Analysis
-
max time kernel
155s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 20:16
General
-
Target
d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe
-
Size
268KB
-
MD5
1295525e00ff284ccaadf0d5497896c8
-
SHA1
38d7ba3a9ef2a3f6a09190fcf9b2f28acadf83a7
-
SHA256
d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c
-
SHA512
0d67c92e14169a6d01f5bcca93745d26880972db2412f30bf00256d38dab95b40810270ed165b69bdaaa8937a4b5c905ec5e02eda3bb06e3185655ade54b9ea2
-
SSDEEP
3072:FJGWnqpfqN6+RwZXhqEGbudQ5yyUmWx0gXDf2Ps+9JSOBlVa:FJEBE6FtGbudQcyaxDLCdJ5B
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 5 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 22 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe"C:\Users\Admin\AppData\Local\Temp\d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA93.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\B86F.exeC:\Users\Admin\AppData\Local\Temp\B86F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B86F.exeC:\Users\Admin\AppData\Local\Temp\B86F.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\e75b2726-2d68-4fa8-8962-f4c834f4112e" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\B86F.exe"C:\Users\Admin\AppData\Local\Temp\B86F.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B86F.exe"C:\Users\Admin\AppData\Local\Temp\B86F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 5685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\EBB5.exeC:\Users\Admin\AppData\Local\Temp\EBB5.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F693.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\FAA.exeC:\Users\Admin\AppData\Local\Temp\FAA.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\FAA.exe"C:\Users\Admin\AppData\Local\Temp\FAA.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4056 -ip 40561⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD589355755a4acd26e58e07402f2268c50
SHA1150fea8e1cf714ab8203f8c41358974bd5f4de99
SHA25607e7046b52f52b67c4cf41812aa86b56a1ab160f86a8017f4571ffe3270d3da7
SHA512b710244f326b47cc8a2d4ea2fb9ff03acefd93e970083216dbcba9588057a8c4bcd6d2903deca7bbb0704c442a26c5a201128cf3632d9146a735b526ceb91bb1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133563899427314674.txtFilesize
74KB
MD580dffedad36ef4c303579f8c9be9dbd7
SHA1792ca2a83d616ca82d973ece361ed9e95c95a0d8
SHA256590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e
SHA512826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Q5ROSPP2\microsoft.windows[1].xmlFilesize
97B
MD5bdb8a591dda2dd9c96d20d4b44a5d041
SHA19e75f7deb9825c0cda7e25f66f0221f5c74c8d72
SHA2567fcf82e6510873bad2d4687d21bc368fdc7e8576a8d54fc94284e1dbedda172f
SHA51279166507556413e667d3bc7d5f24f1d87aed86d7b03e04b5591343cf307468b7b0446adfdf0452edbd657e97e840fa446314be0250d2b2966bff67d1261db439
-
C:\Users\Admin\AppData\Local\Temp\AA93.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\B86F.exeFilesize
774KB
MD5f62a3ad4d7efc44f53d3d9c3902dc870
SHA11df2ee2f5953702a1d4cbcc39ef0bf3f1d046656
SHA2566afdde50a1dcb548843dfe1fc32c3f087df2741715d1ba9608317f6fddf825fd
SHA512a99a5abcbc3b4633274f00c1390a03dc64cc20d71bba26c09c8326aaa03306ba0e866bed7a869f8b243e3461fae418075c6abf8293d6b91b7eea99d554c94aff
-
C:\Users\Admin\AppData\Local\Temp\EBB5.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\FAA.exeFilesize
4.2MB
MD5e68b58b7ae8f8b11b1df370b38b6ced3
SHA1085730281c49d6e47599a56d35e1777923959d98
SHA25620c3548c4c692e43c3f97da3ad787a82566bcef9b86a5d4b2f7684f3dfe2ba35
SHA512980fcb298763ec01ec2dfedc8801615e3854470b21ae886235a80f9698bd0d5eac6068dfd332d1848fab1d28c92fbfbb195c28deb363d523ff7e8ab5b26a7afb
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zt5avm3m.nix.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57210f892c151b18a474b6401c7176f4b
SHA1545c58b5cf7c32ac847257dab3d79171088d1605
SHA25614af41a0f2cb763011ccd6d99bff28395f9f663396da4f593e496cdc3fe76fa4
SHA512436f00471c8f1e842442df0b2f5814dbb51ff9cb6f6c4293a78865c842543d57b316606d9c57fd1c03d95fa21b879a24128e9137c3387040e2d6e5c8de3857b0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD554886f87994be0f6eefca1c31f36d678
SHA1fbe884a6677abe01cd0ab678aa9dae803bec4c56
SHA256348cb61f2700ef833bf4b69e0dff1b57ba5cf24d87235d89e170bf86e7df6526
SHA512e5c3f4c8ee8007fad4a98b5e3e045cca41698bb2fbd315495d39c22702d67c6c487c3c8925305f7da6f51902420510b89ddda552ee6d0ccb56d729f8783ff635
-
C:\Windows\rss\csrss.exeFilesize
1.1MB
MD56410c975bfa2855d331f3db6ce8a4fc7
SHA115490523bb334a099233b5de4b0f3379a4d012d6
SHA2560f01a3b1ceb5850ee19b5d898299b491446d3f5a1d43af6d15c0984178ad7555
SHA512de5be74dec754f866638649dae94eb93568c75355eaba11b71067f8c8602464db2177da8d84f69fa820b7e77be6eb226fb926d074d4f8ac47da0f8fdf25147ae
-
C:\Windows\rss\csrss.exeFilesize
773KB
MD57085fdb53a02eaa6f444b5888c4d6297
SHA1fc402a02479ae6993c43e85aebbac32cd60db95e
SHA25623f9acf7f7f6775112a242ab56807ff1d31bf3727d6c25feec68f5a44e7eecc6
SHA51263e610f073f0ce754df0b99dabb8f4000cbf435d4c8a3d52db5cf45f00d1b5a85e4c453db4850538b1e7cbe4bccc7ed2675d9439fd08ad4feb661a4ccfd41581
-
memory/396-373-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/1028-8-0x0000000004A90000-0x0000000004A9B000-memory.dmpFilesize
44KB
-
memory/1028-5-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/1028-3-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/1028-2-0x0000000004A90000-0x0000000004A9B000-memory.dmpFilesize
44KB
-
memory/1028-1-0x0000000002FD0000-0x00000000030D0000-memory.dmpFilesize
1024KB
-
memory/1464-94-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-112-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-57-0x0000000000500000-0x00000000011E5000-memory.dmpFilesize
12.9MB
-
memory/1464-58-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-59-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-60-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-61-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-62-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-63-0x0000000003380000-0x00000000033B2000-memory.dmpFilesize
200KB
-
memory/1464-64-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-65-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-67-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-66-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-70-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-44-0x0000000000500000-0x00000000011E5000-memory.dmpFilesize
12.9MB
-
memory/1464-68-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-74-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-75-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-76-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-77-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-78-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-79-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-80-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-81-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-82-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-83-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-84-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-85-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-86-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-87-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-88-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-89-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-90-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-91-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-92-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-93-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-55-0x0000000003350000-0x0000000003351000-memory.dmpFilesize
4KB
-
memory/1464-95-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-96-0x0000000003DA0000-0x0000000003EA0000-memory.dmpFilesize
1024KB
-
memory/1464-97-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-100-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-101-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-104-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-50-0x0000000000500000-0x00000000011E5000-memory.dmpFilesize
12.9MB
-
memory/1464-107-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-110-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-111-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-56-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1464-105-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-103-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-102-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-113-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-114-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-115-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-116-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-117-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-118-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-119-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-120-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-121-0x0000000003EA0000-0x0000000003EE0000-memory.dmpFilesize
256KB
-
memory/1464-54-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/1464-51-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/1464-52-0x0000000003300000-0x0000000003301000-memory.dmpFilesize
4KB
-
memory/1464-53-0x0000000003330000-0x0000000003331000-memory.dmpFilesize
4KB
-
memory/1724-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1724-23-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1724-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1724-48-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1724-69-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1724-27-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3412-187-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/3412-4-0x00000000020C0000-0x00000000020D6000-memory.dmpFilesize
88KB
-
memory/3460-251-0x000001A6832F0000-0x000001A683310000-memory.dmpFilesize
128KB
-
memory/3460-254-0x000001A6832B0000-0x000001A6832D0000-memory.dmpFilesize
128KB
-
memory/3460-259-0x000001A6838C0000-0x000001A6838E0000-memory.dmpFilesize
128KB
-
memory/3700-397-0x0000022318E00000-0x0000022318E20000-memory.dmpFilesize
128KB
-
memory/3700-401-0x0000022318BB0000-0x0000022318BD0000-memory.dmpFilesize
128KB
-
memory/3700-403-0x00000223191C0000-0x00000223191E0000-memory.dmpFilesize
128KB
-
memory/3908-109-0x00000000048D9000-0x000000000496A000-memory.dmpFilesize
580KB
-
memory/4056-164-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4056-168-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4056-171-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4340-22-0x0000000004AE0000-0x0000000004BFB000-memory.dmpFilesize
1.1MB
-
memory/4340-21-0x00000000048B0000-0x0000000004951000-memory.dmpFilesize
644KB
-
memory/4428-180-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4428-297-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4428-268-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4428-190-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4504-317-0x0000000004000000-0x0000000004001000-memory.dmpFilesize
4KB
-
memory/4720-342-0x000001899E5D0000-0x000001899E5F0000-memory.dmpFilesize
128KB
-
memory/4720-340-0x000001899E120000-0x000001899E140000-memory.dmpFilesize
128KB
-
memory/4720-338-0x000001899E160000-0x000001899E180000-memory.dmpFilesize
128KB
-
memory/5020-390-0x00000000045B0000-0x00000000045B1000-memory.dmpFilesize
4KB
-
memory/5080-243-0x0000000003000000-0x0000000003001000-memory.dmpFilesize
4KB