Analysis
-
max time kernel
118s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24-03-2023 11:04
General
-
Target
1e9eccad518779eec1e58da21477d5515fe8a2b210d3f3200a42ea4eba1cec61.exe
-
Size
1009KB
-
MD5
d1a727030677dbc33fa96964de8a5ae1
-
SHA1
cad22aa4d874aea1e2472a636cce662244d7807d
-
SHA256
1e9eccad518779eec1e58da21477d5515fe8a2b210d3f3200a42ea4eba1cec61
-
SHA512
3c2ecfaebf9afa884a90f66b9db795479759cf147a062962d4f2247d8bfe77391f618f0722d089af83fe9fdf32306b6d422c5320f452df6b146824f4478669b4
-
SSDEEP
12288:OMr1y90T6BAm07yAVy49jhV0awqnDhtPEEyFJR5MhfWRzLNxWBKJ2Otgsz3EYqFL:TyCuAVjfiaw4DsqfW5uBajA7xqWD
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
roxi
193.233.20.31:4125
-
auth_value
9d8be78c896acc3cf8b8a6637a221376
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e9eccad518779eec1e58da21477d5515fe8a2b210d3f3200a42ea4eba1cec61.exe"C:\Users\Admin\AppData\Local\Temp\1e9eccad518779eec1e58da21477d5515fe8a2b210d3f3200a42ea4eba1cec61.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1153.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1153.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5322.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5322.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7263.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7263.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3073.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3073.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0469.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0469.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 10846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dam50s26.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dam50s26.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 13725⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en566322.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en566322.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge531406.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge531406.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4320 -ip 43201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 51041⤵
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge531406.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge531406.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1153.exeFilesize
827KB
MD53d6374b80b0daa022a1782d10a91192f
SHA1a2c15cac76ad48ecc46c5464f4d7e0344c3fd889
SHA2563a2a76ecd1180955cc35b5697930deee0b352d06092e3edec029cf5d1e5d2ccc
SHA51208168e364de98e1405a0ec77a715c2a6cf73a4c85cc34d610c6a24bc1c04930e52c81f7d2c0b72bd6bd2b45e5c752d19a4c6ce992dc0cae70721e0b29683c27d
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1153.exeFilesize
827KB
MD53d6374b80b0daa022a1782d10a91192f
SHA1a2c15cac76ad48ecc46c5464f4d7e0344c3fd889
SHA2563a2a76ecd1180955cc35b5697930deee0b352d06092e3edec029cf5d1e5d2ccc
SHA51208168e364de98e1405a0ec77a715c2a6cf73a4c85cc34d610c6a24bc1c04930e52c81f7d2c0b72bd6bd2b45e5c752d19a4c6ce992dc0cae70721e0b29683c27d
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en566322.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en566322.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5322.exeFilesize
685KB
MD5767d310f83fa39b7975779e5d291f48f
SHA1587023183c20df6144468536f49b54c565782db7
SHA256fa7f4f22e5a0384083966b842ab87f423b0c3acb917345e6c287534c01125eba
SHA51254516c73df176c83bb476be6d9346b931179b17efe27d35d3932d7894375630040ea06b8878a5c631eb46b905df23a72ba5ade083d6b018e5c17036e35150f09
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5322.exeFilesize
685KB
MD5767d310f83fa39b7975779e5d291f48f
SHA1587023183c20df6144468536f49b54c565782db7
SHA256fa7f4f22e5a0384083966b842ab87f423b0c3acb917345e6c287534c01125eba
SHA51254516c73df176c83bb476be6d9346b931179b17efe27d35d3932d7894375630040ea06b8878a5c631eb46b905df23a72ba5ade083d6b018e5c17036e35150f09
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dam50s26.exeFilesize
356KB
MD5f9dcce56c77c6a203e2200a46e09a86c
SHA13386304ba457f93cb4fa20581922fd06470b4ab6
SHA256fb29aed84ab3f5eea43eee58a47d2de3b27f3266dd434f4eb7526273066a8225
SHA512ba5f3fbab4b1e44548195f698fddbb0bfefdf33c9511e3eda79e1c61e25463b1c8977f11c71405d551ef1a8cdb57a2d2e120b0a2b82ed1c7b1554beb59b67f01
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dam50s26.exeFilesize
356KB
MD5f9dcce56c77c6a203e2200a46e09a86c
SHA13386304ba457f93cb4fa20581922fd06470b4ab6
SHA256fb29aed84ab3f5eea43eee58a47d2de3b27f3266dd434f4eb7526273066a8225
SHA512ba5f3fbab4b1e44548195f698fddbb0bfefdf33c9511e3eda79e1c61e25463b1c8977f11c71405d551ef1a8cdb57a2d2e120b0a2b82ed1c7b1554beb59b67f01
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7263.exeFilesize
338KB
MD556df91f713e4d060c19ea5ae54d4b45a
SHA14d843a180c7955ecebeda0fd02d277011cd3d193
SHA25674ac16ef641c05bf845a2599fe4afdc915abdf0c8475b94c9242b53822c134d8
SHA5124c34ca5cb59fab65a8b5838ae2b6f28375bc114375073b0d26a945e58eac3a3e23bd23ce89d08960fa3891b70bbf1aabe2fed151a7bb11946b3110aedb30bc62
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7263.exeFilesize
338KB
MD556df91f713e4d060c19ea5ae54d4b45a
SHA14d843a180c7955ecebeda0fd02d277011cd3d193
SHA25674ac16ef641c05bf845a2599fe4afdc915abdf0c8475b94c9242b53822c134d8
SHA5124c34ca5cb59fab65a8b5838ae2b6f28375bc114375073b0d26a945e58eac3a3e23bd23ce89d08960fa3891b70bbf1aabe2fed151a7bb11946b3110aedb30bc62
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3073.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3073.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0469.exeFilesize
298KB
MD56c4b69745ae7e0a47ea008ade1cb13ed
SHA1074e9fd9f9b13d34b938292177783c4f191084b6
SHA256b7e7c4be162b1a5d736ee4795a4d1a2fbd92bbd9faa3c0feb01d318803a08077
SHA512fecc6507eb14361401c406857e66ddae748d00f6ffd44aa7d275cfa806c3c5c79fbeefba0ac00b4f5af402a0fcf22f3b463e7a00af850407685b80c01cda32de
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0469.exeFilesize
298KB
MD56c4b69745ae7e0a47ea008ade1cb13ed
SHA1074e9fd9f9b13d34b938292177783c4f191084b6
SHA256b7e7c4be162b1a5d736ee4795a4d1a2fbd92bbd9faa3c0feb01d318803a08077
SHA512fecc6507eb14361401c406857e66ddae748d00f6ffd44aa7d275cfa806c3c5c79fbeefba0ac00b4f5af402a0fcf22f3b463e7a00af850407685b80c01cda32de
-
memory/1752-1142-0x0000000004E40000-0x0000000004E50000-memory.dmpFilesize
64KB
-
memory/1752-1141-0x0000000000530000-0x0000000000562000-memory.dmpFilesize
200KB
-
memory/3924-161-0x0000000000C50000-0x0000000000C5A000-memory.dmpFilesize
40KB
-
memory/4320-181-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-203-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-183-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-189-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-187-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-199-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-197-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-195-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-193-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-191-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-185-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-200-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/4320-202-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-173-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-204-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-205-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/4320-175-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-177-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-179-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-172-0x0000000007220000-0x0000000007232000-memory.dmpFilesize
72KB
-
memory/4320-171-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-170-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-168-0x00000000073B0000-0x00000000073C0000-memory.dmpFilesize
64KB
-
memory/4320-169-0x00000000073C0000-0x0000000007964000-memory.dmpFilesize
5.6MB
-
memory/4320-167-0x0000000002B80000-0x0000000002BAD000-memory.dmpFilesize
180KB
-
memory/5104-213-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-229-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-231-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-233-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-235-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-237-0x0000000002DB0000-0x0000000002DFB000-memory.dmpFilesize
300KB
-
memory/5104-239-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-240-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-242-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-243-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-245-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-247-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-238-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-1120-0x0000000007990000-0x0000000007FA8000-memory.dmpFilesize
6.1MB
-
memory/5104-1121-0x0000000007FB0000-0x00000000080BA000-memory.dmpFilesize
1.0MB
-
memory/5104-1122-0x00000000080C0000-0x00000000080D2000-memory.dmpFilesize
72KB
-
memory/5104-1123-0x00000000080E0000-0x000000000811C000-memory.dmpFilesize
240KB
-
memory/5104-1124-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-1126-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-1127-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-1128-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/5104-1129-0x00000000083C0000-0x0000000008452000-memory.dmpFilesize
584KB
-
memory/5104-1130-0x0000000008460000-0x00000000084C6000-memory.dmpFilesize
408KB
-
memory/5104-1131-0x0000000008CC0000-0x0000000008D36000-memory.dmpFilesize
472KB
-
memory/5104-1132-0x0000000008D40000-0x0000000008D90000-memory.dmpFilesize
320KB
-
memory/5104-1133-0x0000000008DB0000-0x0000000008F72000-memory.dmpFilesize
1.8MB
-
memory/5104-225-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-227-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-223-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-221-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-217-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-219-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-215-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-211-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-210-0x00000000049C0000-0x00000000049FE000-memory.dmpFilesize
248KB
-
memory/5104-1134-0x0000000008F80000-0x00000000094AC000-memory.dmpFilesize
5.2MB
-
memory/5104-1135-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB