Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24-03-2023 10:29
General
-
Target
30540da27965a9cd1974fb8f600222c5b7e4fc5d58e7ad2275f70a02eba7630e.exe
-
Size
1009KB
-
MD5
f1e2f24310f4e69fbe644f642f304568
-
SHA1
dd1737505b0e211f692ed8acde42c4c627601bc7
-
SHA256
30540da27965a9cd1974fb8f600222c5b7e4fc5d58e7ad2275f70a02eba7630e
-
SHA512
39e7811babd7f2c1d2f75cee22a3cc5071532cb8ab09d647ec78118144d1edf8ac3fa1678ddcd768923147acf02c30de9e1f5d8c54db5ae5eb3c3272369b789d
-
SSDEEP
24576:Zyu6x9Whc+67EGMhsyUKxndPx4eVsiGw07m9bJcqnk4rxnqF/:Mui9c6EGMhsyUIndPx4eVsiGD7m1OqnV
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
roxi
193.233.20.31:4125
-
auth_value
9d8be78c896acc3cf8b8a6637a221376
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30540da27965a9cd1974fb8f600222c5b7e4fc5d58e7ad2275f70a02eba7630e.exe"C:\Users\Admin\AppData\Local\Temp\30540da27965a9cd1974fb8f600222c5b7e4fc5d58e7ad2275f70a02eba7630e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2608.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2608.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8481.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8481.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9795.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9795.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7377.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7377.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9852.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9852.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 10806⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN62s53.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN62s53.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 13565⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en628951.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en628951.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875741.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875741.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4176 -ip 41761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 668 -ip 6681⤵
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875741.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875741.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2608.exeFilesize
827KB
MD5e50cc5511311c72d7c4abd5c6821cab7
SHA1d5a28b8faf4bd21e50ee7f73e5e464bf7d64ba78
SHA2562c6ca5a89abef21bca32ca54ec75facd98c51881c1ae29dfc482f03cb71009e1
SHA512cfa7c3d6a4fb0a08cc8ba714786366227f54413df55444e776f22982b34d89eaafffc2695fefa557d2c64e82c10eb26e3991c47c93e1b7a83d6f36abdd3a498f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2608.exeFilesize
827KB
MD5e50cc5511311c72d7c4abd5c6821cab7
SHA1d5a28b8faf4bd21e50ee7f73e5e464bf7d64ba78
SHA2562c6ca5a89abef21bca32ca54ec75facd98c51881c1ae29dfc482f03cb71009e1
SHA512cfa7c3d6a4fb0a08cc8ba714786366227f54413df55444e776f22982b34d89eaafffc2695fefa557d2c64e82c10eb26e3991c47c93e1b7a83d6f36abdd3a498f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en628951.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en628951.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8481.exeFilesize
685KB
MD5ba697ee6f8fbeb3ffd24cd2e5e7e239d
SHA1ef016ca8eb8ef0cc903836b95c586728edb8a3c5
SHA2568f681f742e5434133c312441c3a65d2eeffee39353b7064dcb366afda8bfc9d7
SHA512c78715014f36e5823fabe4935dadf2388710d1ed0377c3c379cd1aae349e36759bb65fb4156ca2cd4ad7861956285a442b4640d603b7d115691126e07e5d4bc4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8481.exeFilesize
685KB
MD5ba697ee6f8fbeb3ffd24cd2e5e7e239d
SHA1ef016ca8eb8ef0cc903836b95c586728edb8a3c5
SHA2568f681f742e5434133c312441c3a65d2eeffee39353b7064dcb366afda8bfc9d7
SHA512c78715014f36e5823fabe4935dadf2388710d1ed0377c3c379cd1aae349e36759bb65fb4156ca2cd4ad7861956285a442b4640d603b7d115691126e07e5d4bc4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN62s53.exeFilesize
355KB
MD549740d871d78461630d7049c9329c6f1
SHA12080663936fb9e91b04e2d51503503b953254b3d
SHA256bb499f9d38d1927a7f1d1d26fd3b6e57c2c1e9ac8d4f52733d97fdf86170be0e
SHA51255a0e537bf23306546e500e3f8373801da281e1179849380fb1134f1fcda4939376edcd3fb98cdf59ce71631a6cbacc655edc421be63a062eb29bae6c3503977
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN62s53.exeFilesize
355KB
MD549740d871d78461630d7049c9329c6f1
SHA12080663936fb9e91b04e2d51503503b953254b3d
SHA256bb499f9d38d1927a7f1d1d26fd3b6e57c2c1e9ac8d4f52733d97fdf86170be0e
SHA51255a0e537bf23306546e500e3f8373801da281e1179849380fb1134f1fcda4939376edcd3fb98cdf59ce71631a6cbacc655edc421be63a062eb29bae6c3503977
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9795.exeFilesize
340KB
MD5211f9b3598c71d2fd8d005f5f4342f56
SHA1214d887ed83bf3ead891e5fe449ce534161a636e
SHA25669f96c35c897af3ca826630760acc807d383d7275947e66d7aed744aa909897a
SHA512b49b7b902e3f8e3b6dec08dc79d9f83492a759f57bfa275616b34ad98ebfad6852e4403b8ba8d617b32afc01bbd63a5ab5eca315983ce0911bc55b1362830943
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9795.exeFilesize
340KB
MD5211f9b3598c71d2fd8d005f5f4342f56
SHA1214d887ed83bf3ead891e5fe449ce534161a636e
SHA25669f96c35c897af3ca826630760acc807d383d7275947e66d7aed744aa909897a
SHA512b49b7b902e3f8e3b6dec08dc79d9f83492a759f57bfa275616b34ad98ebfad6852e4403b8ba8d617b32afc01bbd63a5ab5eca315983ce0911bc55b1362830943
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7377.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7377.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9852.exeFilesize
298KB
MD5d5cf412c448f4657c973391371fd4a97
SHA184367dab9d5a453300633e7c7cb8efa9144aeb82
SHA256b526119681bb856825c5c3b3ea21c9c2bceb39c8eb7eb89a00d598bf72108b9f
SHA5127d1beafedb5d373aa427f2240ee697dcd78d776fddb8f54eacd546e98a23a7424b8a9ac7e98d72dc25b91c10afb7b889162df8d4fc560c9d5fb1b15f4908b5af
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9852.exeFilesize
298KB
MD5d5cf412c448f4657c973391371fd4a97
SHA184367dab9d5a453300633e7c7cb8efa9144aeb82
SHA256b526119681bb856825c5c3b3ea21c9c2bceb39c8eb7eb89a00d598bf72108b9f
SHA5127d1beafedb5d373aa427f2240ee697dcd78d776fddb8f54eacd546e98a23a7424b8a9ac7e98d72dc25b91c10afb7b889162df8d4fc560c9d5fb1b15f4908b5af
-
memory/668-1123-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-234-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-1134-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-1133-0x0000000008F40000-0x000000000946C000-memory.dmpFilesize
5.2MB
-
memory/668-1132-0x0000000008D70000-0x0000000008F32000-memory.dmpFilesize
1.8MB
-
memory/668-1131-0x0000000008D00000-0x0000000008D50000-memory.dmpFilesize
320KB
-
memory/668-1130-0x0000000008C80000-0x0000000008CF6000-memory.dmpFilesize
472KB
-
memory/668-1129-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-1128-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-1127-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-1126-0x0000000008460000-0x00000000084C6000-memory.dmpFilesize
408KB
-
memory/668-1125-0x00000000083C0000-0x0000000008452000-memory.dmpFilesize
584KB
-
memory/668-1122-0x00000000080D0000-0x000000000810C000-memory.dmpFilesize
240KB
-
memory/668-1121-0x00000000080B0000-0x00000000080C2000-memory.dmpFilesize
72KB
-
memory/668-1120-0x0000000007F70000-0x000000000807A000-memory.dmpFilesize
1.0MB
-
memory/668-1119-0x0000000007940000-0x0000000007F58000-memory.dmpFilesize
6.1MB
-
memory/668-209-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-210-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-212-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-214-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-216-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-218-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-222-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-220-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-223-0x0000000002C60000-0x0000000002CAB000-memory.dmpFilesize
300KB
-
memory/668-226-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-225-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-229-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-228-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-230-0x0000000007280000-0x0000000007290000-memory.dmpFilesize
64KB
-
memory/668-232-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-246-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-236-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-238-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-240-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-242-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/668-244-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/3312-1140-0x0000000000FD0000-0x0000000001002000-memory.dmpFilesize
200KB
-
memory/3312-1141-0x0000000005B90000-0x0000000005BA0000-memory.dmpFilesize
64KB
-
memory/3460-161-0x0000000000C10000-0x0000000000C1A000-memory.dmpFilesize
40KB
-
memory/4176-201-0x0000000004D00000-0x0000000004D10000-memory.dmpFilesize
64KB
-
memory/4176-188-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-178-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-184-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-200-0x0000000004D00000-0x0000000004D10000-memory.dmpFilesize
64KB
-
memory/4176-199-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/4176-198-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-196-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-194-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-192-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-190-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-202-0x0000000004D00000-0x0000000004D10000-memory.dmpFilesize
64KB
-
memory/4176-186-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-176-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-174-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-204-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/4176-182-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-172-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-171-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB
-
memory/4176-170-0x0000000004D00000-0x0000000004D10000-memory.dmpFilesize
64KB
-
memory/4176-169-0x0000000004D00000-0x0000000004D10000-memory.dmpFilesize
64KB
-
memory/4176-168-0x0000000002C80000-0x0000000002CAD000-memory.dmpFilesize
180KB
-
memory/4176-167-0x0000000007190000-0x0000000007734000-memory.dmpFilesize
5.6MB
-
memory/4176-180-0x0000000004CB0000-0x0000000004CC2000-memory.dmpFilesize
72KB