Analysis
-
max time kernel
99s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 16:50
General
-
Target
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
-
Size
277KB
-
MD5
0a4050b41baf35977e32749d092364dc
-
SHA1
e86798879b46d78b80442390e3bf16576597bbd0
-
SHA256
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a
-
SHA512
baf663684dcdce2e39c18ebe22bbfb6c649200ab2a72269b5fba6d263c2eba5bafa12455d5bc569810f538e2f8b9bd05185536509897255da49dfefcdea8c4a9
-
SSDEEP
3072:MOGWS6M7qGfIDp+pwZXhmnuJqkQt5LxxCNGZyAEr2vnV1cywTBlMTKa:MOYeKEpdrhQhfkXqvnHUBCT
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 7 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe"C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D47.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\2B13.exeC:\Users\Admin\AppData\Local\Temp\2B13.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2B13.exeC:\Users\Admin\AppData\Local\Temp\2B13.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b5a10631-4eed-440f-bd52-fa0ddc93e3f2" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\2B13.exe"C:\Users\Admin\AppData\Local\Temp\2B13.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2B13.exe"C:\Users\Admin\AppData\Local\Temp\2B13.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 19561⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\5FC1.exeC:\Users\Admin\AppData\Local\Temp\5FC1.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6281.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:31⤵
-
C:\Users\Admin\AppData\Local\Temp\9BB2.exeC:\Users\Admin\AppData\Local\Temp\9BB2.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9BB2.exe"C:\Users\Admin\AppData\Local\Temp\9BB2.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Modify Registry
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD59b812f9d1490dcc962bdf27bf50f8aa6
SHA147935ff37701b0732453258bef965ce23b47017a
SHA256074e2c64212408627c55ef385d62e479b67dea01e053d972d938ab723021df19
SHA5124deecd0acd7075baf62aa73b0ebe4dc136ee443c45aad136232e6a1c5a28c452a1439eca01761c9ee0cc8a2c42ff427fdffbecf0d6dadc1510eac4061b3de73a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD51b36056f3436e28f65018f569a67d3ac
SHA1345a1e0d0b7c0fd5464c9efd3b79b66839a634ff
SHA2569ae93181c843acd86e0ee1cf0d7183c725a66bd8a975117a6e6e0e78cf39af38
SHA5127b2b4266054a4b8e23a70e6d28e58ba8a8f018590dc145a8511b19e425aa0f4a58f892b262cf84095a8e1b3088678fac463e1c03e38df6d5aa54011b2482ab2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Temp\1D47.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\2B13.exeFilesize
775KB
MD50bce94914b6f342ca9d88f651a8f0288
SHA105c05ed36c5b04aa64eaf420d9e418f85dd8fd8a
SHA2567ced079f6b9a845d2d0cc88a14bc09cab9221b9d56fa99932271942fd42c8ce0
SHA51277c9c96a61027b60b398f6a57db6423624624673327b5da3d19c5d0dd956ee2b32befcf65e8dc5d4aa5086e52c3997c18e9cda143e6cfacb3b7f43fdc871cd10
-
C:\Users\Admin\AppData\Local\Temp\5FC1.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\9BB2.exeFilesize
4.2MB
MD5476514eddb25ed48777bf4238279afe9
SHA1c53659834d9cc0534f0b5940904a807e51f4810c
SHA256ea3d885839531350640a55d4360f139c749dd24a8f0858b0af8e46faf2fdab58
SHA51220756843bcf0d95bcf79e06abef3c83016a7bcf38e36e90f227029616c9a8579f64035edce3bd38014cdf7c7bdd369b248d74d18d271e06768958e5d05878bf9
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ddcmrpx.3cr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5445696b7d012aa0ed7c02edb958cbb65
SHA11dfb54228a2e529daa7f71296e33c0c937e01d94
SHA256c636f056a8d37f8b337ba5fccd3473ace755b7690100289627854664fcd32167
SHA51211ec1b7e983f58df2894e39076f5c598bbeacca884903fac0b910294d6c0d4e77edbeeb03e997b821856bc881ba787f6cc860044421682c0e4e4bfa66850f6e5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58e818ab7f4770be88a9efd01d89e62df
SHA10fe729dae2f77ad54a5927253fafdd5b8efa12da
SHA256001794bd53155cfd21d2a4146a6d36b1e1a09987f29429c85eae08fc26bc7aab
SHA51249662b203cbdc459dd12acac1ebe1d61705545be4260b1bb53c13edfcb66db55418833fc594b9525ef8b6561592d8d413080c1024491ecf5e9caf8b1dfd98256
-
memory/1692-23-0x0000000004AF0000-0x0000000004C0B000-memory.dmpFilesize
1.1MB
-
memory/1692-22-0x0000000004A50000-0x0000000004AE6000-memory.dmpFilesize
600KB
-
memory/1956-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1956-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1956-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2084-210-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2084-155-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2084-223-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2096-41-0x0000000002F70000-0x0000000003011000-memory.dmpFilesize
644KB
-
memory/2528-7-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/2528-9-0x0000000004A90000-0x0000000004A9B000-memory.dmpFilesize
44KB
-
memory/2528-4-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/2528-3-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/2528-2-0x0000000004A90000-0x0000000004A9B000-memory.dmpFilesize
44KB
-
memory/2528-1-0x0000000002ED0000-0x0000000002FD0000-memory.dmpFilesize
1024KB
-
memory/2616-241-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2616-272-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2616-303-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/2616-342-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/3356-5-0x0000000003280000-0x0000000003296000-memory.dmpFilesize
88KB
-
memory/3356-180-0x0000000001080000-0x0000000001081000-memory.dmpFilesize
4KB
-
memory/3368-269-0x000001F911A40000-0x000001F911A60000-memory.dmpFilesize
128KB
-
memory/3748-88-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-114-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-80-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-78-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-79-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-81-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-83-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-82-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-84-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-86-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-85-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-87-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-91-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-92-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-90-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-93-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-89-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-76-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-101-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-103-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-102-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-100-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-99-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-98-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-97-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-96-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-95-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-109-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-113-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-115-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-111-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-116-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-117-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-118-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-119-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-77-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-112-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-110-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-121-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-122-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-120-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-108-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-107-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-123-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-125-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-75-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-124-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-106-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-105-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-104-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-94-0x0000000003010000-0x0000000003050000-memory.dmpFilesize
256KB
-
memory/3748-74-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/3748-73-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/3748-72-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/3748-71-0x0000000000B20000-0x0000000001805000-memory.dmpFilesize
12.9MB
-
memory/3748-70-0x0000000000B20000-0x0000000001805000-memory.dmpFilesize
12.9MB
-
memory/3748-69-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/3748-68-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/3748-67-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3748-65-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/3748-66-0x0000000000B20000-0x0000000001805000-memory.dmpFilesize
12.9MB
-
memory/3748-58-0x0000000000B20000-0x0000000001805000-memory.dmpFilesize
12.9MB
-
memory/3748-64-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/3748-63-0x0000000000620000-0x0000000000621000-memory.dmpFilesize
4KB
-
memory/4468-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4468-28-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4468-27-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4468-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4468-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4600-259-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB