Analysis
-
max time kernel
129s
-
max time network
153s
-
platform
windows10_x64
-
resource
win10-en-20211014
-
submitted
19-10-2021 05:22
Static task
static1
Behavioral task
behavioral1
Sample
e551858d7c25a5874ac81a13ca3ca24d.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
e551858d7c25a5874ac81a13ca3ca24d.exe
Resource
win10-en-20211014
General
-
Target
e551858d7c25a5874ac81a13ca3ca24d.exe
-
Size
823KB
-
MD5
e551858d7c25a5874ac81a13ca3ca24d
-
SHA1
a8b4217a9e68264e72c416b5c33dbc403c7acd3c
-
SHA256
f9349003a92f82606eede0b5ebd94af025f1a2a76a481df38075723e3af054be
-
SHA512
18be299b1156c490b381aa5b385a899113cf2c97225e01bb4120a4c1671d74496180495902603d0c34755040f1f54dbf682398b56d39ea1d47c0e74b109c644b
Malware Config
Extracted
redline
@pankoka
185.244.217.166:56316
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes:
123.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Windows\\System32\\spwizeng\\dwm.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Windows\\System32\\spwizeng\\dwm.exe\", \"C:\\Windows\\win\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Windows\\System32\\spwizeng\\dwm.exe\", \"C:\\Windows\\win\\explorer.exe\", \"C:\\Boot\\nl-NL\\csrss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Windows\\System32\\spwizeng\\dwm.exe\", \"C:\\Windows\\win\\explorer.exe\", \"C:\\Boot\\nl-NL\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\smss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\", \"C:\\Windows\\System32\\WcnApi\\sihost.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Windows\\System32\\spwizeng\\dwm.exe\", \"C:\\Windows\\win\\explorer.exe\", \"C:\\Boot\\nl-NL\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\smss.exe\", \"C:\\Windows\\System32\\InputInjectionBroker\\spoolsv.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\"" | 123.exe |

-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe

description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3724 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 1012 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 1012 schtasks.exe

-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1336-115-0x0000000000430000-0x0000000000461000-memory.dmp | family_redline |
| behavioral2/memory/1336-121-0x00000000008F0000-0x000000000090C000-memory.dmp | family_redline |

-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
123.exe, spoolsv.exe

| pid | process |
| --- | --- |
| 2856 | 123.exe |
| 1728 | spoolsv.exe |

-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
123.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 123.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 123.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |

-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\123.exe | themida |
| C:\Users\Admin\AppData\Local\Temp\123.exe | themida |
| behavioral2/memory/2856-145-0x0000000000A60000-0x0000000000A61000-memory.dmp | themida |
| C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe | themida |
| C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe | themida |
| behavioral2/memory/1728-157-0x0000000000890000-0x0000000000891000-memory.dmp | themida |

-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 16 IoCs
Processes:
123.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\win\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\win\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\My Pictures\\smss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\WcnApi\\sihost.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\explorer\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\spwizeng\\dwm.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\spwizeng\\dwm.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Boot\\nl-NL\\csrss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\InputInjectionBroker\\spoolsv.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\WcnApi\\sihost.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\explorer\\explorer.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Boot\\nl-NL\\csrss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Pictures\\Saved Pictures\\spoolsv.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\My Pictures\\smss.exe\"" | 123.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\InputInjectionBroker\\spoolsv.exe\"" | 123.exe |

-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
123.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 123.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |

-
Drops file in System32 directory 6 IoCs
Processes:
123.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\WcnApi\sihost.exe | 123.exe |
| File created | C:\Windows\SysWOW64\WcnApi\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 | 123.exe |
| File opened for modification | C:\Windows\SysWOW64\spwizeng\dwm.exe | 123.exe |
| File created | C:\Windows\SysWOW64\spwizeng\6cb0b6c459d5d3455a3da700e713f2e2529862ff | 123.exe |
| File opened for modification | C:\Windows\SysWOW64\InputInjectionBroker\spoolsv.exe | 123.exe |
| File created | C:\Windows\SysWOW64\InputInjectionBroker\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | 123.exe |

-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
123.exe, spoolsv.exe

| pid | process |
| --- | --- |
| 2856 | 123.exe |
| 1728 | spoolsv.exe |

-
Drops file in Windows directory 4 IoCs
Processes:
123.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\explorer\explorer.exe | 123.exe |
| File created | C:\Windows\explorer\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | 123.exe |
| File opened for modification | C:\Windows\win\explorer.exe | 123.exe |
| File created | C:\Windows\win\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | 123.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe

| pid | process |
| --- | --- |
| 1076 | schtasks.exe |
| 3724 | schtasks.exe |
| 884 | schtasks.exe |
| 1540 | schtasks.exe |
| 1512 | schtasks.exe |
| 1544 | schtasks.exe |
| 2248 | schtasks.exe |
| 2520 | schtasks.exe |

-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
e551858d7c25a5874ac81a13ca3ca24d.exe, 123.exe, spoolsv.exe

| pid | process |
| --- | --- |
| 1336 | e551858d7c25a5874ac81a13ca3ca24d.exe |
| 2856 | 123.exe |
| 2856 | 123.exe |
| 2856 | 123.exe |
| 1728 | spoolsv.exe |
| 1728 | spoolsv.exe |
| 1728 | spoolsv.exe |

-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
e551858d7c25a5874ac81a13ca3ca24d.exe, 123.exe, spoolsv.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1336 | e551858d7c25a5874ac81a13ca3ca24d.exe |
| Token: SeDebugPrivilege | 2856 | 123.exe |
| Token: SeDebugPrivilege | 1728 | spoolsv.exe |

-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e551858d7c25a5874ac81a13ca3ca24d.exe, 123.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1336 wrote to memory of 2856 | 1336 | e551858d7c25a5874ac81a13ca3ca24d.exe | 123.exe |
| PID 1336 wrote to memory of 2856 | 1336 | e551858d7c25a5874ac81a13ca3ca24d.exe | 123.exe |
| PID 1336 wrote to memory of 2856 | 1336 | e551858d7c25a5874ac81a13ca3ca24d.exe | 123.exe |
| PID 2856 wrote to memory of 1728 | 2856 | 123.exe | spoolsv.exe |
| PID 2856 wrote to memory of 1728 | 2856 | 123.exe | spoolsv.exe |
| PID 2856 wrote to memory of 1728 | 2856 | 123.exe | spoolsv.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\e551858d7c25a5874ac81a13ca3ca24d.exe
"C:\Users\Admin\AppData\Local\Temp\e551858d7c25a5874ac81a13ca3ca24d.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe
"C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\WcnApi\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\explorer\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\spwizeng\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\win\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Boot\nl-NL\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\InputInjectionBroker\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
8a0fae504673180e1bb94c93260c2d7f
SHA1
cd40ca333de4fd089aac8f3860a87e5d55074fcd
SHA256
05f947d8923a8d5ed24cb33d205e1f3602ef91a82210f9fbe8f2342f45bd6072
SHA512
0e54fd0ed023df7e800c2ee65aefa138dfd4843891b6e28d5dc3478ee1a0e4326412f7622ff0c69acf104c9c8ff0a4621580d54c59f6b83d087871efdb4ca6d0
-
C:\Users\Admin\Pictures\Saved Pictures\spoolsv.exe
MD5
8a0fae504673180e1bb94c93260c2d7f
SHA1
cd40ca333de4fd089aac8f3860a87e5d55074fcd
SHA256
05f947d8923a8d5ed24cb33d205e1f3602ef91a82210f9fbe8f2342f45bd6072
SHA512
0e54fd0ed023df7e800c2ee65aefa138dfd4843891b6e28d5dc3478ee1a0e4326412f7622ff0c69acf104c9c8ff0a4621580d54c59f6b83d087871efdb4ca6d0