077e10dc642c397157eedf78b9ceb5b6
SHA2568c01134396bf2a7d43a725d015c05003f0848ca57c47ea23348f3de3e99319cf
SHA5126f776914200eb5897f022554f940e06139db9a488a90c5e244c28d0f4e1282e6afe1d07c21a4e1889db73dc9a6d203da3de393bfd6d6a8afeb63ad3c9bf13ae9
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
memory/212-76-0x0000000005380000-0x000000000538A000-memory.dmpFilesize
40KB
-
memory/212-79-0x0000000008120000-0x000000000822A000-memory.dmpFilesize
1.0MB
-
memory/212-85-0x00000000082F0000-0x0000000008356000-memory.dmpFilesize
408KB
-
memory/212-159-0x00000000052C0000-0x00000000052D0000-memory.dmpFilesize
64KB
-
memory/212-96-0x0000000008770000-0x0000000008932000-memory.dmpFilesize
1.8MB
-
memory/212-82-0x0000000008230000-0x000000000827C000-memory.dmpFilesize
304KB
-
memory/212-81-0x0000000008090000-0x00000000080CC000-memory.dmpFilesize
240KB
-
memory/212-68-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/212-80-0x0000000008030000-0x0000000008042000-memory.dmpFilesize
72KB
-
memory/212-100-0x0000000008E70000-0x000000000939C000-memory.dmpFilesize
5.2MB
-
memory/212-74-0x00000000057F0000-0x0000000005D94000-memory.dmpFilesize
5.6MB
-
memory/212-73-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/212-75-0x00000000052E0000-0x0000000005372000-memory.dmpFilesize
584KB
-
memory/212-148-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/212-77-0x00000000052C0000-0x00000000052D0000-memory.dmpFilesize
64KB
-
memory/212-78-0x0000000006790000-0x0000000006DA8000-memory.dmpFilesize
6.1MB
-
memory/436-72-0x0000000002AD0000-0x0000000004AD0000-memory.dmpFilesize
32.0MB
-
memory/436-71-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/436-65-0x0000000005050000-0x0000000005060000-memory.dmpFilesize
64KB
-
memory/436-64-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/436-63-0x0000000000620000-0x000000000069A000-memory.dmpFilesize
488KB
-
memory/436-143-0x0000000002AD0000-0x0000000004AD0000-memory.dmpFilesize
32.0MB
-
memory/924-213-0x0000000005120000-0x0000000005130000-memory.dmpFilesize
64KB
-
memory/924-191-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/924-235-0x0000000005D70000-0x0000000005DE6000-memory.dmpFilesize
472KB
-
memory/924-201-0x0000000000830000-0x0000000000882000-memory.dmpFilesize
328KB
-
memory/1036-7-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB
-
memory/1036-6-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/1036-1-0x0000000077E44000-0x0000000077E46000-memory.dmpFilesize
8KB
-
memory/1036-4-0x0000000004D80000-0x0000000004D81000-memory.dmpFilesize
4KB
-
memory/1036-15-0x0000000000BC0000-0x000000000107A000-memory.dmpFilesize
4.7MB
-
memory/1036-0-0x0000000000BC0000-0x000000000107A000-memory.dmpFilesize
4.7MB
-
memory/1036-9-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/1036-10-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/1036-8-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/1036-2-0x0000000000BC0000-0x000000000107A000-memory.dmpFilesize
4.7MB
-
memory/1036-3-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/1036-5-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/1592-358-0x00000000005E0000-0x0000000000977000-memory.dmpFilesize
3.6MB
-
memory/2140-113-0x0000022B78D40000-0x0000022B78D50000-memory.dmpFilesize
64KB
-
memory/2140-122-0x00007FFD53700000-0x00007FFD541C1000-memory.dmpFilesize
10.8MB
-
memory/2140-116-0x0000022B78E20000-0x0000022B78E2A000-memory.dmpFilesize
40KB
-
memory/2140-115-0x0000022B792A0000-0x0000022B792B2000-memory.dmpFilesize
72KB
-
memory/2140-114-0x0000022B78D40000-0x0000022B78D50000-memory.dmpFilesize
64KB
-
memory/2140-112-0x00007FFD53700000-0x00007FFD541C1000-memory.dmpFilesize
10.8MB
-
memory/2140-107-0x0000022B78DA0000-0x0000022B78DC2000-memory.dmpFilesize
136KB
-
memory/2264-294-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-210-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-22-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/2264-21-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/2264-26-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/2264-27-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/2264-18-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-19-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-367-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-83-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-25-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/2264-302-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-337-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-24-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/2264-84-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-317-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-23-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/2264-20-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/2264-314-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-86-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2264-101-0x0000000000F70000-0x000000000142A000-memory.dmpFilesize
4.7MB
-
memory/2696-244-0x0000000000400000-0x0000000002D4D000-memory.dmpFilesize
41.3MB
-
memory/2696-232-0x0000000002E60000-0x0000000002E6B000-memory.dmpFilesize
44KB
-
memory/3516-243-0x0000000000EE0000-0x0000000000EF6000-memory.dmpFilesize
88KB
-
memory/3964-144-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/3964-145-0x0000000002390000-0x00000000023A0000-memory.dmpFilesize
64KB
-
memory/3964-142-0x0000000000060000-0x000000000021C000-memory.dmpFilesize
1.7MB
-
memory/3964-157-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/3964-158-0x0000000002520000-0x0000000004520000-memory.dmpFilesize
32.0MB
-
memory/4772-149-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4772-160-0x0000000073A50000-0x0000000074200000-memory.dmpFilesize
7.7MB
-
memory/5020-220-0x00007FFD53EB0000-0x00007FFD54971000-memory.dmpFilesize
10.8MB
-
memory/5020-216-0x00000000003B0000-0x000000000043C000-memory.dmpFilesize
560KB