Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-11-2021 13:55
Static task: static1
Behavioral task: behavioral1
- Sample: e8dc8e4b914e931ccf2217f143553559.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: e8dc8e4b914e931ccf2217f143553559.exe
- Resource: win10-en-20211104
General
- Target: e8dc8e4b914e931ccf2217f143553559.exe
- Size: 160KB
- MD5: e8dc8e4b914e931ccf2217f143553559
- SHA1: f2797a12055c0bfc7c4fad3ba9388e15d77f9859
- SHA256: 64fb4e1e41bf9ae4718f58c61cbe994a3ebd64e5aeced84f196ff392ffbe35db
- SHA512: 195d11de811b2fd2e047aa5a37cb4ddef21bc51762e5994f3294f46b4b2f98140391a321039326428b128c10911d0d7abd5f10d9f511c70034ddfdcc8cd14f2d
Malware Config
Extracted
smokeloader
2020
Extracted
redline
185.159.80.90:38637
Extracted
raccoon
1.8.3-hotfix
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
-
url4cnc
Extracted
arkei
Default
http://file-file-host4.com/tratata.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes:
- behavioral1/memory/1948-80-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1948-81-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1948-82-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1948-83-0x0000000000418EEA-mapping.dmp (yara_rule: family_redline)
- behavioral1/memory/1948-85-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_redline)
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Arkei Stealer Payload 2 IoCs
Processes:
- behavioral1/memory/1692-113-0x00000000002D0000-0x00000000002F1000-memory.dmp (yara_rule: family_arkei)
- behavioral1/memory/1692-114-0x0000000000400000-0x000000000043B000-memory.dmp (yara_rule: family_arkei)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes:
- pid 624: D633.exe
- pid 412: D633.exe
- pid 1816: EDAA.exe
- pid 1948: EDAA.exe
- pid 1028: 456.exe
- pid 888: 2233.exe
- pid 1704: 2D4C.exe
- pid 1692: 44F1.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 2D4C.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 2D4C.exe)
-
Deletes itself 1 IoCs
Processes:
- pid 1268
-
Loads dropped DLL 2 IoCs
Processes:
- pid 624: D633.exe
- pid 1816: EDAA.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
- C:\Users\Admin\AppData\Local\Temp\2D4C.exe (yara_rule: themida)
- behavioral1/memory/1704-101-0x0000000000F70000-0x0000000000F71000-memory.dmp (yara_rule: themida)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 2D4C.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid 1704: 2D4C.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 956 set thread context of 800 (process: e8dc8e4b914e931ccf2217f143553559.exe, target process: e8dc8e4b914e931ccf2217f143553559.exe)
- PID 624 set thread context of 412 (process: D633.exe, target process: D633.exe)
- PID 1816 set thread context of 1948 (process: EDAA.exe, target process: EDAA.exe)
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 2233.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: D633.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 2233.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: e8dc8e4b914e931ccf2217f143553559.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: D633.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: D633.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 2233.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: e8dc8e4b914e931ccf2217f143553559.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: e8dc8e4b914e931ccf2217f143553559.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 800: e8dc8e4b914e931ccf2217f143553559.exe
- pid 1268
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1268
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
- pid 800: e8dc8e4b914e931ccf2217f143553559.exe
- pid 412: D633.exe
- pid 888: 2233.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeShutdownPrivilege (pid 1268)
- Token: SeShutdownPrivilege (pid 1268)
- Token: SeShutdownPrivilege (pid 1268)
- Token: SeDebugPrivilege (pid 1948, process: EDAA.exe)
- Token: SeDebugPrivilege (pid 1704, process: 2D4C.exe)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- pid 1268
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- pid 1268
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
- PID 956 wrote to memory of 800 (process: e8dc8e4b914e931ccf2217f143553559.exe, target process: e8dc8e4b914e931ccf2217f143553559.exe)
- PID 1268 wrote to memory of 624 (target process: D633.exe)
- PID 624 wrote to memory of 412 (process: D633.exe, target process: D633.exe)
- PID 1268 wrote to memory of 1816 (target process: EDAA.exe)
- PID 1816 wrote to memory of 1948 (process: EDAA.exe, target process: EDAA.exe)
- PID 1268 wrote to memory of 1028 (target process: 456.exe)
- PID 1268 wrote to memory of 888 (target process: 2233.exe)
- PID 1268 wrote to memory of 1704 (target process: 2D4C.exe)
- PID 1268 wrote to memory of 1692 (target process: 44F1.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\D633.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D633.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\D633.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D633.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EDAA.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\EDAA.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\EDAA.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EDAA.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\456.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\456.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\2233.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2233.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\2D4C.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2D4C.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\44F1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\44F1.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads