Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:16
General
-
Target
12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe
-
Size
7.3MB
-
MD5
91fcc906d24350286fc38d756bdacbfc
-
SHA1
b96e73c04be4d15ed18e2e7811b951554cf57e7b
-
SHA256
12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a
-
SHA512
b6cbca675648d967620e4d133345445a070896d2adebd44f58d9ad7f012db5bac0223d2304e86818bc9096e6c72087241c3917efed273d44809a7a1276787b3e
-
SSDEEP
196608:tH/rieS1u4+zl+k7GJWhlTC7BUQ4qye9tkvQ2y3w3W9uWD:tDiFk4+zhLOBB4qT9tk6EW9
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
socks5systemz
51.159.66.125
217.23.6.51
151.80.38.159
217.23.9.168
37.187.122.227
http://datasheet.fun/manual/avon_3_2022.pdf?%.8x
-
rc4_key
heyfg645fdhwi
Signatures
-
Detect Socks5Systemz Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe"C:\Users\Admin\AppData\Local\Temp\12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-JAODN.tmp\is-36D4Q.tmp"C:\Users\Admin\AppData\Local\Temp\is-JAODN.tmp\is-36D4Q.tmp" /SL4 $701EA "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522245⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 206⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 207⤵
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query6⤵
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5D9C.exeC:\Users\Admin\AppData\Local\Temp\5D9C.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\65AB.exeC:\Users\Admin\AppData\Local\Temp\65AB.exe2⤵
- Executes dropped EXE
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Roaming\dbfitaaC:\Users\Admin\AppData\Roaming\dbfitaa1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dbfitaaC:\Users\Admin\AppData\Roaming\dbfitaa2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\MyBurn\MyBurn.exeFilesize
2.1MB
MD5f0fd986799e64ba888a8031782181dc7
SHA1df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA51209d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Temp\5D9C.exeFilesize
5.0MB
MD510ef283264e5050eb40f465feabeea60
SHA15c2b60ad7c2089db827532fed6069bdf74b505f8
SHA2566d45d61463e3521aa6d3d31bd7e953d38c6381c0e1b526dcb28c7f2786669eb6
SHA512c4e4080840991a829b05c76a55f6da6bffc9f618c7a1214d4d0b84e6e714d7b0e5646a99a5d92188f71801e6b7269069728f328d3a3b3fda577191372f399080
-
C:\Users\Admin\AppData\Local\Temp\65AB.exeFilesize
385KB
MD5bdbfccc2b71c0d7f9de70aba81597b52
SHA1ebb97f2a7fe51ff607a1d1b7557c995dd1cc275a
SHA256082e8792e48e6ae0b16330f6bde833c42158ba2c9b75fad31ebc3d939f8a0042
SHA512fba755745e82b6acd1e74e15ce9bc729a9b0e85bbb1975959c1b5d7ab1e6859efc715de87c3f4b6ef4bb21a25d9246142e96323cfc5d732ae6007b4690dcd417
-
C:\Users\Admin\AppData\Local\Temp\K.exeFilesize
8KB
MD5ac65407254780025e8a71da7b925c4f3
SHA15c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA25626cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA51227d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeFilesize
212B
MD5963da09532e9758adedf9745c76ec700
SHA1bc976476358cffdbc3f22b6e491f94ccbf15308d
SHA2568720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2
SHA5122da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0mvqjmr.4ac.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\is-8HDB4.tmp\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-8HDB4.tmp\_isdecmp.dllFilesize
12KB
MD57cee19d7e00e9a35fc5e7884fd9d1ad8
SHA12c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA25658ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8
-
C:\Users\Admin\AppData\Local\Temp\is-JAODN.tmp\is-36D4Q.tmpFilesize
642KB
MD5e57693101a63b1f934f462bc7a2ef093
SHA12748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA25671267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA5123dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e
-
C:\Users\Admin\AppData\Local\Temp\kos2.exeFilesize
1.5MB
MD5665db9794d6e6e7052e7c469f48de771
SHA1ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA51269585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74
-
C:\Users\Admin\AppData\Local\Temp\latestX.exeFilesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
C:\Users\Admin\AppData\Local\Temp\set16.exeFilesize
1.5MB
MD5b224196c88f09b615527b2df0e860e49
SHA1f9ae161836a34264458d8c0b2a083c98093f1dec
SHA2562a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exeFilesize
260KB
MD5f39a0110a564f4a1c6b96c03982906ec
SHA108e66c93b575c9ac0a18f06741dabcabc88a358b
SHA256f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481
SHA512c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00
-
C:\Windows\System32\drivers\etc\hostsFilesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/216-179-0x0000020686BA0000-0x0000020686BB0000-memory.dmpFilesize
64KB
-
memory/216-177-0x0000020686BA0000-0x0000020686BB0000-memory.dmpFilesize
64KB
-
memory/216-196-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/216-176-0x0000020686BA0000-0x0000020686BB0000-memory.dmpFilesize
64KB
-
memory/216-194-0x0000020686BA0000-0x0000020686BB0000-memory.dmpFilesize
64KB
-
memory/216-175-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/636-221-0x0000000000A90000-0x0000000000B90000-memory.dmpFilesize
1024KB
-
memory/664-224-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/664-229-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1068-299-0x00007FF63C250000-0x00007FF63C7F1000-memory.dmpFilesize
5.6MB
-
memory/1068-307-0x00007FF63C250000-0x00007FF63C7F1000-memory.dmpFilesize
5.6MB
-
memory/1068-234-0x00007FF63C250000-0x00007FF63C7F1000-memory.dmpFilesize
5.6MB
-
memory/1068-205-0x00007FF63C250000-0x00007FF63C7F1000-memory.dmpFilesize
5.6MB
-
memory/1208-146-0x000001EE7E3D0000-0x000001EE7E3F2000-memory.dmpFilesize
136KB
-
memory/1208-163-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/1208-160-0x000001EE7E320000-0x000001EE7E330000-memory.dmpFilesize
64KB
-
memory/1208-159-0x000001EE7E320000-0x000001EE7E330000-memory.dmpFilesize
64KB
-
memory/1208-157-0x000001EE7E320000-0x000001EE7E330000-memory.dmpFilesize
64KB
-
memory/1208-158-0x000001EE7E320000-0x000001EE7E330000-memory.dmpFilesize
64KB
-
memory/1208-156-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/1604-90-0x0000000000930000-0x0000000000939000-memory.dmpFilesize
36KB
-
memory/1604-89-0x0000000000A10000-0x0000000000B10000-memory.dmpFilesize
1024KB
-
memory/2016-260-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-333-0x0000000000880000-0x00000000008C9000-memory.dmpFilesize
292KB
-
memory/2016-309-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-134-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-226-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-201-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-213-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-190-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/2016-316-0x0000000000880000-0x00000000008C9000-memory.dmpFilesize
292KB
-
memory/2028-61-0x0000000000A40000-0x0000000000A50000-memory.dmpFilesize
64KB
-
memory/2028-126-0x0000000000A40000-0x0000000000A50000-memory.dmpFilesize
64KB
-
memory/2028-135-0x00007FFD29560000-0x00007FFD2A021000-memory.dmpFilesize
10.8MB
-
memory/2028-55-0x0000000000280000-0x0000000000288000-memory.dmpFilesize
32KB
-
memory/2028-122-0x00007FFD29560000-0x00007FFD2A021000-memory.dmpFilesize
10.8MB
-
memory/2028-59-0x00007FFD29560000-0x00007FFD2A021000-memory.dmpFilesize
10.8MB
-
memory/2252-211-0x0000000000F20000-0x0000000000FA6000-memory.dmpFilesize
536KB
-
memory/2252-207-0x00000000FFDB0000-0x00000000FFE38000-memory.dmpFilesize
544KB
-
memory/2252-206-0x0000000000F20000-0x0000000000FA6000-memory.dmpFilesize
536KB
-
memory/2252-212-0x00000000FFDD4000-0x00000000FFE38000-memory.dmpFilesize
400KB
-
memory/2340-202-0x0000000000010000-0x0000000000076000-memory.dmpFilesize
408KB
-
memory/2340-186-0x0000000000010000-0x0000000000076000-memory.dmpFilesize
408KB
-
memory/2340-192-0x0000000076A80000-0x0000000076C95000-memory.dmpFilesize
2.1MB
-
memory/2696-93-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2696-98-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2696-91-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3120-23-0x0000000074FB0000-0x0000000075760000-memory.dmpFilesize
7.7MB
-
memory/3120-21-0x00000000003A0000-0x000000000051E000-memory.dmpFilesize
1.5MB
-
memory/3120-58-0x0000000074FB0000-0x0000000075760000-memory.dmpFilesize
7.7MB
-
memory/3344-97-0x0000000007220000-0x0000000007236000-memory.dmpFilesize
88KB
-
memory/3344-228-0x00000000028E0000-0x00000000028F6000-memory.dmpFilesize
88KB
-
memory/3568-199-0x00007FF6F23C0000-0x00007FF6F2961000-memory.dmpFilesize
5.6MB
-
memory/3568-94-0x00007FF6F23C0000-0x00007FF6F2961000-memory.dmpFilesize
5.6MB
-
memory/3568-188-0x00007FF6F23C0000-0x00007FF6F2961000-memory.dmpFilesize
5.6MB
-
memory/3824-51-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/3824-95-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/3928-0-0x0000000074FB0000-0x0000000075760000-memory.dmpFilesize
7.7MB
-
memory/3928-1-0x0000000000B70000-0x00000000012CC000-memory.dmpFilesize
7.4MB
-
memory/3928-44-0x0000000074FB0000-0x0000000075760000-memory.dmpFilesize
7.7MB
-
memory/4016-125-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/4016-127-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/4016-129-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/4016-123-0x0000000000400000-0x0000000000627000-memory.dmpFilesize
2.2MB
-
memory/4192-312-0x00000000018B0000-0x00000000018F0000-memory.dmpFilesize
256KB
-
memory/4192-329-0x0000000011EC0000-0x0000000011EE0000-memory.dmpFilesize
128KB
-
memory/4192-308-0x0000000000A00000-0x0000000000A20000-memory.dmpFilesize
128KB
-
memory/4328-300-0x00000200A0420000-0x00000200A0430000-memory.dmpFilesize
64KB
-
memory/4328-289-0x00007FF439100000-0x00007FF439110000-memory.dmpFilesize
64KB
-
memory/4328-288-0x00000200A0420000-0x00000200A0430000-memory.dmpFilesize
64KB
-
memory/4328-287-0x00000200A0420000-0x00000200A0430000-memory.dmpFilesize
64KB
-
memory/4328-286-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/4328-302-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/4636-247-0x00007FF4E7040000-0x00007FF4E7050000-memory.dmpFilesize
64KB
-
memory/4636-259-0x0000021CB3A50000-0x0000021CB3A6C000-memory.dmpFilesize
112KB
-
memory/4636-235-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/4636-269-0x0000021C9A5F0000-0x0000021C9A600000-memory.dmpFilesize
64KB
-
memory/4636-266-0x0000021CB3A80000-0x0000021CB3A8A000-memory.dmpFilesize
40KB
-
memory/4636-265-0x0000021CB3A70000-0x0000021CB3A76000-memory.dmpFilesize
24KB
-
memory/4636-264-0x0000021CB3A40000-0x0000021CB3A48000-memory.dmpFilesize
32KB
-
memory/4636-263-0x0000021CB3A90000-0x0000021CB3AAA000-memory.dmpFilesize
104KB
-
memory/4636-262-0x0000021CB3A30000-0x0000021CB3A3A000-memory.dmpFilesize
40KB
-
memory/4636-272-0x00007FFD29680000-0x00007FFD2A141000-memory.dmpFilesize
10.8MB
-
memory/4636-258-0x0000021CB38E0000-0x0000021CB38EA000-memory.dmpFilesize
40KB
-
memory/4636-236-0x0000021C9A5F0000-0x0000021C9A600000-memory.dmpFilesize
64KB
-
memory/4636-257-0x0000021CB3820000-0x0000021CB38D5000-memory.dmpFilesize
724KB
-
memory/4636-256-0x0000021CB3800000-0x0000021CB381C000-memory.dmpFilesize
112KB
-
memory/4724-80-0x00000000020D0000-0x00000000020D1000-memory.dmpFilesize
4KB
-
memory/4724-96-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4724-132-0x00000000020D0000-0x00000000020D1000-memory.dmpFilesize
4KB
-
memory/4724-138-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB