Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01-04-2024 13:16
Static task
static1
Behavioral task
behavioral1
Sample
55E393DA1714013720DDF266C7906F43.exe
Resource
win7-20240221-en
General
-
Target
55E393DA1714013720DDF266C7906F43.exe
-
Size
2.6MB
-
MD5
55e393da1714013720ddf266c7906f43
-
SHA1
91a636913604184c010c2d9e0b331a804a2c0ab4
-
SHA256
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
-
SHA512
40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
SSDEEP
49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z
Malware Config
Extracted
redline
tg
163.5.112.53:51523
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\b.exe family_redline behavioral1/memory/2624-22-0x00000000011A0000-0x00000000011BE000-memory.dmp family_redline -
SectopRAT payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\b.exe family_sectoprat behavioral1/memory/2624-22-0x00000000011A0000-0x00000000011BE000-memory.dmp family_sectoprat -
XMRig Miner payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/2644-231-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-232-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-234-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-235-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-236-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-237-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-238-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-239-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2644-240-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
a.exeb.exewfnmgjmvvtwt.exepid process 1880 a.exe 2624 b.exe 480 2492 wfnmgjmvvtwt.exe -
Loads dropped DLL 4 IoCs
Processes:
55E393DA1714013720DDF266C7906F43.exepid process 2196 55E393DA1714013720DDF266C7906F43.exe 2196 55E393DA1714013720DDF266C7906F43.exe 2196 55E393DA1714013720DDF266C7906F43.exe 480 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2644-225-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-227-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-228-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-229-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-230-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-231-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-232-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-234-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-235-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-236-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-237-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-238-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-239-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2644-240-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 4 IoCs
Processes:
powershell.exea.exepowershell.exewfnmgjmvvtwt.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe a.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe wfnmgjmvvtwt.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
wfnmgjmvvtwt.exedescription pid process target process PID 2492 set thread context of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 set thread context of 2644 2492 wfnmgjmvvtwt.exe conhost.exe -
Drops file in Windows directory 2 IoCs
Processes:
wusa.exewusa.exedescription ioc process File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\wusa.lock wusa.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 3012 sc.exe 1748 sc.exe 2324 sc.exe 2080 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 207075d63684da01 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exea.exeb.exepowershell.exewfnmgjmvvtwt.exepowershell.execonhost.exepid process 2852 powershell.exe 1988 powershell.exe 1880 a.exe 2624 b.exe 2624 b.exe 800 powershell.exe 1880 a.exe 1880 a.exe 1880 a.exe 1880 a.exe 1880 a.exe 2492 wfnmgjmvvtwt.exe 2356 powershell.exe 2492 wfnmgjmvvtwt.exe 2492 wfnmgjmvvtwt.exe 2492 wfnmgjmvvtwt.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe 2644 conhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exepowershell.exeb.exepowershell.exepowershell.execonhost.exedescription pid process Token: SeDebugPrivilege 2852 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 2624 b.exe Token: SeDebugPrivilege 800 powershell.exe Token: SeDebugPrivilege 2356 powershell.exe Token: SeLockMemoryPrivilege 2644 conhost.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
55E393DA1714013720DDF266C7906F43.execmd.exewfnmgjmvvtwt.execmd.exedescription pid process target process PID 2196 wrote to memory of 2852 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 2852 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 2852 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 2852 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 1988 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 1988 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 1988 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 1988 2196 55E393DA1714013720DDF266C7906F43.exe powershell.exe PID 2196 wrote to memory of 1880 2196 55E393DA1714013720DDF266C7906F43.exe a.exe PID 2196 wrote to memory of 1880 2196 55E393DA1714013720DDF266C7906F43.exe a.exe PID 2196 wrote to memory of 1880 2196 55E393DA1714013720DDF266C7906F43.exe a.exe PID 2196 wrote to memory of 1880 2196 55E393DA1714013720DDF266C7906F43.exe a.exe PID 2196 wrote to memory of 2624 2196 55E393DA1714013720DDF266C7906F43.exe b.exe PID 2196 wrote to memory of 2624 2196 55E393DA1714013720DDF266C7906F43.exe b.exe PID 2196 wrote to memory of 2624 2196 55E393DA1714013720DDF266C7906F43.exe b.exe PID 2196 wrote to memory of 2624 2196 55E393DA1714013720DDF266C7906F43.exe b.exe PID 1152 wrote to memory of 2992 1152 cmd.exe wusa.exe PID 1152 wrote to memory of 2992 1152 cmd.exe wusa.exe PID 1152 wrote to memory of 2992 1152 cmd.exe wusa.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2964 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2644 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2644 2492 wfnmgjmvvtwt.exe conhost.exe PID 2616 wrote to memory of 2436 2616 cmd.exe wusa.exe PID 2616 wrote to memory of 2436 2616 cmd.exe wusa.exe PID 2616 wrote to memory of 2436 2616 cmd.exe wusa.exe PID 2492 wrote to memory of 2644 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2644 2492 wfnmgjmvvtwt.exe conhost.exe PID 2492 wrote to memory of 2644 2492 wfnmgjmvvtwt.exe conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\55E393DA1714013720DDF266C7906F43.exe"C:\Users\Admin\AppData\Local\Temp\55E393DA1714013720DDF266C7906F43.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TDFIYZSJ"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TDFIYZSJ"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exeC:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar6A10.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\tmp723D.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp7253.tmpFilesize
92KB
MD5cca646afddab881d02bb60864ff72e23
SHA125b462e62a0219857cc854f6433e8acea77e3dbc
SHA256c7223e5de0b0db22b3e193b2d48215816c75472ccdf9330a0ab66d4731b2e49e
SHA512c35da6cfe5e4a3f887a876b38b4e5b9e6d5c035cf8d6f20158f89ee14a196941fd6a29faa1f90f64cd253556536670773ec15cd358014d994483a8745c41587d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5828b1f65b9ebcf54d592cccb7df9edac
SHA117ccf75da3c00d2bad2e717fbd9010cb3bfffdbe
SHA25630ddd01a8ce3172a2c36eb4216a16e0de95fc8bfb1ff11eef460c4f9ecc83ac8
SHA51207d1cd15d331435ddd07cae19ab0be6a28742a68199dbe649541984249a07c4ed276e0563952167ec68286eb5175b5862428fd88634fb1f7bba7198178aa13d4
-
\Users\Admin\AppData\Roaming\a.exeFilesize
2.5MB
MD56fd62e635b39a02ba8cac6fc124c9475
SHA1e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA25678b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
\Users\Admin\AppData\Roaming\b.exeFilesize
95KB
MD5184ac479b3a878e9ac5535770ca34a2b
SHA11f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA2568e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
memory/800-201-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/800-196-0x0000000001CE0000-0x0000000001CE8000-memory.dmpFilesize
32KB
-
memory/800-197-0x000007FEF5990000-0x000007FEF632D000-memory.dmpFilesize
9.6MB
-
memory/800-198-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/800-199-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/800-195-0x00000000029A0000-0x0000000002A20000-memory.dmpFilesize
512KB
-
memory/800-193-0x000000001B590000-0x000000001B872000-memory.dmpFilesize
2.9MB
-
memory/800-202-0x000007FEF5990000-0x000007FEF632D000-memory.dmpFilesize
9.6MB
-
memory/800-194-0x000007FEF5990000-0x000007FEF632D000-memory.dmpFilesize
9.6MB
-
memory/1988-27-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/1988-29-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/1988-32-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/1988-25-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/2356-213-0x00000000015B0000-0x0000000001630000-memory.dmpFilesize
512KB
-
memory/2356-210-0x00000000015B0000-0x0000000001630000-memory.dmpFilesize
512KB
-
memory/2356-212-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmpFilesize
9.6MB
-
memory/2356-214-0x00000000015B0000-0x0000000001630000-memory.dmpFilesize
512KB
-
memory/2356-215-0x00000000015B0000-0x0000000001630000-memory.dmpFilesize
512KB
-
memory/2356-216-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmpFilesize
9.6MB
-
memory/2356-208-0x0000000019E60000-0x000000001A142000-memory.dmpFilesize
2.9MB
-
memory/2356-209-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmpFilesize
9.6MB
-
memory/2356-211-0x0000000001240000-0x0000000001248000-memory.dmpFilesize
32KB
-
memory/2624-188-0x00000000730D0000-0x00000000737BE000-memory.dmpFilesize
6.9MB
-
memory/2624-23-0x00000000730D0000-0x00000000737BE000-memory.dmpFilesize
6.9MB
-
memory/2624-200-0x0000000000CB0000-0x0000000000CF0000-memory.dmpFilesize
256KB
-
memory/2624-22-0x00000000011A0000-0x00000000011BE000-memory.dmpFilesize
120KB
-
memory/2624-31-0x0000000000CB0000-0x0000000000CF0000-memory.dmpFilesize
256KB
-
memory/2624-243-0x00000000730D0000-0x00000000737BE000-memory.dmpFilesize
6.9MB
-
memory/2644-235-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-238-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-245-0x0000000000EA0000-0x0000000000EC0000-memory.dmpFilesize
128KB
-
memory/2644-244-0x0000000000E80000-0x0000000000EA0000-memory.dmpFilesize
128KB
-
memory/2644-225-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-242-0x0000000000EA0000-0x0000000000EC0000-memory.dmpFilesize
128KB
-
memory/2644-227-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-228-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-240-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-241-0x0000000000E80000-0x0000000000EA0000-memory.dmpFilesize
128KB
-
memory/2644-239-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-237-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-236-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-229-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-230-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-231-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-232-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2644-233-0x0000000000510000-0x0000000000530000-memory.dmpFilesize
128KB
-
memory/2644-234-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2852-30-0x0000000002880000-0x00000000028C0000-memory.dmpFilesize
256KB
-
memory/2852-24-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/2852-33-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/2852-28-0x0000000072B20000-0x00000000730CB000-memory.dmpFilesize
5.7MB
-
memory/2852-26-0x0000000002880000-0x00000000028C0000-memory.dmpFilesize
256KB
-
memory/2964-218-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2964-219-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2964-220-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2964-221-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2964-217-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2964-224-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB