Analysis
-
max time kernel
131s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
11-04-2023 10:00
General
-
Target
8770ff5b3d2f1da6bf295679f93711118cc7f3e61fcf576f4809e3f3da4ada59.exe
-
Size
844KB
-
MD5
126799c6425e999b562bbbbd779d97e8
-
SHA1
cbbd5b1f37a3d52297b75e7103bacf9d82068f40
-
SHA256
8770ff5b3d2f1da6bf295679f93711118cc7f3e61fcf576f4809e3f3da4ada59
-
SHA512
a6d2aed578c86a6f5811ac3dc9c89486c01bd0ba5170f94973edf80e85f8f192c8199288c8ae574465084c096a89de6e150704f00128576f0511df255cad5eb6
-
SSDEEP
24576:7yyg1xQoCFjw7/b4nrro2gc3D4mqpN8XraM4OOzR:uyggoQjm4Hg+W8X2Mq
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nahui
176.113.115.145:4125
-
auth_value
b9ed10946d21e28d58d0c72c535cde6f
Extracted
amadey
3.70
77.91.124.207/plays/chapter/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8770ff5b3d2f1da6bf295679f93711118cc7f3e61fcf576f4809e3f3da4ada59.exe"C:\Users\Admin\AppData\Local\Temp\8770ff5b3d2f1da6bf295679f93711118cc7f3e61fcf576f4809e3f3da4ada59.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un015229.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un015229.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un792605.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un792605.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr151960.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr151960.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 10805⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107544.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107544.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 13685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421649.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421649.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375245.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375245.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 216 -ip 2161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2056 -ip 20561⤵
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375245.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375245.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un015229.exeFilesize
661KB
MD5a823dcdebfb810df754f64d2875ff12a
SHA19e2297a05feace329009b9c3c0edfc39239e1dfd
SHA256bacd50711cc037f835c56e5764af5e39e7c86ac12daa8d8d4c615ef0b02daf4e
SHA5122833d80113c5c789ef77f18f30bc33ebb3c3f1995cf674a2953fe0e088905afa6dcb4007ac05f388c042a1490f58266186a2c40b3a24e080d93842d9508a0b05
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un015229.exeFilesize
661KB
MD5a823dcdebfb810df754f64d2875ff12a
SHA19e2297a05feace329009b9c3c0edfc39239e1dfd
SHA256bacd50711cc037f835c56e5764af5e39e7c86ac12daa8d8d4c615ef0b02daf4e
SHA5122833d80113c5c789ef77f18f30bc33ebb3c3f1995cf674a2953fe0e088905afa6dcb4007ac05f388c042a1490f58266186a2c40b3a24e080d93842d9508a0b05
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421649.exeFilesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk421649.exeFilesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un792605.exeFilesize
519KB
MD5710efa1e5610b3a730b282372079a7e4
SHA11eaba3bad79b780bb473f31ae0eef961c1aceb8e
SHA256be447a8541575e3a28d545e9e16db22c262e2bbdeaf8bb101b862ccb2f6c1fa5
SHA512cd29d9e6510c8f4341f18c1b24b09dadbd05f3a51fc4fb5f9102291f8960dfecd5faea1a9e081aea0c15dc35d14a2d538e8ace2172c161fe8b18894eb9936318
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un792605.exeFilesize
519KB
MD5710efa1e5610b3a730b282372079a7e4
SHA11eaba3bad79b780bb473f31ae0eef961c1aceb8e
SHA256be447a8541575e3a28d545e9e16db22c262e2bbdeaf8bb101b862ccb2f6c1fa5
SHA512cd29d9e6510c8f4341f18c1b24b09dadbd05f3a51fc4fb5f9102291f8960dfecd5faea1a9e081aea0c15dc35d14a2d538e8ace2172c161fe8b18894eb9936318
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr151960.exeFilesize
239KB
MD5b63335c6133200288caa5e9e0368ebdb
SHA1f35a15a179021bec45d19850f3f5cf761cc74386
SHA2566ca67c9e23d316f0f1d5a3d2caa03fc586d31b50bcfab91bdc95cf270763eda8
SHA512d41cebe9aded6b176b775c0e84c0dd3ad3fdea0a25e4af9d89f54907a0905c01898702cd69b07e4903a8b5c7004121a864e2637df06b2e4b7c39b06126c6273f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr151960.exeFilesize
239KB
MD5b63335c6133200288caa5e9e0368ebdb
SHA1f35a15a179021bec45d19850f3f5cf761cc74386
SHA2566ca67c9e23d316f0f1d5a3d2caa03fc586d31b50bcfab91bdc95cf270763eda8
SHA512d41cebe9aded6b176b775c0e84c0dd3ad3fdea0a25e4af9d89f54907a0905c01898702cd69b07e4903a8b5c7004121a864e2637df06b2e4b7c39b06126c6273f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107544.exeFilesize
299KB
MD58a6cc904d2dc9c3c1391df050f2b002e
SHA185eefed9eb435e850ea2d3d2da1fac6f277557c9
SHA25629bb0e7da48bb27de4b0e7ed7b132ae60eec41f4ff67beb6f72a0b527a9570c0
SHA512eba7bb0a4e0bc977b3564597b9db73849907aaae8fe01ca4cf41763e2fd2a783ff423889318daa5ce586bf0be567c3b75daf70ec4e15086d4e7b083ed79b7e2d
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu107544.exeFilesize
299KB
MD58a6cc904d2dc9c3c1391df050f2b002e
SHA185eefed9eb435e850ea2d3d2da1fac6f277557c9
SHA25629bb0e7da48bb27de4b0e7ed7b132ae60eec41f4ff67beb6f72a0b527a9570c0
SHA512eba7bb0a4e0bc977b3564597b9db73849907aaae8fe01ca4cf41763e2fd2a783ff423889318daa5ce586bf0be567c3b75daf70ec4e15086d4e7b083ed79b7e2d
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/216-171-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-191-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-173-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-175-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-177-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-179-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-181-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-183-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-185-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-187-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-188-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/216-189-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-190-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-169-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-193-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/216-167-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-165-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-163-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-161-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-160-0x0000000004A10000-0x0000000004A22000-memory.dmpFilesize
72KB
-
memory/216-159-0x0000000004BA0000-0x0000000005144000-memory.dmpFilesize
5.6MB
-
memory/216-158-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-157-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-156-0x0000000004B90000-0x0000000004BA0000-memory.dmpFilesize
64KB
-
memory/216-155-0x0000000000630000-0x000000000065D000-memory.dmpFilesize
180KB
-
memory/2056-209-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-1117-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-221-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-223-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-225-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-227-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-229-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-231-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-449-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-447-0x0000000002010000-0x000000000205B000-memory.dmpFilesize
300KB
-
memory/2056-451-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-454-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-1108-0x0000000005240000-0x0000000005858000-memory.dmpFilesize
6.1MB
-
memory/2056-1109-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/2056-1110-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/2056-1111-0x0000000005A00000-0x0000000005A3C000-memory.dmpFilesize
240KB
-
memory/2056-1112-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-1113-0x0000000005CF0000-0x0000000005D82000-memory.dmpFilesize
584KB
-
memory/2056-1114-0x0000000005D90000-0x0000000005DF6000-memory.dmpFilesize
408KB
-
memory/2056-219-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-1116-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-1118-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-1119-0x00000000066F0000-0x00000000068B2000-memory.dmpFilesize
1.8MB
-
memory/2056-1120-0x00000000068D0000-0x0000000006DFC000-memory.dmpFilesize
5.2MB
-
memory/2056-1121-0x0000000006F40000-0x0000000006FB6000-memory.dmpFilesize
472KB
-
memory/2056-1122-0x0000000006FC0000-0x0000000007010000-memory.dmpFilesize
320KB
-
memory/2056-1123-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/2056-198-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-217-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-215-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-213-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-211-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-207-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-205-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-203-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-201-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2056-199-0x00000000050C0000-0x00000000050FF000-memory.dmpFilesize
252KB
-
memory/2152-1129-0x00000000000D0000-0x0000000000102000-memory.dmpFilesize
200KB
-
memory/2152-1130-0x0000000004C90000-0x0000000004CA0000-memory.dmpFilesize
64KB