Analysis
-
max time kernel
156s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 16:20
General
-
Target
d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe
-
Size
276KB
-
MD5
a8f58a9434757e7b2ff022e0e1e670f5
-
SHA1
0aa5202dc6345aeba38d4305b3a0716d6d95e851
-
SHA256
d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5
-
SHA512
3dd1ceb3d92c0ab0ce9d18003835c0d8440dabf7465a6fd2a78dad30fb445880ab844e736e8158e41b48699354229bad54774f502db747196d49532d5cf02520
-
SSDEEP
3072:l8GSu2dLtaC+JwZXhrXnEgFC/KOe+hIY788jerENkVTvGBlMTOa:l8PREC11ntFMKd+hIg8QeEkVTGBCT
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 2 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe"C:\Users\Admin\AppData\Local\Temp\d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCA0.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\382.exeC:\Users\Admin\AppData\Local\Temp\382.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\382.exeC:\Users\Admin\AppData\Local\Temp\382.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f236a5d3-f698-4ded-9d4d-a03465859a3e" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\382.exe"C:\Users\Admin\AppData\Local\Temp\382.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\382.exe"C:\Users\Admin\AppData\Local\Temp\382.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2848 -ip 28481⤵
-
C:\Users\Admin\AppData\Local\Temp\5D7A.exeC:\Users\Admin\AppData\Local\Temp\5D7A.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6441.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:31⤵
-
C:\Users\Admin\AppData\Local\Temp\8576.exeC:\Users\Admin\AppData\Local\Temp\8576.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
-
C:\Users\Admin\AppData\Local\Temp\8576.exe"C:\Users\Admin\AppData\Local\Temp\8576.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5e3867bef67fcf7dbfe17175bf80eae6a
SHA112ec18ecca5412c9ca0c4fc623cfa3d7bc06675e
SHA256f2b3e3f378066841b8f81239e6bf953326f495613e40a7c9ef65d8fe14ca6743
SHA512ec63bde56c6fd48bbde6da8db5142fc119b45298c1aeb78cf5bd60e5596d66be9237cf2279d918ba27773b20bc271b9d064a819bbccc5274f1e2c43a8557cce3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TV3VV50F\microsoft.windows[1].xmlFilesize
97B
MD55b984c298841d3dc3a3a0f8a819790bc
SHA127ec8f9f31d80734493d88e29e639b7562276867
SHA256c9bc2d8c025943515a1412a4cb84dd9c184b73031125619bf2cd2d2d2efc2d66
SHA512884209f3ea5207c6ad508975e139b2a16a6b861152c6861a3c1f1459973c896387e92407230ee1c90a6d4a9a49c52aa18d9d292b281a5b906f219280b7f15a93
-
C:\Users\Admin\AppData\Local\Temp\382.exeFilesize
812KB
MD5e1c4f10677adcc136df799b235dbe4d8
SHA10b2df4e7438a4e1e0b3f50057b2d2ae21a71c258
SHA25642e0af781ac22fab976241ffc0475f76c514c90a60fd095533e867dd1c7d3e34
SHA51247c6e408ebfd4bc2906b8289392c9f79a696c08c6429523f4b48b0b0756c69ae9a7542b2ea996c13aa7200376a5ddd3947b752cfc697218e70ff690921a6f48c
-
C:\Users\Admin\AppData\Local\Temp\5D7A.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\8576.exeFilesize
4.2MB
MD5736e63b1bc1ebcc7fd7d9e323933262f
SHA1c7eb7a7a3ea02141e00b3d3e1d6746bc516eafcb
SHA2562ff74f83996a6969aea1565692678ed04ff3204b8c6a448905116236cea9f80a
SHA5127fd7c71daed24ca4159fe8a78d327871aa8be05d411d2f94508c66c9d3a9e79f577014e920cdd9c0e1122f95e604d7640084d5f1e29a2599ac7180e7c4c2dd20
-
C:\Users\Admin\AppData\Local\Temp\FCA0.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ywys2b4.uh0.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/368-96-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-65-0x0000000001620000-0x0000000001621000-memory.dmpFilesize
4KB
-
memory/368-116-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-119-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-123-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-126-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-129-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-130-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-128-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-52-0x0000000000270000-0x0000000000F55000-memory.dmpFilesize
12.9MB
-
memory/368-60-0x00000000015C0000-0x00000000015C1000-memory.dmpFilesize
4KB
-
memory/368-61-0x00000000015D0000-0x00000000015D1000-memory.dmpFilesize
4KB
-
memory/368-62-0x0000000000270000-0x0000000000F55000-memory.dmpFilesize
12.9MB
-
memory/368-63-0x0000000001600000-0x0000000001601000-memory.dmpFilesize
4KB
-
memory/368-64-0x0000000001610000-0x0000000001611000-memory.dmpFilesize
4KB
-
memory/368-101-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-66-0x0000000002FD0000-0x0000000002FD1000-memory.dmpFilesize
4KB
-
memory/368-67-0x0000000000270000-0x0000000000F55000-memory.dmpFilesize
12.9MB
-
memory/368-68-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-70-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-71-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-103-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-73-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-74-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-75-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-76-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-77-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-79-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-78-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-80-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-81-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-102-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-88-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-90-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-89-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-91-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-92-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-93-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-94-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-95-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-127-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-97-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-98-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-99-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-125-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-72-0x0000000002FE0000-0x0000000003012000-memory.dmpFilesize
200KB
-
memory/368-124-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-100-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-104-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-106-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-107-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-108-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-109-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-105-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-111-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-112-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-113-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-114-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-115-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-110-0x0000000003C50000-0x0000000003D50000-memory.dmpFilesize
1024KB
-
memory/368-117-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-118-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-120-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-121-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/368-122-0x0000000003D50000-0x0000000003F50000-memory.dmpFilesize
2.0MB
-
memory/428-345-0x0000025DC0AA0000-0x0000025DC0AC0000-memory.dmpFilesize
128KB
-
memory/428-343-0x0000025DC0480000-0x0000025DC04A0000-memory.dmpFilesize
128KB
-
memory/428-341-0x0000025DC04C0000-0x0000025DC04E0000-memory.dmpFilesize
128KB
-
memory/1360-277-0x000001B5EC2D0000-0x000001B5EC2F0000-memory.dmpFilesize
128KB
-
memory/1360-282-0x000001B5EC8A0000-0x000001B5EC8C0000-memory.dmpFilesize
128KB
-
memory/1360-280-0x000001B5EC290000-0x000001B5EC2B0000-memory.dmpFilesize
128KB
-
memory/2056-333-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/2404-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2404-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2404-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2404-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2404-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2448-241-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2448-296-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2848-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2848-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2848-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3480-4-0x00000000032A0000-0x00000000032B6000-memory.dmpFilesize
88KB
-
memory/3480-209-0x0000000001220000-0x0000000001221000-memory.dmpFilesize
4KB
-
memory/3880-268-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/4036-2-0x0000000002EF0000-0x0000000002EFB000-memory.dmpFilesize
44KB
-
memory/4036-7-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/4036-1-0x0000000002F70000-0x0000000003070000-memory.dmpFilesize
1024KB
-
memory/4036-3-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/4228-20-0x0000000004A60000-0x0000000004AFF000-memory.dmpFilesize
636KB
-
memory/4228-21-0x0000000004B10000-0x0000000004C2B000-memory.dmpFilesize
1.1MB
-
memory/4632-39-0x00000000048B0000-0x000000000494E000-memory.dmpFilesize
632KB