Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-11-2022 10:10
General
-
Target
750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed.exe
-
Size
153KB
-
MD5
c9b8a56ae44d31bf77e38425277cf79f
-
SHA1
ef24cff7cc9e4b9fbb6888f7d80d51a91855211e
-
SHA256
750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed
-
SHA512
084b3131d17c26e751ee6273ad759b9773f3a174d88c26de82c2a712ee8b6b16f3f2163c16252e4dd7d9c6d32c9068d8a622101cc24188de924f35d3e7f02620
-
SSDEEP
3072:FYY5LEyU+qcXE55bUfmsLppTR5A69wAEVzTlVwWbqS7:nLEyU+9YWmOppTR6swAE9lVbuK
Malware Config
Extracted
redline
rozena1114
jalocliche.xyz:81
chardhesha.xyz:81
-
auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 2 IoCs
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed.exe"C:\Users\Admin\AppData\Local\Temp\750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EB3F.exeC:\Users\Admin\AppData\Local\Temp\EB3F.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 12602⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\F18A.exeC:\Users\Admin\AppData\Local\Temp\F18A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\F573.exeC:\Users\Admin\AppData\Local\Temp\F573.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 12842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4168 -ip 41681⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 4242⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2900 -ip 29001⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 620 -ip 6201⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 4242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 332 -ip 3321⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\EB3F.exeFilesize
323KB
MD5a6869e666a3b4cbd2632772d25f7b33a
SHA1e837579c9719b3edb858b83e01356107f770d890
SHA25654fa63ddc9285929344019496f269ccfe08998368d346f62aa01068cc86a7cc9
SHA5128fa412fc4ce9424ad1c183ab3221c06ecc9cc5c5b2bf3a83b125d1eb0ec982ebc54589a751dbd420872deb4e1235f0f2fa9ed7e1611a02a65b400b74335e6b9c
-
C:\Users\Admin\AppData\Local\Temp\EB3F.exeFilesize
323KB
MD5a6869e666a3b4cbd2632772d25f7b33a
SHA1e837579c9719b3edb858b83e01356107f770d890
SHA25654fa63ddc9285929344019496f269ccfe08998368d346f62aa01068cc86a7cc9
SHA5128fa412fc4ce9424ad1c183ab3221c06ecc9cc5c5b2bf3a83b125d1eb0ec982ebc54589a751dbd420872deb4e1235f0f2fa9ed7e1611a02a65b400b74335e6b9c
-
C:\Users\Admin\AppData\Local\Temp\F18A.exeFilesize
1.1MB
MD55e7c07b9aa0668fa2971747bb4fade1e
SHA17fae544f73f2a8fb7a340a20ec47f76370fbd487
SHA256431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361
SHA5125c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f
-
C:\Users\Admin\AppData\Local\Temp\F18A.exeFilesize
1.1MB
MD55e7c07b9aa0668fa2971747bb4fade1e
SHA17fae544f73f2a8fb7a340a20ec47f76370fbd487
SHA256431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361
SHA5125c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f
-
C:\Users\Admin\AppData\Local\Temp\F573.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\F573.exeFilesize
242KB
MD519617bdb19b1aeb574c718a27abc3c31
SHA1369cd7c11f56a89d0f97e4cefdbe02d7120e0b25
SHA256ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07
SHA512b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753
-
C:\Users\Admin\AppData\Local\Temp\advapi32.dllFilesize
1.1MB
MD5486536825ff5e3219a8702319e064907
SHA134f7f9211e2fd9c166fb36ed1d4121ebd427bebd
SHA2566ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01
SHA512f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c
-
C:\Users\Admin\AppData\Local\Temp\advapi32.dllFilesize
1.1MB
MD5486536825ff5e3219a8702319e064907
SHA134f7f9211e2fd9c166fb36ed1d4121ebd427bebd
SHA2566ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01
SHA512f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/116-154-0x0000000002220000-0x000000000272E000-memory.dmpFilesize
5.1MB
-
memory/116-165-0x000000000B280000-0x000000000B3FF000-memory.dmpFilesize
1.5MB
-
memory/116-166-0x0000000002831000-0x000000000292F000-memory.dmpFilesize
1016KB
-
memory/116-164-0x000000000B280000-0x000000000B3FF000-memory.dmpFilesize
1.5MB
-
memory/116-198-0x0000000002831000-0x000000000292F000-memory.dmpFilesize
1016KB
-
memory/116-143-0x0000000000000000-mapping.dmp
-
memory/332-232-0x0000000000400000-0x00000000005A1000-memory.dmpFilesize
1.6MB
-
memory/332-231-0x00000000006BC000-0x00000000006DA000-memory.dmpFilesize
120KB
-
memory/620-207-0x0000000007B40000-0x000000000806C000-memory.dmpFilesize
5.2MB
-
memory/620-147-0x00000000055E0000-0x0000000005BF8000-memory.dmpFilesize
6.1MB
-
memory/620-142-0x0000000004D30000-0x0000000004DC2000-memory.dmpFilesize
584KB
-
memory/620-141-0x0000000004E40000-0x00000000053E4000-memory.dmpFilesize
5.6MB
-
memory/620-145-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/620-140-0x00000000006F0000-0x000000000072E000-memory.dmpFilesize
248KB
-
memory/620-139-0x00000000008B9000-0x00000000008EA000-memory.dmpFilesize
196KB
-
memory/620-136-0x0000000000000000-mapping.dmp
-
memory/620-192-0x00000000008B9000-0x00000000008EA000-memory.dmpFilesize
196KB
-
memory/620-218-0x00000000008B9000-0x00000000008EA000-memory.dmpFilesize
196KB
-
memory/620-149-0x0000000005540000-0x0000000005552000-memory.dmpFilesize
72KB
-
memory/620-187-0x0000000005E80000-0x0000000005EE6000-memory.dmpFilesize
408KB
-
memory/620-148-0x0000000005410000-0x000000000551A000-memory.dmpFilesize
1.0MB
-
memory/620-153-0x0000000005560000-0x000000000559C000-memory.dmpFilesize
240KB
-
memory/620-217-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/620-206-0x0000000007930000-0x0000000007AF2000-memory.dmpFilesize
1.8MB
-
memory/936-213-0x00000000007D0000-0x00000000007D8000-memory.dmpFilesize
32KB
-
memory/936-226-0x00000000007D0000-0x00000000007D8000-memory.dmpFilesize
32KB
-
memory/936-214-0x00000000007C0000-0x00000000007CB000-memory.dmpFilesize
44KB
-
memory/936-210-0x0000000000000000-mapping.dmp
-
memory/1028-163-0x0000000000000000-mapping.dmp
-
memory/1296-191-0x0000000000000000-mapping.dmp
-
memory/1296-222-0x0000000000F50000-0x0000000000F72000-memory.dmpFilesize
136KB
-
memory/1296-193-0x0000000000F50000-0x0000000000F72000-memory.dmpFilesize
136KB
-
memory/1296-194-0x0000000000F20000-0x0000000000F47000-memory.dmpFilesize
156KB
-
memory/1420-171-0x0000000000000000-mapping.dmp
-
memory/1484-174-0x0000000000000000-mapping.dmp
-
memory/1772-172-0x0000000000000000-mapping.dmp
-
memory/2088-133-0x0000000000660000-0x0000000000669000-memory.dmpFilesize
36KB
-
memory/2088-134-0x0000000000400000-0x000000000058C000-memory.dmpFilesize
1.5MB
-
memory/2088-132-0x0000000000698000-0x00000000006A9000-memory.dmpFilesize
68KB
-
memory/2088-135-0x0000000000400000-0x000000000058C000-memory.dmpFilesize
1.5MB
-
memory/2660-227-0x0000000000000000-mapping.dmp
-
memory/2872-161-0x0000000000000000-mapping.dmp
-
memory/2900-212-0x0000000000400000-0x00000000005A1000-memory.dmpFilesize
1.6MB
-
memory/2900-211-0x00000000005EC000-0x000000000060B000-memory.dmpFilesize
124KB
-
memory/2980-220-0x0000000000F70000-0x0000000000F75000-memory.dmpFilesize
20KB
-
memory/2980-179-0x0000000000000000-mapping.dmp
-
memory/2980-185-0x0000000000F70000-0x0000000000F75000-memory.dmpFilesize
20KB
-
memory/2980-186-0x0000000000F60000-0x0000000000F69000-memory.dmpFilesize
36KB
-
memory/3108-173-0x0000000000000000-mapping.dmp
-
memory/3168-216-0x0000000000400000-0x00000000005A1000-memory.dmpFilesize
1.6MB
-
memory/3168-169-0x0000000000400000-0x00000000005A1000-memory.dmpFilesize
1.6MB
-
memory/3168-155-0x0000000000000000-mapping.dmp
-
memory/3168-167-0x0000000000648000-0x0000000000667000-memory.dmpFilesize
124KB
-
memory/3168-215-0x0000000000648000-0x0000000000667000-memory.dmpFilesize
124KB
-
memory/3348-219-0x0000000000DE0000-0x0000000000DE9000-memory.dmpFilesize
36KB
-
memory/3348-183-0x0000000000DE0000-0x0000000000DE9000-memory.dmpFilesize
36KB
-
memory/3348-175-0x0000000000000000-mapping.dmp
-
memory/3348-178-0x0000000000DD0000-0x0000000000DDF000-memory.dmpFilesize
60KB
-
memory/3472-208-0x0000000000F30000-0x0000000000F37000-memory.dmpFilesize
28KB
-
memory/3472-205-0x0000000000000000-mapping.dmp
-
memory/3472-209-0x0000000000F20000-0x0000000000F2D000-memory.dmpFilesize
52KB
-
memory/3472-225-0x0000000000F30000-0x0000000000F37000-memory.dmpFilesize
28KB
-
memory/3656-170-0x0000000000000000-mapping.dmp
-
memory/3660-168-0x0000000000000000-mapping.dmp
-
memory/3660-176-0x0000000000460000-0x0000000000467000-memory.dmpFilesize
28KB
-
memory/3660-177-0x0000000000450000-0x000000000045B000-memory.dmpFilesize
44KB
-
memory/3932-203-0x0000000000FB0000-0x0000000000FBB000-memory.dmpFilesize
44KB
-
memory/3932-202-0x0000000000FC0000-0x0000000000FC6000-memory.dmpFilesize
24KB
-
memory/3932-201-0x0000000000000000-mapping.dmp
-
memory/3932-224-0x0000000000FC0000-0x0000000000FC6000-memory.dmpFilesize
24KB
-
memory/4068-181-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4068-180-0x0000000000000000-mapping.dmp
-
memory/4068-184-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4144-223-0x0000000000FC0000-0x0000000000FC5000-memory.dmpFilesize
20KB
-
memory/4144-195-0x0000000000000000-mapping.dmp
-
memory/4144-200-0x0000000000FB0000-0x0000000000FB9000-memory.dmpFilesize
36KB
-
memory/4144-199-0x0000000000FC0000-0x0000000000FC5000-memory.dmpFilesize
20KB
-
memory/4168-160-0x0000000000400000-0x00000000005A1000-memory.dmpFilesize
1.6MB
-
memory/4168-150-0x0000000000000000-mapping.dmp
-
memory/4168-158-0x00000000005F9000-0x0000000000618000-memory.dmpFilesize
124KB
-
memory/4168-159-0x00000000021E0000-0x000000000221E000-memory.dmpFilesize
248KB
-
memory/4248-162-0x0000000000000000-mapping.dmp
-
memory/4620-221-0x0000000000340000-0x0000000000346000-memory.dmpFilesize
24KB
-
memory/4620-190-0x0000000000330000-0x000000000033C000-memory.dmpFilesize
48KB
-
memory/4620-189-0x0000000000340000-0x0000000000346000-memory.dmpFilesize
24KB
-
memory/4620-188-0x0000000000000000-mapping.dmp