Analysis
max time kernel: 139s
max time network: 142s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-03-2023 05:51
Static task: static1
Behavioral task: behavioral1
Sample: Orderconfirmation#27682.exe
Resource: win7-20230220-en
General
Target: Orderconfirmation#27682.exe
Size: 365KB
MD5: 0d9e38ba72b9994260768357559328a3
SHA1: 180ee5d2b2d8c6f5e993f77a1d9e1df9bd437bbd
SHA256: 24c78f9f8f15c94f2616a13adce3fda09255d3e1a4b762ef21b561318c082d65
SHA512: 9aec08e46fd7676794bcb4a39d216157569cf47d585eb53fcd4ce7dbb35deac158b6e64af2708345626f014b6cb36a8045438afedc75a2d60d6c59cee4989507
SSDEEP: 6144:2JAk9dNbuyG+VkT2Elng0ydlBDK9rPn9mYwYqYYw9/KSKTBdyjgpCrVaIYPX:Z49NsT2Eln1yZ29rP9mrdywm
Malware Config
Extracted
redline
cheat
adm1234.duckdns.org:20603
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 14 IoCs
-
SectopRAT payload 14 IoCs
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
572 | svchost.exe
1080 | svchost.exe
632 | svchost.exe
980 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1728 set thread context of 2036 | 1728 | Orderconfirmation#27682.exe | Orderconfirmation#27682.exe
PID 572 set thread context of 1080 | 572 | svchost.exe | svchost.exe
PID 632 set thread context of 980 | 632 | svchost.exe | svchost.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1788 | schtasks.exe
2012 | schtasks.exe
1740 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
2036 | Orderconfirmation#27682.exe
2036 | Orderconfirmation#27682.exe
1080 | svchost.exe
1080 | svchost.exe
980 | svchost.exe
980 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2036 | Orderconfirmation#27682.exe
Token: SeDebugPrivilege | 1080 | svchost.exe
Token: SeDebugPrivilege | 980 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\Orderconfirmation#27682.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Orderconfirmation#27682.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Orderconfirmation#27682.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orderconfirmation#27682.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Orderconfirmation#27682.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {75BFB197-9BFE-47A4-A00C-9DD746F5BDC2} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads