Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24-03-2023 10:32
General
-
Target
4af25802c7331314577f95ee4c80d8c330e6af29b8564f286fa667ca9b0d2c9d.exe
-
Size
1010KB
-
MD5
cb92615c88c9a1a6a3b011d74c2f93d9
-
SHA1
a0e7a12a24b05ac7cd366dc072f799a975f76820
-
SHA256
4af25802c7331314577f95ee4c80d8c330e6af29b8564f286fa667ca9b0d2c9d
-
SHA512
f152a2964fddc8ce2b720d626d11ddb4f1186532eeac6d41cee854037abbe4507c0bfac57916efb7afa19b3f57742de41ea95722a8054fe45012297c04e18534
-
SSDEEP
24576:VySK5Fut91Dd+cA+hL4PDH8Xlb6WEUdX0yBmV9j/5P:wSK5ob1DdM+hMrcdhEUdXP
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
roxi
193.233.20.31:4125
-
auth_value
9d8be78c896acc3cf8b8a6637a221376
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4af25802c7331314577f95ee4c80d8c330e6af29b8564f286fa667ca9b0d2c9d.exe"C:\Users\Admin\AppData\Local\Temp\4af25802c7331314577f95ee4c80d8c330e6af29b8564f286fa667ca9b0d2c9d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1977.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1977.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4410.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4410.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9931.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9931.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1773.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1773.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3326.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3326.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 10646⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dem55s06.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dem55s06.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 14405⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en561427.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en561427.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge098582.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge098582.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3988 -ip 39881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4380 -ip 43801⤵
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge098582.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge098582.exeFilesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1977.exeFilesize
828KB
MD5ce3d41e3fd2c9c499b2a8aa3b809404b
SHA1427cee80cffcaee234d8944dd24ca4784a8cfecb
SHA2568cd665d71868ca1ebc0e5f0655eeefbd951fe4175de0f9031197623ff5803030
SHA51299a89b21e4560e06178d121a2aed6c7776c691a8b3d5ff483a462ab782afe110997963a222eb3f1cb5dbb7d5e448f9a05e46463f0329e9e3c9fa7077f3c6e195
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1977.exeFilesize
828KB
MD5ce3d41e3fd2c9c499b2a8aa3b809404b
SHA1427cee80cffcaee234d8944dd24ca4784a8cfecb
SHA2568cd665d71868ca1ebc0e5f0655eeefbd951fe4175de0f9031197623ff5803030
SHA51299a89b21e4560e06178d121a2aed6c7776c691a8b3d5ff483a462ab782afe110997963a222eb3f1cb5dbb7d5e448f9a05e46463f0329e9e3c9fa7077f3c6e195
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en561427.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en561427.exeFilesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4410.exeFilesize
686KB
MD59a26f33a2697304db6ce0e6fdcec8d9c
SHA17bb7fe318b6ad9190bf2ed46c5eb023979683899
SHA256225a3c8e213c3b0f0ac4c953255262895543214ca835f200b6056b0490676893
SHA51262b0c7cd0e5b47e765771e851429f543058425d721c384005be322011659d68ef7cb1362b54d9ed5b2feafc5710c1199fd6a7244ed07aa768b6b4d37243b90ab
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4410.exeFilesize
686KB
MD59a26f33a2697304db6ce0e6fdcec8d9c
SHA17bb7fe318b6ad9190bf2ed46c5eb023979683899
SHA256225a3c8e213c3b0f0ac4c953255262895543214ca835f200b6056b0490676893
SHA51262b0c7cd0e5b47e765771e851429f543058425d721c384005be322011659d68ef7cb1362b54d9ed5b2feafc5710c1199fd6a7244ed07aa768b6b4d37243b90ab
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dem55s06.exeFilesize
355KB
MD5a14434ff408d7682c7bf0bf1467cc284
SHA12e2157c5d5dc59e19fc7b552f2ec421feaa94334
SHA256a525915d93c8aa90837fc6b7fce97f6f0b59c921fabe69cf7916896f08494fef
SHA5129454927020a04508b7484e4352b7ade9c8b5c98a7a48c2c92da4b4b4699d72d3054133337dd98729c7aca46ead08d585f5651250263887fc7bf981930f8d8028
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dem55s06.exeFilesize
355KB
MD5a14434ff408d7682c7bf0bf1467cc284
SHA12e2157c5d5dc59e19fc7b552f2ec421feaa94334
SHA256a525915d93c8aa90837fc6b7fce97f6f0b59c921fabe69cf7916896f08494fef
SHA5129454927020a04508b7484e4352b7ade9c8b5c98a7a48c2c92da4b4b4699d72d3054133337dd98729c7aca46ead08d585f5651250263887fc7bf981930f8d8028
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9931.exeFilesize
339KB
MD5ee5c6b17a52da59a52ea38e1daba0205
SHA11ef3e182a31036fc138eee834b9851d44a74bcfb
SHA2560569bd8209f3007a40b3a62bcc2603d5604a83318715c4b3ba8dc98cbd78921a
SHA512ae812f3dcdc078658ef57a5023f52c1bcf2eb6ec9e8ef4266bbc39465fcfaa05d688ebf6b5a09655b37dc33d6d49a6b999b262263e9dc47f5d63d50288b71d41
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9931.exeFilesize
339KB
MD5ee5c6b17a52da59a52ea38e1daba0205
SHA11ef3e182a31036fc138eee834b9851d44a74bcfb
SHA2560569bd8209f3007a40b3a62bcc2603d5604a83318715c4b3ba8dc98cbd78921a
SHA512ae812f3dcdc078658ef57a5023f52c1bcf2eb6ec9e8ef4266bbc39465fcfaa05d688ebf6b5a09655b37dc33d6d49a6b999b262263e9dc47f5d63d50288b71d41
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1773.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1773.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3326.exeFilesize
298KB
MD56f07db9ca59a635a4ddced42587858ab
SHA14ef637743a6f92f6df962096d9173332b8b9d903
SHA256afa0d45fb6af26c25376ace25a6cba454ba1c94eac2a5d2ca1f1d44560d698a7
SHA5129ffb0cda0a9249b9b5b6ecbc908f11d72780cc8d078f9ffe61c5b2cb710acf866565ce7f901a0a4d9c13fe09ead1b47b7b4d9d9ea47f8959cc9f822911f7abb6
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3326.exeFilesize
298KB
MD56f07db9ca59a635a4ddced42587858ab
SHA14ef637743a6f92f6df962096d9173332b8b9d903
SHA256afa0d45fb6af26c25376ace25a6cba454ba1c94eac2a5d2ca1f1d44560d698a7
SHA5129ffb0cda0a9249b9b5b6ecbc908f11d72780cc8d078f9ffe61c5b2cb710acf866565ce7f901a0a4d9c13fe09ead1b47b7b4d9d9ea47f8959cc9f822911f7abb6
-
memory/2480-161-0x0000000000C80000-0x0000000000C8A000-memory.dmpFilesize
40KB
-
memory/3988-176-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-196-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-178-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-180-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-182-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-184-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-186-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-188-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-190-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-192-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-194-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-174-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-198-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-199-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/3988-200-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/3988-203-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/3988-202-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/3988-204-0x0000000000400000-0x0000000002B79000-memory.dmpFilesize
39.5MB
-
memory/3988-172-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-171-0x0000000007230000-0x0000000007242000-memory.dmpFilesize
72KB
-
memory/3988-170-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/3988-169-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/3988-168-0x0000000002C50000-0x0000000002C7D000-memory.dmpFilesize
180KB
-
memory/3988-167-0x00000000073A0000-0x0000000007944000-memory.dmpFilesize
5.6MB
-
memory/4380-214-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-1122-0x0000000004D90000-0x0000000004DCC000-memory.dmpFilesize
240KB
-
memory/4380-223-0x0000000002C60000-0x0000000002CAB000-memory.dmpFilesize
300KB
-
memory/4380-225-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-227-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-229-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-230-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-226-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-232-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-234-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-236-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-238-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-240-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-242-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-244-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-246-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-1119-0x0000000007B30000-0x0000000008148000-memory.dmpFilesize
6.1MB
-
memory/4380-1120-0x0000000008150000-0x000000000825A000-memory.dmpFilesize
1.0MB
-
memory/4380-1121-0x0000000004D70000-0x0000000004D82000-memory.dmpFilesize
72KB
-
memory/4380-222-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-1123-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-1125-0x00000000083C0000-0x0000000008452000-memory.dmpFilesize
584KB
-
memory/4380-1126-0x0000000008460000-0x00000000084C6000-memory.dmpFilesize
408KB
-
memory/4380-1127-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-1128-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-1129-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-1130-0x0000000008F00000-0x00000000090C2000-memory.dmpFilesize
1.8MB
-
memory/4380-1131-0x00000000090E0000-0x000000000960C000-memory.dmpFilesize
5.2MB
-
memory/4380-1132-0x0000000009750000-0x00000000097C6000-memory.dmpFilesize
472KB
-
memory/4380-1133-0x00000000097E0000-0x0000000009830000-memory.dmpFilesize
320KB
-
memory/4380-1135-0x0000000007470000-0x0000000007480000-memory.dmpFilesize
64KB
-
memory/4380-209-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-210-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-220-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-218-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-216-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/4380-212-0x0000000004BD0000-0x0000000004C0E000-memory.dmpFilesize
248KB
-
memory/5080-1141-0x0000000004A40000-0x0000000004A50000-memory.dmpFilesize
64KB
-
memory/5080-1140-0x0000000000160000-0x0000000000192000-memory.dmpFilesize
200KB