Analysis
-
max time kernel
122s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 21:01
Static task
static1
Behavioral task
behavioral1
Sample
117E4E3F1B6EDAE6745F82CF072008F1.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
117E4E3F1B6EDAE6745F82CF072008F1.exe
Resource
win10v20210410
General
-
Target
117E4E3F1B6EDAE6745F82CF072008F1.exe
-
Size
1.0MB
-
MD5
117e4e3f1b6edae6745f82cf072008f1
-
SHA1
62bcde8f6c592a4be16b0d0feeb5fa2df13b0619
-
SHA256
3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
-
SHA512
f7e5ee09daf8e52729feb9259457659f0575f6695842611c01e327b8e70d7a10bc9901662fecb28a1c8b35ac57e86bd92f4a93d4fcca203f24502255274223c1
Malware Config
Extracted
redline
9874
nshoreyle.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3852-128-0x0000000000340000-0x000000000035C000-memory.dmp family_redline -
Executes dropped EXE 8 IoCs
Processes:
Sta.exe.comSta.exe.comRegAsm.exefile.exelchost.exesihost32.exeWUFServices.exesihost32.exepid process 788 Sta.exe.com 2100 Sta.exe.com 3852 RegAsm.exe 3188 file.exe 3432 lchost.exe 3156 sihost32.exe 1240 WUFServices.exe 4040 sihost32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
lchost.exeWUFServices.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUFServices.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WUFServices.exe" lchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUFServices.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WUFServices.exe" WUFServices.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Sta.exe.comdescription pid process target process PID 2100 set thread context of 3852 2100 Sta.exe.com RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
RegAsm.exelchost.exeWUFServices.exepid process 3852 RegAsm.exe 3432 lchost.exe 3432 lchost.exe 3432 lchost.exe 1240 WUFServices.exe 1240 WUFServices.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
RegAsm.exelchost.exeWUFServices.exedescription pid process Token: SeDebugPrivilege 3852 RegAsm.exe Token: SeDebugPrivilege 3432 lchost.exe Token: SeDebugPrivilege 1240 WUFServices.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
117E4E3F1B6EDAE6745F82CF072008F1.execmd.execmd.exeSta.exe.comSta.exe.comRegAsm.exefile.exelchost.exeWUFServices.exedescription pid process target process PID 1016 wrote to memory of 3564 1016 117E4E3F1B6EDAE6745F82CF072008F1.exe cmd.exe PID 1016 wrote to memory of 3564 1016 117E4E3F1B6EDAE6745F82CF072008F1.exe cmd.exe PID 1016 wrote to memory of 3564 1016 117E4E3F1B6EDAE6745F82CF072008F1.exe cmd.exe PID 3564 wrote to memory of 3404 3564 cmd.exe cmd.exe PID 3564 wrote to memory of 3404 3564 cmd.exe cmd.exe PID 3564 wrote to memory of 3404 3564 cmd.exe cmd.exe PID 3404 wrote to memory of 1168 3404 cmd.exe findstr.exe PID 3404 wrote to memory of 1168 3404 cmd.exe findstr.exe PID 3404 wrote to memory of 1168 3404 cmd.exe findstr.exe PID 3404 wrote to memory of 788 3404 cmd.exe Sta.exe.com PID 3404 wrote to memory of 788 3404 cmd.exe Sta.exe.com PID 3404 wrote to memory of 788 3404 cmd.exe Sta.exe.com PID 3404 wrote to memory of 3968 3404 cmd.exe PING.EXE PID 3404 wrote to memory of 3968 3404 cmd.exe PING.EXE PID 3404 wrote to memory of 3968 3404 cmd.exe PING.EXE PID 788 wrote to memory of 2100 788 Sta.exe.com Sta.exe.com PID 788 wrote to memory of 2100 788 Sta.exe.com Sta.exe.com PID 788 wrote to memory of 2100 788 Sta.exe.com Sta.exe.com PID 2100 wrote to memory of 3852 2100 Sta.exe.com RegAsm.exe PID 2100 wrote to memory of 3852 2100 Sta.exe.com RegAsm.exe PID 2100 wrote to memory of 3852 2100 Sta.exe.com RegAsm.exe PID 2100 wrote to memory of 3852 2100 Sta.exe.com RegAsm.exe PID 2100 wrote to memory of 3852 2100 Sta.exe.com RegAsm.exe PID 3852 wrote to memory of 3188 3852 RegAsm.exe file.exe PID 3852 wrote to memory of 3188 3852 RegAsm.exe file.exe PID 3852 wrote to memory of 3188 3852 RegAsm.exe file.exe PID 3188 wrote to memory of 3432 3188 file.exe lchost.exe PID 3188 wrote to memory of 3432 3188 file.exe lchost.exe PID 3432 wrote to memory of 3156 3432 lchost.exe sihost32.exe PID 3432 wrote to memory of 3156 3432 lchost.exe sihost32.exe PID 3432 wrote to memory of 1240 3432 lchost.exe WUFServices.exe PID 3432 wrote to memory of 1240 3432 lchost.exe WUFServices.exe PID 1240 wrote to memory of 4040 1240 WUFServices.exe sihost32.exe PID 1240 wrote to memory of 4040 1240 WUFServices.exe sihost32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe"C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c OjTdveCmOYGkwPuVcKiZNQpZgITQtdpOakAXUzIiXgaubigrkVRWUyRXrTwOpLxnOSSPfoqweZenbeCixQFpnhThxCU & cmd < Dai.mp42⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^aUkEmTrtPLftfXTJGsUJbGeamVtEFfQQoaHhAtLwnlFklwqAGOsXaZfLRTyEPmnAVmVWfGoBFTljwRobUEYRXSbprWcHZikZLyfKutlqFQanPeKqKIJkAHDewMTzlACbHlBV$" Lancio.mp44⤵
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.comSta.exe.com x4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.comC:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com x5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exeC:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lchost.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lchost.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lchost.exeMD5
f0ba720de445d0af4d3912b28edc24c2
SHA137059ad24c9df7b8bb673912c54798c6e91e0c84
SHA256b24e6170e3239878fe19073a8c934f3ca1103f2b60f1497182117a3e3b3ceb5e
SHA512479a065745cd10a97c857e4376bdd8ed5cef874e992c4c70c050778848f0b5f87494b88555cf2e6e2a8908405f12ea6088a2618c1557e94ba2e80e56682d3681
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lchost.exeMD5
f0ba720de445d0af4d3912b28edc24c2
SHA137059ad24c9df7b8bb673912c54798c6e91e0c84
SHA256b24e6170e3239878fe19073a8c934f3ca1103f2b60f1497182117a3e3b3ceb5e
SHA512479a065745cd10a97c857e4376bdd8ed5cef874e992c4c70c050778848f0b5f87494b88555cf2e6e2a8908405f12ea6088a2618c1557e94ba2e80e56682d3681
-
C:\Users\Admin\AppData\Local\Temp\WUFServices.exeMD5
f0ba720de445d0af4d3912b28edc24c2
SHA137059ad24c9df7b8bb673912c54798c6e91e0c84
SHA256b24e6170e3239878fe19073a8c934f3ca1103f2b60f1497182117a3e3b3ceb5e
SHA512479a065745cd10a97c857e4376bdd8ed5cef874e992c4c70c050778848f0b5f87494b88555cf2e6e2a8908405f12ea6088a2618c1557e94ba2e80e56682d3681
-
C:\Users\Admin\AppData\Local\Temp\WUFServices.exeMD5
f0ba720de445d0af4d3912b28edc24c2
SHA137059ad24c9df7b8bb673912c54798c6e91e0c84
SHA256b24e6170e3239878fe19073a8c934f3ca1103f2b60f1497182117a3e3b3ceb5e
SHA512479a065745cd10a97c857e4376bdd8ed5cef874e992c4c70c050778848f0b5f87494b88555cf2e6e2a8908405f12ea6088a2618c1557e94ba2e80e56682d3681
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
850bdc89b82630182327ed6c6bfe0812
SHA17c581104bba9679a3c2e9d95639bf3579e37ddfa
SHA2568c37c28bd52102b7634f3623b352fdabe975997cb11e46da5632d20e8d7faef0
SHA512c746fa0fba726509112c1c4ba1fc3f1c7235ae9f884cad9df38e97536ca9e98d36c391fb4a698e6cbfa43e0e078e742375a93c154859e8d9973a55559b230bcb
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
850bdc89b82630182327ed6c6bfe0812
SHA17c581104bba9679a3c2e9d95639bf3579e37ddfa
SHA2568c37c28bd52102b7634f3623b352fdabe975997cb11e46da5632d20e8d7faef0
SHA512c746fa0fba726509112c1c4ba1fc3f1c7235ae9f884cad9df38e97536ca9e98d36c391fb4a698e6cbfa43e0e078e742375a93c154859e8d9973a55559b230bcb
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exeMD5
f7e88551274c85cc257b62f02279d256
SHA1b390a4ce296c4b09fc2b72a4fa12365db0de6399
SHA25615b127ac2e4b12e284adb6d7c8ceedead35427e03963855bcc46ccc6c9cf8880
SHA5129bacdf8e0afe21dfdcb86b456a184705966758bb6b82d5f237c3e559c8d12358cabc16c825d48ec17277ad5202deeb0886225e4fab9872f62dcd6eedfb3720c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exeMD5
f7e88551274c85cc257b62f02279d256
SHA1b390a4ce296c4b09fc2b72a4fa12365db0de6399
SHA25615b127ac2e4b12e284adb6d7c8ceedead35427e03963855bcc46ccc6c9cf8880
SHA5129bacdf8e0afe21dfdcb86b456a184705966758bb6b82d5f237c3e559c8d12358cabc16c825d48ec17277ad5202deeb0886225e4fab9872f62dcd6eedfb3720c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exeMD5
f7e88551274c85cc257b62f02279d256
SHA1b390a4ce296c4b09fc2b72a4fa12365db0de6399
SHA25615b127ac2e4b12e284adb6d7c8ceedead35427e03963855bcc46ccc6c9cf8880
SHA5129bacdf8e0afe21dfdcb86b456a184705966758bb6b82d5f237c3e559c8d12358cabc16c825d48ec17277ad5202deeb0886225e4fab9872f62dcd6eedfb3720c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exeMD5
f7e88551274c85cc257b62f02279d256
SHA1b390a4ce296c4b09fc2b72a4fa12365db0de6399
SHA25615b127ac2e4b12e284adb6d7c8ceedead35427e03963855bcc46ccc6c9cf8880
SHA5129bacdf8e0afe21dfdcb86b456a184705966758bb6b82d5f237c3e559c8d12358cabc16c825d48ec17277ad5202deeb0886225e4fab9872f62dcd6eedfb3720c4
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Dai.mp4MD5
0e56f66476f6e3a85190704a7e046982
SHA1750712070aa3c7daf4b7a0b4c5e8af24f6f985d1
SHA2561e20974b76c4bb90a87c81baa20c8c53884ae2aa785049a2746b3ba674abcfe6
SHA5120e6a82d8418deae83fd0359ef528c2b1a40c8ea44b9e6a6a5800552b30ffb28c558f30b768bed19f4d093329ca3f0cd0bc35d7f2583a1215e3dc0be1206a31d8
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Dov.mp4MD5
e285cd820751c970d433c30be18f9b1f
SHA198f29b363800196529e365e2aaf9b19412b9a444
SHA2569e41888516b60390bcfed7d9e5ebed0425e759472629741a766cc9f6071bd3e3
SHA512938de25e5f6bf1a7d5eb3212232899eb38184104bea0d5205fa9bdbd3ed2e848a6b32816b865c14539af3461a9c8ea7ff61021a7b7dcd731026d43322133dee7
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Lancio.mp4MD5
6766c39c9986df037b4a80c79cb6bb57
SHA1dda7df5e57484eb7c9b976a0554e2dc720689d20
SHA256b970d4b3e1a03fded470a637d2adcddff6c7e2b933241fa22c626d46dabc2c47
SHA512824791e911cae758a437bcb32eb8389bd8963c4b5a53751bf5d8fb59fbb91dfbc5a3ddd796f5bae971099bd812c576a3620a9626727ce0cfe1db1f95e603eb1f
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.comMD5
78ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.comMD5
78ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Vedremo.mp4MD5
f38303433bf6beb49dcde52b2f19af65
SHA16f71a3cc54e96cdc326f5f1e4677d19e1357a1c5
SHA256ccb312ffe82d736ee2ca37bc89c665b6817b155766d1753d0dd70a8af1727d5e
SHA5128092a35a3eccedef93cdf0ef6a1502f5c490b481a024db7565c53f45bbc011f7c98c346735c3828c4d83909635725411f9e9d3c7fd0b87d0886f7d5d3502130a
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\xMD5
f38303433bf6beb49dcde52b2f19af65
SHA16f71a3cc54e96cdc326f5f1e4677d19e1357a1c5
SHA256ccb312ffe82d736ee2ca37bc89c665b6817b155766d1753d0dd70a8af1727d5e
SHA5128092a35a3eccedef93cdf0ef6a1502f5c490b481a024db7565c53f45bbc011f7c98c346735c3828c4d83909635725411f9e9d3c7fd0b87d0886f7d5d3502130a
-
memory/788-120-0x0000000000000000-mapping.dmp
-
memory/1168-117-0x0000000000000000-mapping.dmp
-
memory/1240-162-0x00000000019C0000-0x00000000019C2000-memory.dmpFilesize
8KB
-
memory/1240-163-0x0000000001940000-0x0000000001941000-memory.dmpFilesize
4KB
-
memory/1240-155-0x0000000000000000-mapping.dmp
-
memory/2100-124-0x0000000000000000-mapping.dmp
-
memory/2100-127-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/3156-152-0x0000000000000000-mapping.dmp
-
memory/3156-161-0x000000001C820000-0x000000001C822000-memory.dmpFilesize
8KB
-
memory/3156-156-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/3188-144-0x0000000000000000-mapping.dmp
-
memory/3404-116-0x0000000000000000-mapping.dmp
-
memory/3432-151-0x000000001C4F0000-0x000000001C4F2000-memory.dmpFilesize
8KB
-
memory/3432-147-0x0000000000000000-mapping.dmp
-
memory/3432-150-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/3564-114-0x0000000000000000-mapping.dmp
-
memory/3852-138-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/3852-134-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/3852-143-0x0000000006580000-0x0000000006581000-memory.dmpFilesize
4KB
-
memory/3852-140-0x0000000006010000-0x0000000006011000-memory.dmpFilesize
4KB
-
memory/3852-137-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/3852-136-0x0000000004A90000-0x0000000005096000-memory.dmpFilesize
6.0MB
-
memory/3852-135-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/3852-139-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/3852-141-0x0000000005DE0000-0x0000000005DE1000-memory.dmpFilesize
4KB
-
memory/3852-133-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/3852-128-0x0000000000340000-0x000000000035C000-memory.dmpFilesize
112KB
-
memory/3852-142-0x0000000006A40000-0x0000000006A41000-memory.dmpFilesize
4KB
-
memory/3968-123-0x0000000000000000-mapping.dmp
-
memory/4040-164-0x0000000000000000-mapping.dmp
-
memory/4040-169-0x000000001C890000-0x000000001C892000-memory.dmpFilesize
8KB