Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-05-2022 04:36
Static task
static1
General
-
Target
1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe
-
Size
305KB
-
MD5
1dee390438973fdc5c4a1e9d0995d8db
-
SHA1
16d42736bc22187643b73e67b7828f199a34622d
-
SHA256
1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b
-
SHA512
9d48eeab3b80603ced3b823b2d4903097f7ae28dad458891b5d46f10d2e1db3ff97f92438deff22fb8e83ae9f92c0ce20c240256388fc7d02b2feb6386fcbfe8
Malware Config
Extracted
smokeloader
2020
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
Extracted
redline
1
45.10.43.167:26696
-
auth_value
3a70a3e2f548aaf61e05be9e4cadc7c1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2032-166-0x0000000000A80000-0x0000000000FA2000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 6 IoCs
Processes:
3F3B.exe7z.exe7z.exe7z.exe7z.exebenbenben.exepid process 2928 3F3B.exe 2152 7z.exe 1944 7z.exe 5016 7z.exe 4536 7z.exe 2032 benbenben.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
benbenben.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion benbenben.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion benbenben.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3F3B.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 3F3B.exe -
Loads dropped DLL 4 IoCs
Processes:
7z.exe7z.exe7z.exe7z.exepid process 2152 7z.exe 1944 7z.exe 5016 7z.exe 4536 7z.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
benbenben.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA benbenben.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4456 4108 WerFault.exe explorer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exepid process 2300 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe 2300 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 3144 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3144 -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exepid process 2300 1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe 3144 3144 3144 3144 -
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
7z.exe7z.exe7z.exe7z.exebenbenben.exedescription pid process Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 Token: SeRestorePrivilege 2152 7z.exe Token: 35 2152 7z.exe Token: SeSecurityPrivilege 2152 7z.exe Token: SeSecurityPrivilege 2152 7z.exe Token: SeRestorePrivilege 1944 7z.exe Token: 35 1944 7z.exe Token: SeSecurityPrivilege 1944 7z.exe Token: SeSecurityPrivilege 1944 7z.exe Token: SeRestorePrivilege 5016 7z.exe Token: 35 5016 7z.exe Token: SeSecurityPrivilege 5016 7z.exe Token: SeSecurityPrivilege 5016 7z.exe Token: SeRestorePrivilege 4536 7z.exe Token: 35 4536 7z.exe Token: SeSecurityPrivilege 4536 7z.exe Token: SeSecurityPrivilege 4536 7z.exe Token: SeDebugPrivilege 2032 benbenben.exe Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 Token: SeShutdownPrivilege 3144 Token: SeCreatePagefilePrivilege 3144 -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
3F3B.execmd.exedescription pid process target process PID 3144 wrote to memory of 2928 3144 3F3B.exe PID 3144 wrote to memory of 2928 3144 3F3B.exe PID 3144 wrote to memory of 2928 3144 3F3B.exe PID 3144 wrote to memory of 4108 3144 explorer.exe PID 3144 wrote to memory of 4108 3144 explorer.exe PID 3144 wrote to memory of 4108 3144 explorer.exe PID 3144 wrote to memory of 4108 3144 explorer.exe PID 3144 wrote to memory of 4448 3144 explorer.exe PID 3144 wrote to memory of 4448 3144 explorer.exe PID 3144 wrote to memory of 4448 3144 explorer.exe PID 2928 wrote to memory of 3548 2928 3F3B.exe cmd.exe PID 2928 wrote to memory of 3548 2928 3F3B.exe cmd.exe PID 3548 wrote to memory of 1116 3548 cmd.exe mode.com PID 3548 wrote to memory of 1116 3548 cmd.exe mode.com PID 3548 wrote to memory of 2152 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 2152 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 1944 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 1944 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 5016 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 5016 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 4536 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 4536 3548 cmd.exe 7z.exe PID 3548 wrote to memory of 2580 3548 cmd.exe attrib.exe PID 3548 wrote to memory of 2580 3548 cmd.exe attrib.exe PID 3548 wrote to memory of 2032 3548 cmd.exe benbenben.exe PID 3548 wrote to memory of 2032 3548 cmd.exe benbenben.exe PID 3548 wrote to memory of 2032 3548 cmd.exe benbenben.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe"C:\Users\Admin\AppData\Local\Temp\1818bd0ec0389489454ccde42689c79925b67c5d65d53e4f3470bd2ba759095b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3F3B.exeC:\Users\Admin\AppData\Local\Temp\3F3B.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode 65,103⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p283462270827100258722140325330 -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib +H "benbenben.exe"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\main\benbenben.exe"benbenben.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 8922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4108 -ip 41081⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3F3B.exeFilesize
3.9MB
MD54f8a7c030aa8784e5f9726de742be5b5
SHA1b458828a0383defa2b1c79dc043d7e7e8cc712c4
SHA256b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952
SHA5120c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69
-
C:\Users\Admin\AppData\Local\Temp\3F3B.exeFilesize
3.9MB
MD54f8a7c030aa8784e5f9726de742be5b5
SHA1b458828a0383defa2b1c79dc043d7e7e8cc712c4
SHA256b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952
SHA5120c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\benbenben.exeFilesize
1.5MB
MD54c76c4bb8969621583baa58bf9c625f4
SHA146fcb2f437241d330144ae3b9ec2980f9b12c209
SHA256e78a454a7fcf939c27d8beec97b8b77f851df342e2682143c9d2dc66fcab4340
SHA5125c52696822d339b0c9f53de3db0fabdf8c7158b6d00b42c59f78694b282243cf6f92066203c60cfcbf363b3684eba3ff10bdcd851557c05a46bfa38d0c856e0c
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DATFilesize
2.0MB
MD58f6c27385ab490689ddcc61866824ce8
SHA15b1874737e5cd1b1c52b7b8e10714d2c6e87d96d
SHA256d47d174fa9feac7cd178bd9a62d0f9183651c043f6f3c8d15bb7197fc1fc042f
SHA512046371e4c93c89ea54fceacd9b5f69e842f84debc00e668509d4b853e53621395cb4ac713093ff81368f9ad717f4621565a906a999d8dbfa3c0fad0278909c1f
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\benbenben.exeFilesize
1.5MB
MD54c76c4bb8969621583baa58bf9c625f4
SHA146fcb2f437241d330144ae3b9ec2980f9b12c209
SHA256e78a454a7fcf939c27d8beec97b8b77f851df342e2682143c9d2dc66fcab4340
SHA5125c52696822d339b0c9f53de3db0fabdf8c7158b6d00b42c59f78694b282243cf6f92066203c60cfcbf363b3684eba3ff10bdcd851557c05a46bfa38d0c856e0c
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zipFilesize
1.5MB
MD5a73635e84d7ab318619454487514f446
SHA1b492af29c93240c3479e69907f1ed74dec625ba6
SHA256ed19a2d5f65d95969d697f205d3fa91688c6daac6274ac7e4847789c9b3a4061
SHA512e8a0b92b3da67a60db0a9c65d7eb0bcd88d97ab1e72510eb602c1e0385b776c7834d08ff8618b805f805e457b21265884d71bdf9fafe6ca3da583ccd162b9f06
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zipFilesize
1.5MB
MD5620139174d311818701c05cbc8968c59
SHA17a427bf6653da862963e42c4f4a5a1ebd08ec061
SHA256df5e8ab12f09d0dc41e2a7c7e5043d6477a7dc6d9a4bbae0943bbbbcfbdc6b2a
SHA51221ebcfde72f38cc7d5feafe9168cb37e8b62c6fbf6a8c046fcba9cc9b6f079f5d4cc7dbf2b9d42e48fc4ff2909439a8cbff22c872b8453a944d0ad552792c37e
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zipFilesize
3.0MB
MD51a18731f1f1b9e3746a31b9bf7d6b901
SHA148cd2531251dff411b084dbb88c7fe6a73c437f8
SHA256149b8af8eb2eba7d584bbc72083fd26b0cbc678f75739fce532bd80cc6548cd7
SHA5124d298d564e4791f9404edafacd4d8ff2b70fb93152ca4e33a48fdd07f25c5d3b0bf616b4fe1cceb0a911093fb0ca47052a3529f115825729641b3dec1c82fafa
-
C:\Users\Admin\AppData\Local\Temp\main\file.binFilesize
3.0MB
MD503bd09b1b43203b5847bd65a390c7fe9
SHA115599a412e9d6934eaf35da04488a997ce88638f
SHA25611317bad4a6346566fec9f2cefcf1d0e97a074be1f85d2f25bebf4bbc532bd9a
SHA512058a97e75feb690afc35939017017b6d86725ab901c0a52473e6bb201ac38bbc20e052762f49567ba7f6cd4ea23c0dc94f42aaaae7b80644438f3e4ab0ed3118
-
C:\Users\Admin\AppData\Local\Temp\main\main.batFilesize
476B
MD521b6341d2b4fc3c54bca293b71545d0c
SHA1ba66216cd3552de6b3ad254f65ccb834188347b0
SHA256432347ce4e632e70cc0cb988ed72c43a17b81f8955a3905e43a93708029a0daf
SHA51204842ab2240d782fe7f3336f4776576f67f3a30ae522713b2bfb8e5c86ca30a2706f2c73ede5647495b8cde06ad36b6499bf8bd9c8908e794fdbdb8bd0d534d1
-
memory/1116-141-0x0000000000000000-mapping.dmp
-
memory/1944-147-0x0000000000000000-mapping.dmp
-
memory/2032-162-0x0000000000000000-mapping.dmp
-
memory/2032-176-0x00000000072D0000-0x0000000007492000-memory.dmpFilesize
1.8MB
-
memory/2032-174-0x00000000061C0000-0x00000000061DE000-memory.dmpFilesize
120KB
-
memory/2032-173-0x0000000006850000-0x0000000006DF4000-memory.dmpFilesize
5.6MB
-
memory/2032-172-0x0000000006200000-0x0000000006292000-memory.dmpFilesize
584KB
-
memory/2032-170-0x0000000005620000-0x000000000565C000-memory.dmpFilesize
240KB
-
memory/2032-169-0x00000000056F0000-0x00000000057FA000-memory.dmpFilesize
1.0MB
-
memory/2032-167-0x0000000005B40000-0x0000000006158000-memory.dmpFilesize
6.1MB
-
memory/2032-177-0x00000000080E0000-0x000000000860C000-memory.dmpFilesize
5.2MB
-
memory/2032-175-0x00000000065F0000-0x0000000006656000-memory.dmpFilesize
408KB
-
memory/2032-178-0x0000000007230000-0x0000000007280000-memory.dmpFilesize
320KB
-
memory/2032-171-0x0000000005960000-0x00000000059D6000-memory.dmpFilesize
472KB
-
memory/2032-168-0x00000000055C0000-0x00000000055D2000-memory.dmpFilesize
72KB
-
memory/2032-166-0x0000000000A80000-0x0000000000FA2000-memory.dmpFilesize
5.1MB
-
memory/2152-143-0x0000000000000000-mapping.dmp
-
memory/2300-130-0x0000000000592000-0x00000000005A2000-memory.dmpFilesize
64KB
-
memory/2300-131-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/2300-132-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/2580-161-0x0000000000000000-mapping.dmp
-
memory/2928-134-0x0000000000000000-mapping.dmp
-
memory/3144-133-0x0000000000720000-0x0000000000736000-memory.dmpFilesize
88KB
-
memory/3548-139-0x0000000000000000-mapping.dmp
-
memory/4108-137-0x0000000000000000-mapping.dmp
-
memory/4448-138-0x0000000000000000-mapping.dmp
-
memory/4536-155-0x0000000000000000-mapping.dmp
-
memory/5016-151-0x0000000000000000-mapping.dmp