Analysis
-
max time kernel
116s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
-
submitted
02-03-2023 22:54
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
421KB
-
MD5
42ff1c611e429a621a4b52be1d497380
-
SHA1
48082f398f1e5833e4c5a877eae26ed0cb2639df
-
SHA256
239f77c06654cd3c053d0abdf088fdb484ab502efb368776f45f9ed6ce7b1ec0
-
SHA512
68d2ad7bf6b67ad7708b74ec77e69fd10e6d047bb59a27e44bedd1a3cc030720690eeaa07c901fe0d778d6a1776ac857aa2ccffda882544b2f173e181f2370b4
-
SSDEEP
6144:g4u+5Sbfj+2KWMhoxptjwacFt8hjqe4wKc9TMDhwiJZKYXl7jt:e+AdKoxpea4tcjqeHADmiJYYXl7jt
Malware Config
Extracted
redline
cheat
154.91.0.57:28105
Extracted
netwire
thesirenmika.com:55713
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
ziggy123
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4612-172-0x0000000000400000-0x000000000044F000-memory.dmp | netwire
behavioral2/memory/4612-175-0x0000000000400000-0x000000000044F000-memory.dmp | netwire
behavioral2/memory/4612-176-0x0000000000400000-0x000000000044F000-memory.dmp | netwire
behavioral2/memory/4612-200-0x0000000000400000-0x000000000044F000-memory.dmp | netwire
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_redline
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_redline
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_redline
behavioral2/memory/1168-165-0x0000000000870000-0x000000000088E000-memory.dmp | family_redline
-
SectopRAT payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_sectoprat
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_sectoprat
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe | family_sectoprat
behavioral2/memory/1168-165-0x0000000000870000-0x000000000088E000-memory.dmp | family_sectoprat
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
tmp.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | tmp.exe
-
Executes dropped EXE 4 IoCs
Processes:
Svchost.exe EdgeUpdater.exe Sqlite4Service.exe SvchostUpdater.exe
pid | process
1984 | Svchost.exe
1168 | EdgeUpdater.exe
4012 | Sqlite4Service.exe
3816 | SvchostUpdater.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Svchost.exe powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceHostUpdate = "C:\\Users\\Admin\\AppData\\Local\\SvchostUpdater.exe" | Svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sqlite4 = "C:\\Users\\Admin\\AppData\\Roaming\\Sqlite4\\SqliteService.exe" | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Sqlite4Service.exe
description | pid | process | target process
PID 4012 set thread context of 4612 | 4012 | Sqlite4Service.exe | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Sqlite4Service.exe powershell.exe
pid | process
4012 | Sqlite4Service.exe
4012 | Sqlite4Service.exe
4012 | Sqlite4Service.exe
4012 | Sqlite4Service.exe
3068 | powershell.exe
3068 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Sqlite4Service.exe powershell.exe EdgeUpdater.exe
description | pid | process
Token: SeDebugPrivilege | 4012 | Sqlite4Service.exe
Token: SeDebugPrivilege | 3068 | powershell.exe
Token: SeDebugPrivilege | 1168 | EdgeUpdater.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && icacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && exit" && && exit "
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" && icacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe"
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE
ping localhost -n 1
5⤵
- Runs ping.exe
-
C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\SvchostUpdater.exe"
5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\SvchostUpdater.exe" /deny "everyone":(WD,AD,WEA,WA)
5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\SvchostUpdater.exe
5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exe
C:\Users\Admin\AppData\Local\SvchostUpdater.exe
6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exe
"C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sqlite4';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sqlite4' -Value '"C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \Sqlite4 /tr "C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Sqlite4 /tr "C:\Users\Admin\AppData\Roaming\Sqlite4\SqliteService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\SvchostUpdater.exe
Filesize
80KB
MD5
33912d54cad7b7a4d095d840161d565d
SHA1
ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA256
70a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA512
70cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iq1edcrf.b2g.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Adobe\Svchost.exe
Filesize
80KB
MD5
33912d54cad7b7a4d095d840161d565d
SHA1
ad468ac81b0ad62d3c13b30931682d1ddcd06972
SHA256
70a6e183abdd883a665cce8559cdb085ff1280b39cead767d662e0a0e52bbba2
SHA512
70cd7ac8e1448479686a07378976608e9dfe0ef38cc24dfed8087d2aad3baef0524f209a47e3e76f73e85f61dd2546dc90fe2517616ee6d05c7c3abdea3e275b
-
C:\Users\Admin\AppData\Roaming\Edge\EdgeUpdater.exe
Filesize
95KB
MD5
b8917ccaf4e1b766fe5c0b5208a6ff94
SHA1
8f9d002df89dba6beac91838c1d0f6968d64e7f0
SHA256
9e72c4e193e2f2b4171345202ce1658091479bfe158a18f8d1bdde9a82847b18
SHA512
d195fce1700b6a6e444497ef0a5174f2ab239a09621c371d982804ea8482500aedbede6c4cfd1bda5d86f781c40c6dfb54b08c257809c5afd94cfc1bdcbdb29d
-
C:\Users\Admin\AppData\Roaming\Sqlite4\Sqlite4Service.exe
Filesize
311KB
MD5
1de7379e172c333c51622d6789cd5280
SHA1
6c49a2d510702bc90b07bb5eda3c27f4cfd7abe0
SHA256
06677d1a424735b5e8b0c2a4c8139bb5fa30966501441554c2f6e18ac60bde6e
SHA512
976ad15f220b6c5fd4ba7e486c20ebbc159bd32fab5c739556d81ef80e63f9578d7d654a1e0ed81df5e0a0cb908e0d2e3257a0a914d02829192a58deb0b30dc6