Analysis
max time kernel: 121s
max time network: 106s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29-11-2022 15:46
Static task: static1
Behavioral task: behavioral1
Sample: o35IyQKf1OWr.exe
Resource: win10-20220812-en
General
Target: o35IyQKf1OWr.exe
Size: 1.2MB
MD5: 0157de5a2bc0a4a3ee44ce3a604b5a08
SHA1: 8728fd4dca74a8ae0a28d0e2fb99b2727bd1b278
SHA256: 235c44be3c65568e1550596182f0fe3b1b3540c95b62e63a00e2a4853c561b2c
SHA512: 4dacc34bf5215de1add50d7b7332b1eaa15c0074ceb8d9fc02bfca530910333090573b39b9f7635d312aaaf6e732436d779cef39b292b51ee4082f1e68b3786a
SSDEEP: 24576:MqoHvJlD2PGnBVrXTnuePJmt909gfuUNeye4Mrs:M1H2iBZXxPcTCgfHpeJs
Malware Config
Extracted
redline
RAMSES
77.73.134.54:19123
auth_value: 3ba0ecb99f540fa197be387c2d886b1f
Extracted
redline
Main
109.206.243.58:81
auth_value: 8d4fa15b87cebd556cbb5208a3db0fdc
Extracted
remcos
Main
109.206.243.58:4541
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 15
connect_interval: 3
copy_file: jdk.exe
copy_folder: Java
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: false
install_path: %UserProfile%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Main-IJCWI4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Java Updater
take_screenshot_option: false
take_screenshot_time: 5
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4672-181-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/3612-318-0x00000000074C0000-0x00000000074E8000-memory.dmp | family_redline
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
o35IyQKf1OWr.exe
description | pid | process | target process
PID 3512 created 2916 | 3512 | o35IyQKf1OWr.exe | taskhostw.exe
-
Blocklisted process makes network request 2 IoCs
Processes:
cmd.exe
flow | pid | process
19 | 2992 | cmd.exe
21 | 2992 | cmd.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
java.exe
pid | process
3752 | java.exe
-
Loads dropped DLL 1 IoCs
Processes:
o35IyQKf1OWr.exe
pid | process
3512 | o35IyQKf1OWr.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
java.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\66D01695C4AC46979A3C33DE6C02F473 = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\"" | java.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
o35IyQKf1OWr.exe
java.exe
description | pid | process | target process
PID 3512 set thread context of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3752 set thread context of 2992 | 3752 | java.exe | cmd.exe
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
o35IyQKf1OWr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters | o35IyQKf1OWr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | o35IyQKf1OWr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters | o35IyQKf1OWr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | o35IyQKf1OWr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | o35IyQKf1OWr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | o35IyQKf1OWr.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
o35IyQKf1OWr.exe
ngentask.exe
fontview.exe
pid | process
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
3512 | o35IyQKf1OWr.exe
4672 | ngentask.exe
3612 | fontview.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
o35IyQKf1OWr.exe
fontview.exe
ngentask.exe
java.exe
description | pid | process
Token: SeLoadDriverPrivilege | 3512 | o35IyQKf1OWr.exe
Token: SeDebugPrivilege | 3612 | fontview.exe
Token: SeDebugPrivilege | 4672 | ngentask.exe
Token: SeDebugPrivilege | 3752 | java.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
o35IyQKf1OWr.exe
fontview.exe
java.exe
description | pid | process | target process
PID 3512 wrote to memory of 5048 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 5048 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 5048 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4600 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4600 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4600 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4604 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4604 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4604 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 3328 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 3328 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 3328 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 4672 | 3512 | o35IyQKf1OWr.exe | ngentask.exe
PID 3512 wrote to memory of 3612 | 3512 | o35IyQKf1OWr.exe | fontview.exe
PID 3512 wrote to memory of 3612 | 3512 | o35IyQKf1OWr.exe | fontview.exe
PID 3512 wrote to memory of 3612 | 3512 | o35IyQKf1OWr.exe | fontview.exe
PID 3512 wrote to memory of 3612 | 3512 | o35IyQKf1OWr.exe | fontview.exe
PID 3612 wrote to memory of 3752 | 3612 | fontview.exe | java.exe
PID 3612 wrote to memory of 3752 | 3612 | fontview.exe | java.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
PID 3752 wrote to memory of 2992 | 3752 | java.exe | cmd.exe
Processes
-
c:\windows\system32\taskhostw.exe (depth 1)
Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\SYSWOW64\fontview.exe (depth 2)
Command line: "C:\Windows\SYSWOW64\fontview.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\java.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\java.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\SYSWOW64\cmd.exe"
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\o35IyQKf1OWr.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\o35IyQKf1OWr.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\java.exe
Filesize: 732KB
MD5: d0a5cfb0d5be26a0ac372b6b56731760
SHA1: 2c4d9df430e1a195dbbf96e09f8b65f3ed2527dd
SHA256: dc1034a26e7c697b316a3e8eb51dfe68698a5ee294027823fc4647bae25694e4
SHA512: 5dbe3d37630bad98a4541318ec1fe65744fa30c2bc4fb643c85b5c2ed60644e882dc9f4ad5d67b1214dc729f142e4c5ca32ad3a994238e47237f86ef87aa5e15
-
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize: 107KB
MD5: 8dde85ebe0a8c822c7202bc290c17262
SHA1: 8a752c592bdc2a61d8ef2b36f02299b36a1e419e
SHA256: 25a046ef394bcacd60bc885790a669615cb4a3ff2e8884be4a5753b0d39c3974
SHA512: 73bfcbd0455d3deed35d5fd776c4724d9fac62dbde5c845a481ca85aee542ad4ed82eb903e2e8c4faa3adbe22ddf29ea9dd13a5bef417c93f0c6672a8f044b0e