Analysis
-
max time kernel
101s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-03-2023 22:54
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
421KB
-
MD5
42ff1c611e429a621a4b52be1d497380
-
SHA1
48082f398f1e5833e4c5a877eae26ed0cb2639df
-
SHA256
239f77c06654cd3c053d0abdf088fdb484ab502efb368776f45f9ed6ce7b1ec0
-
SHA512
68d2ad7bf6b67ad7708b74ec77e69fd10e6d047bb59a27e44bedd1a3cc030720690eeaa07c901fe0d778d6a1776ac857aa2ccffda882544b2f173e181f2370b4
-
SSDEEP
6144:g4u+5Sbfj+2KWMhoxptjwacFt8hjqe4wKc9TMDhwiJZKYXl7jt:e+AdKoxpea4tcjqeHADmiJYYXl7jt
Malware Config
Extracted
redline
cheat
154.91.0.57:28105
Extracted
netwire
thesirenmika.com:55713
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
ziggy123
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1492-87-0x0000000000400000-0x000000000044F000-memory.dmp netwire behavioral1/memory/1492-88-0x0000000000400000-0x000000000044F000-memory.dmp netwire behavioral1/memory/1492-89-0x0000000000400000-0x000000000044F000-memory.dmp netwire behavioral1/memory/1492-91-0x0000000000400000-0x000000000044F000-memory.dmp netwire behavioral1/memory/1492-93-0x0000000000400000-0x000000000044F000-memory.dmp netwire behavioral1/memory/1492-95-0x0000000000400000-0x000000000044F000-memory.dmp netwire -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_redline C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_redline C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_redline behavioral1/memory/772-73-0x0000000000060000-0x000000000007E000-memory.dmp family_redline -
SectopRAT payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_sectoprat C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_sectoprat C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe family_sectoprat behavioral1/memory/772-73-0x0000000000060000-0x000000000007E000-memory.dmp family_sectoprat -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 4 IoCs
Processes:
Svchost.exeEdgeUpdater.exeSqlite4Service.exeSvchostUpdater.exepid process 2008 Svchost.exe 772 EdgeUpdater.exe 1360 Sqlite4Service.exe 848 SvchostUpdater.exe -
Loads dropped DLL 4 IoCs
Processes:
tmp.execmd.exepid process 1204 tmp.exe 1204 tmp.exe 1204 tmp.exe 824 cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Svchost.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceHostUpdate = "C:\\Users\\Admin\\AppData\\Local\\SvchostUpdater.exe" Svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sqlite4 = "C:\\Users\\Admin\\AppData\\Roaming\\Sqlite4\\SqliteService.exe" powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Sqlite4Service.exedescription pid process target process PID 1360 set thread context of 1492 1360 Sqlite4Service.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeEdgeUpdater.exedescription pid process Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 772 EdgeUpdater.exe -
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
tmp.exeSvchost.execmd.execmd.execmd.exeSqlite4Service.execmd.exedescription pid process target process PID 1204 wrote to memory of 2008 1204 tmp.exe Svchost.exe PID 1204 wrote to memory of 2008 1204 tmp.exe Svchost.exe PID 1204 wrote to memory of 2008 1204 tmp.exe Svchost.exe PID 1204 wrote to memory of 2008 1204 tmp.exe Svchost.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 772 1204 tmp.exe EdgeUpdater.exe PID 1204 wrote to memory of 1360 1204 tmp.exe Sqlite4Service.exe PID 1204 wrote to memory of 1360 1204 tmp.exe Sqlite4Service.exe PID 1204 wrote to memory of 1360 1204 tmp.exe Sqlite4Service.exe PID 1204 wrote to memory of 1360 1204 tmp.exe Sqlite4Service.exe PID 2008 wrote to memory of 1972 2008 Svchost.exe cmd.exe PID 2008 wrote to memory of 1972 2008 Svchost.exe cmd.exe PID 2008 wrote to memory of 1972 2008 Svchost.exe cmd.exe PID 1972 wrote to memory of 1760 1972 cmd.exe cmd.exe PID 1972 wrote to memory of 1760 1972 cmd.exe cmd.exe PID 1972 wrote to memory of 1760 1972 cmd.exe cmd.exe PID 1760 wrote to memory of 1804 1760 cmd.exe PING.EXE PID 1760 wrote to memory of 1804 1760 cmd.exe PING.EXE PID 1760 wrote to memory of 1804 1760 cmd.exe PING.EXE PID 1760 wrote to memory of 1388 1760 cmd.exe attrib.exe PID 1760 wrote to memory of 1388 1760 cmd.exe attrib.exe PID 1760 wrote to memory of 1388 1760 cmd.exe attrib.exe PID 1760 wrote to memory of 1208 1760 cmd.exe icacls.exe PID 1760 wrote to memory of 1208 1760 cmd.exe icacls.exe PID 1760 wrote to memory of 1208 1760 cmd.exe icacls.exe PID 1760 wrote to memory of 824 1760 cmd.exe cmd.exe PID 1760 wrote to memory of 824 1760 cmd.exe cmd.exe PID 1760 wrote to memory of 824 1760 cmd.exe cmd.exe PID 824 wrote to memory of 848 824 cmd.exe SvchostUpdater.exe PID 824 wrote to memory of 848 824 cmd.exe SvchostUpdater.exe PID 824 wrote to memory of 848 824 cmd.exe SvchostUpdater.exe PID 1360 wrote to memory of 1660 1360 Sqlite4Service.exe powershell.exe PID 1360 wrote to memory of 1660 1360 Sqlite4Service.exe powershell.exe PID 1360 wrote to memory of 1660 1360 Sqlite4Service.exe powershell.exe PID 1360 wrote to memory of 1660 1360 Sqlite4Service.exe powershell.exe PID 1360 wrote to memory of 1776 1360 Sqlite4Service.exe cmd.exe PID 1360 wrote to memory of 1776 1360 Sqlite4Service.exe cmd.exe PID 1360 wrote to memory of 1776 1360 Sqlite4Service.exe cmd.exe PID 1360 wrote to memory of 1776 1360 Sqlite4Service.exe cmd.exe PID 1776 wrote to memory of 1784 1776 cmd.exe schtasks.exe PID 1776 wrote to memory of 1784 1776 cmd.exe schtasks.exe PID 1776 wrote to memory of 1784 1776 cmd.exe schtasks.exe PID 1776 wrote to memory of 1784 1776 cmd.exe schtasks.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe PID 1360 wrote to memory of 1492 1360 Sqlite4Service.exe RegAsm.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe"C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && icacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && exit" && && exit "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && icacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\attrib.exeattrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.execmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exeC:\Users\Admin\AppData\Local\SvchostUpdater.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe"C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exe"C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sqlite4';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sqlite4' -Value '"C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe"' -PropertyType 'String'3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \Sqlite4 /tr "C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \Sqlite4 /tr "C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exeFilesize
95KB
MD5b8917ccaf4e1b766fe5c0b5208a6ff94
SHA18f9d002df89dba6beac91838c1d0f6968d64e7f0
SHA2569e72c4e193e2f2b4171345202ce1658091479bfe158a18f8d1bdde9a82847b18
SHA512d195fce1700b6a6e444497ef0a5174f2ab239a09621c371d982804ea8482500aedbede6c4cfd1bda5d86f781c40c6dfb54b08c257809c5afd94cfc1bdcbdb29d
-
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exeFilesize
95KB
MD5b8917ccaf4e1b766fe5c0b5208a6ff94
SHA18f9d002df89dba6beac91838c1d0f6968d64e7f0
SHA2569e72c4e193e2f2b4171345202ce1658091479bfe158a18f8d1bdde9a82847b18
SHA512d195fce1700b6a6e444497ef0a5174f2ab239a09621c371d982804ea8482500aedbede6c4cfd1bda5d86f781c40c6dfb54b08c257809c5afd94cfc1bdcbdb29d
-
C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exeFilesize
311KB
MD51de7379e172c333c51622d6789cd5280
SHA16c49a2d510702bc90b07bb5eda3c27f4cfd7abe0
SHA25606677d1a424735b5e8b0c2a4c8139bb5fa30966501441554c2f6e18ac60bde6e
SHA512976ad15f220b6c5fd4ba7e486c20ebbc159bd32fab5c739556d81ef80e63f9578d7d654a1e0ed81df5e0a0cb908e0d2e3257a0a914d02829192a58deb0b30dc6
-
C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exeFilesize
311KB
MD51de7379e172c333c51622d6789cd5280
SHA16c49a2d510702bc90b07bb5eda3c27f4cfd7abe0
SHA25606677d1a424735b5e8b0c2a4c8139bb5fa30966501441554c2f6e18ac60bde6e
SHA512976ad15f220b6c5fd4ba7e486c20ebbc159bd32fab5c739556d81ef80e63f9578d7d654a1e0ed81df5e0a0cb908e0d2e3257a0a914d02829192a58deb0b30dc6
-
C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exeFilesize
311KB
MD51de7379e172c333c51622d6789cd5280
SHA16c49a2d510702bc90b07bb5eda3c27f4cfd7abe0
SHA25606677d1a424735b5e8b0c2a4c8139bb5fa30966501441554c2f6e18ac60bde6e
SHA512976ad15f220b6c5fd4ba7e486c20ebbc159bd32fab5c739556d81ef80e63f9578d7d654a1e0ed81df5e0a0cb908e0d2e3257a0a914d02829192a58deb0b30dc6
-
\Users\Admin\AppData\Local\SvchostUpdater.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
\Users\Admin\AppData\Roaming\Adobe\Svchost.exeFilesize
80KB
MD533912d54cad7b7a4d095d840161d565d
SHA1ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA25670a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA51270cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exeFilesize
95KB
MD5b8917ccaf4e1b766fe5c0b5208a6ff94
SHA18f9d002df89dba6beac91838c1d0f6968d64e7f0
SHA2569e72c4e193e2f2b4171345202ce1658091479bfe158a18f8d1bdde9a82847b18
SHA512d195fce1700b6a6e444497ef0a5174f2ab239a09621c371d982804ea8482500aedbede6c4cfd1bda5d86f781c40c6dfb54b08c257809c5afd94cfc1bdcbdb29d
-
\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exeFilesize
311KB
MD51de7379e172c333c51622d6789cd5280
SHA16c49a2d510702bc90b07bb5eda3c27f4cfd7abe0
SHA25606677d1a424735b5e8b0c2a4c8139bb5fa30966501441554c2f6e18ac60bde6e
SHA512976ad15f220b6c5fd4ba7e486c20ebbc159bd32fab5c739556d81ef80e63f9578d7d654a1e0ed81df5e0a0cb908e0d2e3257a0a914d02829192a58deb0b30dc6
-
memory/772-73-0x0000000000060000-0x000000000007E000-memory.dmpFilesize
120KB
-
memory/772-97-0x00000000048F0000-0x0000000004930000-memory.dmpFilesize
256KB
-
memory/1360-74-0x0000000000980000-0x00000000009D4000-memory.dmpFilesize
336KB
-
memory/1492-85-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-86-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-87-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-88-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-89-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1492-91-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-93-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-95-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1492-84-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1660-96-0x0000000002960000-0x00000000029A0000-memory.dmpFilesize
256KB