Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31-03-2023 19:56
General
-
Target
3a5702f870308e7b163aa4340a489a2401b7b785aceb2d053dea6fed31e0ec20.exe
-
Size
1001KB
-
MD5
e2bd4fc89cb325e560c655180279866a
-
SHA1
1af3cccfc8685e698f877e79aec3466a8a718d8a
-
SHA256
3a5702f870308e7b163aa4340a489a2401b7b785aceb2d053dea6fed31e0ec20
-
SHA512
8d37bf5b666dc1cb317b3228f130ff46ae896a45846ebc9e1325cd5e21c0966db2b9ef8314caaa38bd33438cb02d17db6a2e71a07276fc7abfcd029c22f70ce9
-
SSDEEP
24576:syJFknU4JT8zpL4BTjzZ/bR36XILQPbruNE:bPSIp0BTB/MYEjr4
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a5702f870308e7b163aa4340a489a2401b7b785aceb2d053dea6fed31e0ec20.exe"C:\Users\Admin\AppData\Local\Temp\3a5702f870308e7b163aa4340a489a2401b7b785aceb2d053dea6fed31e0ec20.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2459.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2459.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3439.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3439.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1168.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1168.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3128.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3128.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1509jH.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1509jH.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 10806⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07Zl49.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07Zl49.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 11525⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkGWB26.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkGWB26.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44HF81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44HF81.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1892 -ip 18921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4808 -ip 48081⤵
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44HF81.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44HF81.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2459.exeFilesize
817KB
MD503494f3121f98154082f76c2280cf332
SHA1649bd1ffda6d5225efc96c550bfcc5258ab8a49a
SHA2562c74c00719c7caf6b63733d68416c40a2db27dda884a4c4bf8d6dd90830513f8
SHA51200bff169ae4e05cbaf58306c8c859dc3cd62b603708c76cfadf52ff99717382ff4fc3bc1eac0a4e7c68f4c8fbf28cd7a176d9a9fabd06ba2c2ff6843c63cd2e8
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2459.exeFilesize
817KB
MD503494f3121f98154082f76c2280cf332
SHA1649bd1ffda6d5225efc96c550bfcc5258ab8a49a
SHA2562c74c00719c7caf6b63733d68416c40a2db27dda884a4c4bf8d6dd90830513f8
SHA51200bff169ae4e05cbaf58306c8c859dc3cd62b603708c76cfadf52ff99717382ff4fc3bc1eac0a4e7c68f4c8fbf28cd7a176d9a9fabd06ba2c2ff6843c63cd2e8
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkGWB26.exeFilesize
175KB
MD5c697a5660d11a4a8f5900eec648fc428
SHA19f030f6f0e5d1353db5499764d4cd357aebf568b
SHA2568ee74aa1ace1a73d64f7672d98f5b83c05023e621fb455b0b244be30a02b2705
SHA512d86ffccddaea8125ef287398fbd5c168793a55881277f0fdbea3d0cc4727b68610702363b7322ad03d9cfc3692ed56e57e5a60ea98815f11c8e3af65a2fc8321
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkGWB26.exeFilesize
175KB
MD5c697a5660d11a4a8f5900eec648fc428
SHA19f030f6f0e5d1353db5499764d4cd357aebf568b
SHA2568ee74aa1ace1a73d64f7672d98f5b83c05023e621fb455b0b244be30a02b2705
SHA512d86ffccddaea8125ef287398fbd5c168793a55881277f0fdbea3d0cc4727b68610702363b7322ad03d9cfc3692ed56e57e5a60ea98815f11c8e3af65a2fc8321
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3439.exeFilesize
675KB
MD57eb32e1446dc3e20c00b4a6c13a3dc9c
SHA116fe8ad0b72ef2220e921e9c3aed4da3af05feab
SHA256a3673ea9af2be2f6988f302ad2a4f90b30ed2674a975be158928d881c60610d0
SHA512b011d2ed43ee897cd7c37e178e1f624574db176b1039bf2165b0ccd3490fc69c476cbd732941768ea0d251635fb90b5051816afc6a922524e3f0a617fa7d7784
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3439.exeFilesize
675KB
MD57eb32e1446dc3e20c00b4a6c13a3dc9c
SHA116fe8ad0b72ef2220e921e9c3aed4da3af05feab
SHA256a3673ea9af2be2f6988f302ad2a4f90b30ed2674a975be158928d881c60610d0
SHA512b011d2ed43ee897cd7c37e178e1f624574db176b1039bf2165b0ccd3490fc69c476cbd732941768ea0d251635fb90b5051816afc6a922524e3f0a617fa7d7784
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07Zl49.exeFilesize
318KB
MD5bdc52ae29a411dc4550eb3e0e0b67852
SHA1a2b2c913af1cc3b01db9cd8eb9d74f46443d7ff0
SHA2565d55da88f77dd242a451b2f43f4627445138ca75585f0c4352809dc384e7365e
SHA512cf0fbadf92fddb83587a922128b9d3780e086611da37a3df6e0f35e8002a773dc2118e43229bed2120ef39874915d952f7b66f112c5c9943fea1b6d93146d1b3
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07Zl49.exeFilesize
318KB
MD5bdc52ae29a411dc4550eb3e0e0b67852
SHA1a2b2c913af1cc3b01db9cd8eb9d74f46443d7ff0
SHA2565d55da88f77dd242a451b2f43f4627445138ca75585f0c4352809dc384e7365e
SHA512cf0fbadf92fddb83587a922128b9d3780e086611da37a3df6e0f35e8002a773dc2118e43229bed2120ef39874915d952f7b66f112c5c9943fea1b6d93146d1b3
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1168.exeFilesize
334KB
MD5a3e2c3654346dfbd2d13bbd296d1890b
SHA17f2896614abd651acce3ee0660f3880f46ef1c0d
SHA2563f1dc263798fb63bec9dcd796ad28f4f7d7d99b837bfe97e22aff4e07a245a23
SHA512ca1d88aeccf6e37cf7159282594ac633d04909bde9bb8ad5d2f00ed381305bfba4fb8ebe684919549167046afec56d88246461f20a81903daa9e9037edfc9219
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1168.exeFilesize
334KB
MD5a3e2c3654346dfbd2d13bbd296d1890b
SHA17f2896614abd651acce3ee0660f3880f46ef1c0d
SHA2563f1dc263798fb63bec9dcd796ad28f4f7d7d99b837bfe97e22aff4e07a245a23
SHA512ca1d88aeccf6e37cf7159282594ac633d04909bde9bb8ad5d2f00ed381305bfba4fb8ebe684919549167046afec56d88246461f20a81903daa9e9037edfc9219
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3128.exeFilesize
11KB
MD5cd0e7d6b8708d7c23c17e609a57da634
SHA1c43bc62972567a23dda0d599f94da8efa25164ab
SHA25685d8d17fabf5106ad16eb2b8b141cd6166b696c8c92a979a5329321786acbf06
SHA5127d5ffcc60e4cd63a56645a3e9c02decbc94b1512a75430e6f24dc9892cf90d3c99a4493857d8c4b5990febf7d7c7fd3eb779794bb93058d806179300ff279cdc
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3128.exeFilesize
11KB
MD5cd0e7d6b8708d7c23c17e609a57da634
SHA1c43bc62972567a23dda0d599f94da8efa25164ab
SHA25685d8d17fabf5106ad16eb2b8b141cd6166b696c8c92a979a5329321786acbf06
SHA5127d5ffcc60e4cd63a56645a3e9c02decbc94b1512a75430e6f24dc9892cf90d3c99a4493857d8c4b5990febf7d7c7fd3eb779794bb93058d806179300ff279cdc
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1509jH.exeFilesize
260KB
MD547a64eef13e6be9dec275f1a259c3b28
SHA1802fade3531680cdd309ba650203782d8371b556
SHA25650ee3d2d0197db9218b035d3acae180c2c0598118c24db374f750a58ba0a8c08
SHA512465df47d3db0e039345ef9f65a7e540c7004ce5a30ca847a65d5130305555c4098b44a25298eea134ff00e14601c809cce1aa691136d721ade5abd128d698523
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1509jH.exeFilesize
260KB
MD547a64eef13e6be9dec275f1a259c3b28
SHA1802fade3531680cdd309ba650203782d8371b556
SHA25650ee3d2d0197db9218b035d3acae180c2c0598118c24db374f750a58ba0a8c08
SHA512465df47d3db0e039345ef9f65a7e540c7004ce5a30ca847a65d5130305555c4098b44a25298eea134ff00e14601c809cce1aa691136d721ade5abd128d698523
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5f72f4aa774d9e51df7f666de99dc648b
SHA1b531cb0b6ff3ea4724be230807fd95777eb0d926
SHA256b1247388913612bca333f1d19eaec885b02f4321dd4d97dab8987474947836ef
SHA512bda3f64ff3cae28ad9f12039292e94a32309fdb17a884e39858602f1b265c6af4a59648a6f4783ae79904fc657ba2ff00ea2746da6a816b20cfa50de1c85881d
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/1892-185-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-183-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-187-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-189-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-191-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-193-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-195-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-197-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-199-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-200-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1892-201-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/1892-202-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/1892-203-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/1892-205-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1892-167-0x0000000000730000-0x000000000075D000-memory.dmpFilesize
180KB
-
memory/1892-168-0x0000000004B80000-0x0000000005124000-memory.dmpFilesize
5.6MB
-
memory/1892-181-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-179-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-177-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-175-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-173-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-172-0x0000000004A20000-0x0000000004A32000-memory.dmpFilesize
72KB
-
memory/1892-171-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/1892-170-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/1892-169-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/3592-1142-0x00000000004B0000-0x00000000004E2000-memory.dmpFilesize
200KB
-
memory/3592-1144-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/3592-1143-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/4124-161-0x0000000000A30000-0x0000000000A3A000-memory.dmpFilesize
40KB
-
memory/4808-217-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-239-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-242-0x0000000000760000-0x00000000007AB000-memory.dmpFilesize
300KB
-
memory/4808-241-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-244-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-246-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-248-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-245-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-1120-0x0000000005210000-0x0000000005828000-memory.dmpFilesize
6.1MB
-
memory/4808-1121-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/4808-1122-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/4808-1123-0x0000000005A00000-0x0000000005A3C000-memory.dmpFilesize
240KB
-
memory/4808-1124-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-1125-0x0000000005CF0000-0x0000000005D82000-memory.dmpFilesize
584KB
-
memory/4808-1126-0x0000000005D90000-0x0000000005DF6000-memory.dmpFilesize
408KB
-
memory/4808-1128-0x00000000065C0000-0x0000000006782000-memory.dmpFilesize
1.8MB
-
memory/4808-1129-0x0000000006790000-0x0000000006CBC000-memory.dmpFilesize
5.2MB
-
memory/4808-1130-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-1131-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-1132-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB
-
memory/4808-1133-0x0000000006DF0000-0x0000000006E66000-memory.dmpFilesize
472KB
-
memory/4808-237-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-235-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-233-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-231-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-229-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-227-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-225-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-223-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-221-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-219-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-215-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-213-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-211-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-210-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/4808-1134-0x0000000006E80000-0x0000000006ED0000-memory.dmpFilesize
320KB
-
memory/4808-1135-0x0000000004B50000-0x0000000004B60000-memory.dmpFilesize
64KB