Analysis
-
max time kernel
119s -
max time network
160s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
29-03-2024 13:27
General
-
Target
5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe
-
Size
202KB
-
MD5
5d9fa611fd20f2179188d8477e4056cf
-
SHA1
b514733a078730f8b74542660cf410f45d439abe
-
SHA256
5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271
-
SHA512
93a267894241f95340b49f0d90cc3887c28ca56b1261d94f169ef0786769f09645584506e87e892ecd4e6a74c0cfb9898e73005f1c3d599150972549efc4d5c7
-
SSDEEP
3072:e7Y10Ql/4AfcISSzUlDfNQM6yWTD+Q3bz8QRsqUEWy7qxJ:e73Ql/4AfcIfIFI/+Q3bzLRs9EWy7
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 11 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe"C:\Users\Admin\AppData\Local\Temp\5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FA1F.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\174D.exeC:\Users\Admin\AppData\Local\Temp\174D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\174D.exeC:\Users\Admin\AppData\Local\Temp\174D.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\2bcf287d-06fd-49ca-b6e8-641bf737104c" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\174D.exe"C:\Users\Admin\AppData\Local\Temp\174D.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\174D.exe"C:\Users\Admin\AppData\Local\Temp\174D.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 6005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4392 -ip 43921⤵
-
C:\Users\Admin\AppData\Local\Temp\7378.exeC:\Users\Admin\AppData\Local\Temp\7378.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\999E.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\B45.exeC:\Users\Admin\AppData\Local\Temp\B45.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\344A.exeC:\Users\Admin\AppData\Local\Temp\344A.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\344A.exe"C:\Users\Admin\AppData\Local\Temp\344A.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Users\Admin\AppData\Roaming\rvweiudC:\Users\Admin\AppData\Roaming\rvweiud1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Modify Registry
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
312B
MD52260acab17518791f1c4caeca6d87bed
SHA1ba38cbbb69b750eda456c649004cd01af863c70b
SHA25689571247f878b30bdcd3db918f0ec2c42865fdde231b885087719c5ba470207c
SHA51267b94c8cd296fa7a735a8c359a35dbbe79d03e5314ec74ab21d7562ef6e58dd13cdee48e872516a98414b29473b29602df74d2ed762b67850f3c175b42429617
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
404B
MD5df47bcb6c9be8b7969022a61993aeb2f
SHA14a579e9207fb0039d137482a701dab9c7bb42026
SHA2562139579a5685290c9b889f0b4f767de36a1623fd2059d8830ca8031d5f8aceec
SHA5123e085cd0161cabafd855e1bb1526a99d2527efa0ce0811b3e789198a3eec438cf5f130ecbcffa29f89222abcdf230ee1bbfded43deb7a51429c9817ad138bfdf
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\33P75E8Z\www.bing[1].xmlFilesize
2KB
MD57e8c22741d8657c0fb2f7dc4cc5283e3
SHA1ab2c99ca892c55ec2530af0030090a4fde19b652
SHA25649ef4d145276187bb1991d46338c92fc476972836144b7583dc1918531743ca7
SHA5120ff91d2e864f9c6f01370aba479a1d2439b734d4414682347b1070612215f815fa65e1ada069fe55096f7d94773da1d3f0dca7a8c8999e1d9dc9af182a570f21
-
C:\Users\Admin\AppData\Local\Temp\174D.exeFilesize
731KB
MD54c04c7a489c9fc0f1e203e4081281829
SHA1bcd47803880138144d85cd4a03104bc6772d4636
SHA256877b1b32011af27f3faa864f07493b52cf6cb97e25c4708ded1f0aac5ceaabeb
SHA51274a9500a6f29cf14d8c576ce2d70a2edc56da0b92ab173268ae4e87d22bdd63f4e77ea9d6f4a7001b3f9ce75fd540b4e5807573c2eef2c44bf4bb1a532754187
-
C:\Users\Admin\AppData\Local\Temp\344A.exeFilesize
4.1MB
MD5fd2e46e46113302b7e6a95883acf8218
SHA1b85bb53f3e60c71249cead3350c9c84bf110c679
SHA256fa070544707c0c44dc9f221537cd273f8f9e4410df49436f98b12ecb31ee9e5b
SHA512a8d3595a89a1109fd1e38fbecd2bd058731c89002e17f45d87fa0c73937721ad64be561e0a17fdde67d844f0f3511620b8f97919fa1f21d57a8c4849a69f85bf
-
C:\Users\Admin\AppData\Local\Temp\7378.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\B45.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\FA1F.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2tstoqgl.c2m.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\rvweiudFilesize
202KB
MD55d9fa611fd20f2179188d8477e4056cf
SHA1b514733a078730f8b74542660cf410f45d439abe
SHA2565b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271
SHA51293a267894241f95340b49f0d90cc3887c28ca56b1261d94f169ef0786769f09645584506e87e892ecd4e6a74c0cfb9898e73005f1c3d599150972549efc4d5c7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f7b436c517745b83617235edf95d318e
SHA18b9ab5e3859afa959804bca8732a46f9353159a9
SHA25637d3a4ac72bab71813f87b9aa88d69c2a6180cbcacad30e507e7ddd30dee6af7
SHA5125cb00c00ada20f1221169ac6d34af03e8da0cdd364405e0e4e1ab0312475b96789edb8f26b59584f81868cf9f23d9a579f4d78eaef20a5b3a864b26d759d35a9
-
memory/1528-41-0x0000000002340000-0x00000000023E1000-memory.dmpFilesize
644KB
-
memory/1848-197-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/2548-261-0x000001D31E390000-0x000001D31E3B0000-memory.dmpFilesize
128KB
-
memory/2548-275-0x000001D32E760000-0x000001D32E860000-memory.dmpFilesize
1024KB
-
memory/2864-96-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-105-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-62-0x0000000003660000-0x0000000003661000-memory.dmpFilesize
4KB
-
memory/2864-59-0x0000000000D80000-0x0000000000D81000-memory.dmpFilesize
4KB
-
memory/2864-63-0x0000000003670000-0x0000000003671000-memory.dmpFilesize
4KB
-
memory/2864-64-0x0000000003680000-0x0000000003681000-memory.dmpFilesize
4KB
-
memory/2864-65-0x0000000003690000-0x0000000003691000-memory.dmpFilesize
4KB
-
memory/2864-67-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-68-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-70-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-69-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-72-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-71-0x00000000036A0000-0x00000000036E0000-memory.dmpFilesize
256KB
-
memory/2864-73-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-74-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-75-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-76-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-77-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-78-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-79-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-80-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-81-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-83-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-82-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-84-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-85-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-86-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-87-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-88-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-89-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-90-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-91-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-92-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-94-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-93-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-95-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-60-0x0000000003630000-0x0000000003631000-memory.dmpFilesize
4KB
-
memory/2864-97-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-98-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-100-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-101-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-99-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-102-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-103-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-104-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-61-0x0000000000E90000-0x0000000001B75000-memory.dmpFilesize
12.9MB
-
memory/2864-106-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-108-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-109-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-107-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-111-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-110-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-112-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-113-0x00000000042D0000-0x00000000043D0000-memory.dmpFilesize
1024KB
-
memory/2864-114-0x00000000043D0000-0x00000000043D1000-memory.dmpFilesize
4KB
-
memory/2864-119-0x0000000000E90000-0x0000000001B75000-memory.dmpFilesize
12.9MB
-
memory/2864-54-0x0000000000E90000-0x0000000001B75000-memory.dmpFilesize
12.9MB
-
memory/3012-191-0x000000000B580000-0x000000000B596000-memory.dmpFilesize
88KB
-
memory/3308-163-0x0000000002910000-0x0000000002911000-memory.dmpFilesize
4KB
-
memory/3308-4-0x00000000028F0000-0x0000000002906000-memory.dmpFilesize
88KB
-
memory/3500-141-0x0000000005990000-0x0000000005FBA000-memory.dmpFilesize
6.2MB
-
memory/3500-138-0x0000000002FC0000-0x0000000002FF6000-memory.dmpFilesize
216KB
-
memory/3500-139-0x00000000747F0000-0x0000000074FA1000-memory.dmpFilesize
7.7MB
-
memory/3500-140-0x0000000003000000-0x0000000003010000-memory.dmpFilesize
64KB
-
memory/3836-342-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3980-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3980-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3980-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3980-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3980-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4364-21-0x00000000023D0000-0x00000000024EB000-memory.dmpFilesize
1.1MB
-
memory/4364-20-0x0000000002210000-0x00000000022AE000-memory.dmpFilesize
632KB
-
memory/4392-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4392-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4392-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4724-166-0x00007FF6C7C80000-0x00007FF6C9BCC000-memory.dmpFilesize
31.3MB
-
memory/4724-132-0x00007FF6C7C80000-0x00007FF6C9BCC000-memory.dmpFilesize
31.3MB
-
memory/4724-171-0x00007FF6C7C80000-0x00007FF6C9BCC000-memory.dmpFilesize
31.3MB
-
memory/4780-266-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4780-167-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4780-135-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4780-134-0x0000000002F50000-0x000000000383B000-memory.dmpFilesize
8.9MB
-
memory/4780-133-0x0000000002B50000-0x0000000002F4A000-memory.dmpFilesize
4.0MB
-
memory/4912-5-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4912-3-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4912-2-0x0000000002380000-0x000000000238B000-memory.dmpFilesize
44KB
-
memory/4912-1-0x00000000005E0000-0x00000000006E0000-memory.dmpFilesize
1024KB
-
memory/4984-173-0x0000000000680000-0x00000000006CB000-memory.dmpFilesize
300KB
-
memory/4984-169-0x0000000000680000-0x00000000006CB000-memory.dmpFilesize
300KB