Analysis
-
max time kernel
110s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
01-04-2023 09:41
General
-
Target
ac1331b96aad274bcba551ed2bccba3eedbe068b77a5bc1dc06db17b13256c15.exe
-
Size
992KB
-
MD5
8b39c1a80305abe4573d9b8dc1504a57
-
SHA1
730081e5a09f23947c443fa3d91593b881a402b7
-
SHA256
ac1331b96aad274bcba551ed2bccba3eedbe068b77a5bc1dc06db17b13256c15
-
SHA512
11388d710852a95498701d6a1f2d9ef54a54e9fda78ef5f9706fe6376c3a5eeed5bb593d4a09454cbb1dde2d3e3673786bbebf6332dc9329ce5adc49fe9054b0
-
SSDEEP
24576:Jyqe4HJvH44+mb1fwyG/uTrUCUPuUbxmPwt3TQ2Ph8/8qP/:8qeIJvH4rmb9o/SkuDP8zi/8y
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac1331b96aad274bcba551ed2bccba3eedbe068b77a5bc1dc06db17b13256c15.exe"C:\Users\Admin\AppData\Local\Temp\ac1331b96aad274bcba551ed2bccba3eedbe068b77a5bc1dc06db17b13256c15.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2583.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2583.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1267.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1267.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6201.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6201.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6935.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6935.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6021Oi.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6021Oi.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 10806⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w40Ft00.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w40Ft00.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 15645⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZssk84.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZssk84.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62NU65.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62NU65.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1172 -ip 11721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3132 -ip 31321⤵
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62NU65.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y62NU65.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2583.exeFilesize
808KB
MD586be147bb19b856f5941c35f7e7c52f4
SHA1f8d913028699e8ba0bd42154cf99ee43afa7124b
SHA25604d573a973d317957cb81dbbf7d84281be8da256dfe4a3f3173a13067a06edd0
SHA5128b512516cc3d8205beef668d913ed188319e261dcc459c6582fb182a5186278b2a23d6054218634d5ec88af718ca5271817b15ffad960adfecc8ac7bda98b60e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2583.exeFilesize
808KB
MD586be147bb19b856f5941c35f7e7c52f4
SHA1f8d913028699e8ba0bd42154cf99ee43afa7124b
SHA25604d573a973d317957cb81dbbf7d84281be8da256dfe4a3f3173a13067a06edd0
SHA5128b512516cc3d8205beef668d913ed188319e261dcc459c6582fb182a5186278b2a23d6054218634d5ec88af718ca5271817b15ffad960adfecc8ac7bda98b60e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZssk84.exeFilesize
175KB
MD5baaa8bee4b077660f2e792616205776b
SHA1e049de75ce5e0d68a1a176ae4e1f3a1d4731e994
SHA256c4fd09751a4799cc101863ceb84eb20a042508dc77b69e1b267b6c5c29d3a546
SHA5121a87ff52fe76358656d8f110d6313d294ca06521dbddf1a0daccb966671eb8218af76a8a9ad59598bad1d441a9f0fa7e99a5e7cf7c1643d46fc8ffe05fcf80b7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZssk84.exeFilesize
175KB
MD5baaa8bee4b077660f2e792616205776b
SHA1e049de75ce5e0d68a1a176ae4e1f3a1d4731e994
SHA256c4fd09751a4799cc101863ceb84eb20a042508dc77b69e1b267b6c5c29d3a546
SHA5121a87ff52fe76358656d8f110d6313d294ca06521dbddf1a0daccb966671eb8218af76a8a9ad59598bad1d441a9f0fa7e99a5e7cf7c1643d46fc8ffe05fcf80b7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1267.exeFilesize
665KB
MD50042989582b2bd8d9d794ecf96600c6b
SHA141aa9f15201f7df2a948ccb64a9a13e85d74f4e4
SHA2560eb090e403a80207eae989662a7e279f125d451e59b308fcc014ab46a116c053
SHA51270a3f7a5264e0fcb19ea1c3060546dfb521c6b8a866392ef71e38c3fb3d4579038d4ce6888b42295c582a2d9267bc7aee8ed05c595dec3fb5eac054998319ac1
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1267.exeFilesize
665KB
MD50042989582b2bd8d9d794ecf96600c6b
SHA141aa9f15201f7df2a948ccb64a9a13e85d74f4e4
SHA2560eb090e403a80207eae989662a7e279f125d451e59b308fcc014ab46a116c053
SHA51270a3f7a5264e0fcb19ea1c3060546dfb521c6b8a866392ef71e38c3fb3d4579038d4ce6888b42295c582a2d9267bc7aee8ed05c595dec3fb5eac054998319ac1
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w40Ft00.exeFilesize
342KB
MD5a2d00e5e4b5d1e27383da21eba93cc57
SHA11e489041ec4ac90db9d657cef571c809699c2905
SHA2563899f3ed5fa31c320300257e626c8a0e66bfd105a8dba10d5a7552f7f5ab6e84
SHA5125809a555797714516562cb19b6213e01e4e07f2b4a91bf02d292cc53e13640ffe1e4d5e4bf6233c3146ae384658b252ee59be3798d3815bc264eff53229165e7
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w40Ft00.exeFilesize
342KB
MD5a2d00e5e4b5d1e27383da21eba93cc57
SHA11e489041ec4ac90db9d657cef571c809699c2905
SHA2563899f3ed5fa31c320300257e626c8a0e66bfd105a8dba10d5a7552f7f5ab6e84
SHA5125809a555797714516562cb19b6213e01e4e07f2b4a91bf02d292cc53e13640ffe1e4d5e4bf6233c3146ae384658b252ee59be3798d3815bc264eff53229165e7
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6201.exeFilesize
329KB
MD5f09a4f754edccc112c7007ad91847dcb
SHA1eca9f45513edf991df409330665cf798355a8889
SHA2568065f6bdd02f788b5c71d78bf819a1ce041f4f433b21ef0ea763f69feedfacb9
SHA5123cffe93f6777e7fb6125c68f11d9a99c975b5f029ddab2ca6cb6b5b9fe6ba51c70339697ef4854a2a068ca98debbeedc2be54eb2a626a8b096986540abaa0a18
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6201.exeFilesize
329KB
MD5f09a4f754edccc112c7007ad91847dcb
SHA1eca9f45513edf991df409330665cf798355a8889
SHA2568065f6bdd02f788b5c71d78bf819a1ce041f4f433b21ef0ea763f69feedfacb9
SHA5123cffe93f6777e7fb6125c68f11d9a99c975b5f029ddab2ca6cb6b5b9fe6ba51c70339697ef4854a2a068ca98debbeedc2be54eb2a626a8b096986540abaa0a18
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6935.exeFilesize
12KB
MD56df59c7df838c6d370ff62e08d594d7c
SHA1fccefb792e947ae376aadad55133cbaef4c0e8b3
SHA2566cd25bb7fc4d9cf74da0d218a04a8bf8d94a7c446a063b932217d09869ff566f
SHA5120ae4fa9e289e3ee93cb8ca404aa268e87c32be44b0bec8ea2b1717a600d9d0d94a6484d9eb0c50d331fa32620ae8df42c1f247284cbbee57e62d0b6421beb27c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6935.exeFilesize
12KB
MD56df59c7df838c6d370ff62e08d594d7c
SHA1fccefb792e947ae376aadad55133cbaef4c0e8b3
SHA2566cd25bb7fc4d9cf74da0d218a04a8bf8d94a7c446a063b932217d09869ff566f
SHA5120ae4fa9e289e3ee93cb8ca404aa268e87c32be44b0bec8ea2b1717a600d9d0d94a6484d9eb0c50d331fa32620ae8df42c1f247284cbbee57e62d0b6421beb27c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6021Oi.exeFilesize
284KB
MD5ea8c1425311e3f222f3823145e1eb007
SHA1cd65c11e87c453afccecfabdbdc75221f3857eb4
SHA256df21d2559fc14cfc8ce05c28f37bddafbe5a6087ab4c306dae443e7b82537c37
SHA5124dabff4c2085dfae63fe283a3759b2143012d66d441a2b4d156827e2e5ae948b536bcc2695a144fb9428ab05b40d119af60b4e5c74d45d687acf8ab9a09f0f65
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6021Oi.exeFilesize
284KB
MD5ea8c1425311e3f222f3823145e1eb007
SHA1cd65c11e87c453afccecfabdbdc75221f3857eb4
SHA256df21d2559fc14cfc8ce05c28f37bddafbe5a6087ab4c306dae443e7b82537c37
SHA5124dabff4c2085dfae63fe283a3759b2143012d66d441a2b4d156827e2e5ae948b536bcc2695a144fb9428ab05b40d119af60b4e5c74d45d687acf8ab9a09f0f65
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeFilesize
236KB
MD5de1c84004d69ad1dcc613a2b2f7aecd3
SHA1e296ab500772502c400058a660115848ca93810b
SHA25624af9fb2d4312dff97a4fa24d3087bbfbee9e4242a7b1789414bdb7021eab38b
SHA51282f93f2423d0dfe5f9772dca6298158d18e3b25f8b0f65d839d1a58e40bcd9fc4e12589da783da27eca8be05dfa168e48d590ee2f45a3ee8a90a189c330935d1
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/1172-180-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-186-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-188-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-190-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-192-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-194-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-196-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-198-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-199-0x0000000000400000-0x0000000002B75000-memory.dmpFilesize
39.5MB
-
memory/1172-200-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/1172-202-0x0000000000400000-0x0000000002B75000-memory.dmpFilesize
39.5MB
-
memory/1172-184-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-182-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-178-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-176-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-174-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-172-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-171-0x0000000004AE0000-0x0000000004AF2000-memory.dmpFilesize
72KB
-
memory/1172-170-0x00000000073A0000-0x0000000007944000-memory.dmpFilesize
5.6MB
-
memory/1172-169-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/1172-168-0x0000000007390000-0x00000000073A0000-memory.dmpFilesize
64KB
-
memory/1172-167-0x0000000002BC0000-0x0000000002BED000-memory.dmpFilesize
180KB
-
memory/3132-220-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-1126-0x0000000008C20000-0x000000000914C000-memory.dmpFilesize
5.2MB
-
memory/3132-232-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-234-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-236-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-239-0x00000000047C0000-0x000000000480B000-memory.dmpFilesize
300KB
-
memory/3132-238-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-241-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-242-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-243-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-245-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-1117-0x0000000007860000-0x0000000007E78000-memory.dmpFilesize
6.1MB
-
memory/3132-1118-0x0000000007E80000-0x0000000007F8A000-memory.dmpFilesize
1.0MB
-
memory/3132-1119-0x0000000007280000-0x0000000007292000-memory.dmpFilesize
72KB
-
memory/3132-1120-0x0000000007F90000-0x0000000007FCC000-memory.dmpFilesize
240KB
-
memory/3132-1121-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-1123-0x0000000008280000-0x0000000008312000-memory.dmpFilesize
584KB
-
memory/3132-1124-0x0000000008320000-0x0000000008386000-memory.dmpFilesize
408KB
-
memory/3132-1125-0x0000000008A40000-0x0000000008C02000-memory.dmpFilesize
1.8MB
-
memory/3132-230-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-1127-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-1128-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-1129-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/3132-1130-0x0000000009380000-0x00000000093F6000-memory.dmpFilesize
472KB
-
memory/3132-228-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-1131-0x0000000009410000-0x0000000009460000-memory.dmpFilesize
320KB
-
memory/3132-207-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-208-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-210-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-212-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-226-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-224-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-222-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-218-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-216-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3132-214-0x0000000004D00000-0x0000000004D3F000-memory.dmpFilesize
252KB
-
memory/3760-161-0x0000000000E30000-0x0000000000E3A000-memory.dmpFilesize
40KB
-
memory/4112-1139-0x00000000057F0000-0x0000000005800000-memory.dmpFilesize
64KB
-
memory/4112-1138-0x00000000057F0000-0x0000000005800000-memory.dmpFilesize
64KB
-
memory/4112-1137-0x0000000000C40000-0x0000000000C72000-memory.dmpFilesize
200KB