Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:31
Static task
static1
Behavioral task
behavioral1
Sample
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
Resource
win7-20240220-en
General
-
Target
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
-
Size
2.6MB
-
MD5
55e393da1714013720ddf266c7906f43
-
SHA1
91a636913604184c010c2d9e0b331a804a2c0ab4
-
SHA256
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
-
SHA512
40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
SSDEEP
49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z
Malware Config
Extracted
redline
tg
163.5.112.53:51523
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\b.exe family_redline behavioral1/memory/2860-22-0x0000000000A40000-0x0000000000A5E000-memory.dmp family_redline -
SectopRAT payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\b.exe family_sectoprat behavioral1/memory/2860-22-0x0000000000A40000-0x0000000000A5E000-memory.dmp family_sectoprat -
XMRig Miner payload 11 IoCs
Processes:
resource yara_rule behavioral1/memory/2208-215-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-216-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-218-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-219-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-220-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-221-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-222-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-223-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-224-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-225-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/2208-228-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
a.exeb.exewfnmgjmvvtwt.exepid process 2304 a.exe 2860 b.exe 480 1340 wfnmgjmvvtwt.exe -
Loads dropped DLL 4 IoCs
Processes:
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exepid process 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe 480 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2208-210-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-211-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-213-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-212-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-214-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-215-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-216-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-218-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-219-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-220-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-221-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-222-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-223-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-224-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-225-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/2208-228-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 4 IoCs
Processes:
powershell.exea.exepowershell.exewfnmgjmvvtwt.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe a.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe wfnmgjmvvtwt.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
wfnmgjmvvtwt.exedescription pid process target process PID 1340 set thread context of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 set thread context of 2208 1340 wfnmgjmvvtwt.exe conhost.exe -
Drops file in Windows directory 2 IoCs
Processes:
wusa.exewusa.exedescription ioc process File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\wusa.lock wusa.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 1328 sc.exe 1768 sc.exe 2116 sc.exe 2224 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0ae4eeee884da01 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exeb.exea.exepowershell.exewfnmgjmvvtwt.exepowershell.execonhost.exepid process 1408 powershell.exe 1508 powershell.exe 2860 b.exe 2860 b.exe 2304 a.exe 1908 powershell.exe 2304 a.exe 2304 a.exe 2304 a.exe 2304 a.exe 2304 a.exe 1340 wfnmgjmvvtwt.exe 3068 powershell.exe 1340 wfnmgjmvvtwt.exe 1340 wfnmgjmvvtwt.exe 1340 wfnmgjmvvtwt.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe 2208 conhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exepowershell.exeb.exepowershell.exepowershell.execonhost.exedescription pid process Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 1508 powershell.exe Token: SeDebugPrivilege 2860 b.exe Token: SeDebugPrivilege 1908 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeLockMemoryPrivilege 2208 conhost.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.execmd.exewfnmgjmvvtwt.execmd.exedescription pid process target process PID 2368 wrote to memory of 1508 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1508 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1508 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1508 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1408 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1408 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1408 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 1408 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe powershell.exe PID 2368 wrote to memory of 2304 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe a.exe PID 2368 wrote to memory of 2304 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe a.exe PID 2368 wrote to memory of 2304 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe a.exe PID 2368 wrote to memory of 2304 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe a.exe PID 2368 wrote to memory of 2860 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe b.exe PID 2368 wrote to memory of 2860 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe b.exe PID 2368 wrote to memory of 2860 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe b.exe PID 2368 wrote to memory of 2860 2368 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe b.exe PID 964 wrote to memory of 1708 964 cmd.exe wusa.exe PID 964 wrote to memory of 1708 964 cmd.exe wusa.exe PID 964 wrote to memory of 1708 964 cmd.exe wusa.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2892 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2208 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2208 1340 wfnmgjmvvtwt.exe conhost.exe PID 3024 wrote to memory of 2604 3024 cmd.exe wusa.exe PID 3024 wrote to memory of 2604 3024 cmd.exe wusa.exe PID 3024 wrote to memory of 2604 3024 cmd.exe wusa.exe PID 1340 wrote to memory of 2208 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2208 1340 wfnmgjmvvtwt.exe conhost.exe PID 1340 wrote to memory of 2208 1340 wfnmgjmvvtwt.exe conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TDFIYZSJ"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TDFIYZSJ"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exeC:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar3598.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\tmp379B.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp37A1.tmpFilesize
92KB
MD518e04095708297d6889a6962f81e8d8f
SHA19a25645db1da0217092c06579599b04982192124
SHA2564ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7
SHA51245ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD55ebd527ccfc5c79e96be774618428df6
SHA1a05cac24a2accfecedcd286d817a996ef899d2fb
SHA25697659018d9bcc675fd8bb14d9c02e4be738533dbd3e15de22f2a62cd6f65ac2d
SHA5129a03840179065fc9badca7c81081b1c427d375434255be1f56225e3d7d9fa34207c819e742e7abe583c53a7e7d374319cfdf1149c329af3f6858968e5bc139d4
-
\Users\Admin\AppData\Roaming\a.exeFilesize
2.5MB
MD56fd62e635b39a02ba8cac6fc124c9475
SHA1e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA25678b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
\Users\Admin\AppData\Roaming\b.exeFilesize
95KB
MD5184ac479b3a878e9ac5535770ca34a2b
SHA11f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA2568e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
memory/1408-25-0x0000000000220000-0x0000000000260000-memory.dmpFilesize
256KB
-
memory/1408-33-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1408-29-0x0000000000220000-0x0000000000260000-memory.dmpFilesize
256KB
-
memory/1408-24-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1408-26-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1508-31-0x0000000002750000-0x0000000002790000-memory.dmpFilesize
256KB
-
memory/1508-23-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1508-27-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1508-34-0x00000000738E0000-0x0000000073E8B000-memory.dmpFilesize
5.7MB
-
memory/1508-30-0x0000000002750000-0x0000000002790000-memory.dmpFilesize
256KB
-
memory/1908-181-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmpFilesize
9.6MB
-
memory/1908-185-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmpFilesize
9.6MB
-
memory/1908-184-0x0000000002A90000-0x0000000002B10000-memory.dmpFilesize
512KB
-
memory/1908-176-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmpFilesize
9.6MB
-
memory/1908-175-0x000000001B5B0000-0x000000001B892000-memory.dmpFilesize
2.9MB
-
memory/1908-178-0x00000000025E0000-0x00000000025E8000-memory.dmpFilesize
32KB
-
memory/1908-177-0x0000000002A90000-0x0000000002B10000-memory.dmpFilesize
512KB
-
memory/1908-182-0x0000000002A90000-0x0000000002B10000-memory.dmpFilesize
512KB
-
memory/1908-180-0x0000000002A90000-0x0000000002B10000-memory.dmpFilesize
512KB
-
memory/2208-217-0x00000000000B0000-0x00000000000D0000-memory.dmpFilesize
128KB
-
memory/2208-220-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-230-0x0000000000870000-0x0000000000890000-memory.dmpFilesize
128KB
-
memory/2208-229-0x0000000000830000-0x0000000000850000-memory.dmpFilesize
128KB
-
memory/2208-228-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-227-0x0000000000870000-0x0000000000890000-memory.dmpFilesize
128KB
-
memory/2208-226-0x0000000000830000-0x0000000000850000-memory.dmpFilesize
128KB
-
memory/2208-225-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-224-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-223-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-222-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-221-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-219-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-218-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-216-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-215-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-214-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-212-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-210-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-211-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2208-213-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2860-179-0x00000000731F0000-0x00000000738DE000-memory.dmpFilesize
6.9MB
-
memory/2860-191-0x00000000731F0000-0x00000000738DE000-memory.dmpFilesize
6.9MB
-
memory/2860-32-0x0000000000680000-0x00000000006C0000-memory.dmpFilesize
256KB
-
memory/2860-183-0x0000000000680000-0x00000000006C0000-memory.dmpFilesize
256KB
-
memory/2860-28-0x00000000731F0000-0x00000000738DE000-memory.dmpFilesize
6.9MB
-
memory/2860-22-0x0000000000A40000-0x0000000000A5E000-memory.dmpFilesize
120KB
-
memory/2892-205-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2892-204-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2892-203-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2892-201-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2892-202-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2892-207-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3068-193-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmpFilesize
9.6MB
-
memory/3068-199-0x0000000001620000-0x00000000016A0000-memory.dmpFilesize
512KB
-
memory/3068-194-0x0000000000990000-0x0000000000998000-memory.dmpFilesize
32KB
-
memory/3068-195-0x0000000001620000-0x00000000016A0000-memory.dmpFilesize
512KB
-
memory/3068-192-0x000000001A140000-0x000000001A422000-memory.dmpFilesize
2.9MB
-
memory/3068-200-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmpFilesize
9.6MB
-
memory/3068-198-0x0000000001620000-0x00000000016A0000-memory.dmpFilesize
512KB
-
memory/3068-196-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmpFilesize
9.6MB
-
memory/3068-197-0x0000000001620000-0x00000000016A0000-memory.dmpFilesize
512KB