Analysis
-
max time kernel
153s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-05-2023 16:47
General
-
Target
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe
-
Size
1.2MB
-
MD5
dcfb5b038ac3723af9f4f8edcb9001f5
-
SHA1
34d4150135543e6a7c8bceb76675da82c1a09e61
-
SHA256
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39
-
SHA512
02c08d8f5e4710df611e34208d6b6d46eff327e97ba08f156c4be81b798fc9ba8308baf91c4f06ef5c1276a709950f3948c964a794ebd7dc33fe9909d8eba745
-
SSDEEP
24576:uyeORhvlcH7Vi+TeTgYgbqlvPDZUiGVRb4CBjVRTTlvtZ3Z9DTF:9JRh67Qlguv7WECBj7RzDT
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
life
185.161.248.73:4164
-
auth_value
8685d11953530b68ad5ec703809d9f91
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe"C:\Users\Admin\AppData\Local\Temp\63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 15206⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\u71135013.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\u71135013.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v66111472.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v66111472.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 316 -ip 3161⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeFilesize
231KB
MD5eb527be7212ad4ad4a5991ce46216ea2
SHA117e45d30a67fbeed193d326f717097452ae741a1
SHA2566b290f39cd36064857236f62d7a03ab8f0c30031f3d1be2f585b93d82f88b0b1
SHA51226c0c76921dadc83ea82f1a2dc68dcd17014ea085da684f1225256bea834b350c5e807484449adcbe0223dfc10b20cfa6efcf51f80e759cfedba0b42f55e0e17
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeFilesize
231KB
MD5eb527be7212ad4ad4a5991ce46216ea2
SHA117e45d30a67fbeed193d326f717097452ae741a1
SHA2566b290f39cd36064857236f62d7a03ab8f0c30031f3d1be2f585b93d82f88b0b1
SHA51226c0c76921dadc83ea82f1a2dc68dcd17014ea085da684f1225256bea834b350c5e807484449adcbe0223dfc10b20cfa6efcf51f80e759cfedba0b42f55e0e17
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeFilesize
231KB
MD5eb527be7212ad4ad4a5991ce46216ea2
SHA117e45d30a67fbeed193d326f717097452ae741a1
SHA2566b290f39cd36064857236f62d7a03ab8f0c30031f3d1be2f585b93d82f88b0b1
SHA51226c0c76921dadc83ea82f1a2dc68dcd17014ea085da684f1225256bea834b350c5e807484449adcbe0223dfc10b20cfa6efcf51f80e759cfedba0b42f55e0e17
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exeFilesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exeFilesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v66111472.exeFilesize
318KB
MD53cb09ebb29eaccbbcedbc2f03dda0568
SHA16c2600ba24a277c824141f8bdefbf8b5e5a89e28
SHA2561b37faf52cb931830ed300371e8d0ad02664f6b8c5c51eef7d05abc302bd48cb
SHA512580b657dcf80a12e74cee3f99fa1bea8f290b1d5408f223720b32d5f97c6d5b584ee7d8e8963ca9301380d65008791ddd404653c8de483df213734a22aef7d81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v66111472.exeFilesize
318KB
MD53cb09ebb29eaccbbcedbc2f03dda0568
SHA16c2600ba24a277c824141f8bdefbf8b5e5a89e28
SHA2561b37faf52cb931830ed300371e8d0ad02664f6b8c5c51eef7d05abc302bd48cb
SHA512580b657dcf80a12e74cee3f99fa1bea8f290b1d5408f223720b32d5f97c6d5b584ee7d8e8963ca9301380d65008791ddd404653c8de483df213734a22aef7d81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exeFilesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exeFilesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\u71135013.exeFilesize
231KB
MD5eb527be7212ad4ad4a5991ce46216ea2
SHA117e45d30a67fbeed193d326f717097452ae741a1
SHA2566b290f39cd36064857236f62d7a03ab8f0c30031f3d1be2f585b93d82f88b0b1
SHA51226c0c76921dadc83ea82f1a2dc68dcd17014ea085da684f1225256bea834b350c5e807484449adcbe0223dfc10b20cfa6efcf51f80e759cfedba0b42f55e0e17
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\u71135013.exeFilesize
231KB
MD5eb527be7212ad4ad4a5991ce46216ea2
SHA117e45d30a67fbeed193d326f717097452ae741a1
SHA2566b290f39cd36064857236f62d7a03ab8f0c30031f3d1be2f585b93d82f88b0b1
SHA51226c0c76921dadc83ea82f1a2dc68dcd17014ea085da684f1225256bea834b350c5e807484449adcbe0223dfc10b20cfa6efcf51f80e759cfedba0b42f55e0e17
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exeFilesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exeFilesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exeFilesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exeFilesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exeFilesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exeFilesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
memory/316-210-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-2162-0x0000000000900000-0x000000000095B000-memory.dmpFilesize
364KB
-
memory/316-174-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-176-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-180-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-178-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-182-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-184-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-186-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-188-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-190-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-192-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-194-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-196-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-198-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-200-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-202-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-204-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-206-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-208-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-214-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-212-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-170-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-216-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-218-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-220-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-222-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-224-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-226-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-228-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-230-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-172-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-2315-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-2316-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-2317-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-2319-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-2321-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-162-0x0000000000900000-0x000000000095B000-memory.dmpFilesize
364KB
-
memory/316-163-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-164-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-165-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/316-166-0x0000000005120000-0x00000000056C4000-memory.dmpFilesize
5.6MB
-
memory/316-167-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/316-168-0x00000000056D0000-0x0000000005730000-memory.dmpFilesize
384KB
-
memory/2780-2347-0x00000000048B0000-0x00000000048C0000-memory.dmpFilesize
64KB
-
memory/2780-2346-0x00000000000E0000-0x000000000010E000-memory.dmpFilesize
184KB
-
memory/2780-2349-0x00000000048B0000-0x00000000048C0000-memory.dmpFilesize
64KB
-
memory/2780-2350-0x0000000004C70000-0x0000000004CE6000-memory.dmpFilesize
472KB
-
memory/2780-2351-0x0000000004D90000-0x0000000004E22000-memory.dmpFilesize
584KB
-
memory/2780-2352-0x0000000004E30000-0x0000000004E96000-memory.dmpFilesize
408KB
-
memory/2780-2353-0x0000000005990000-0x00000000059E0000-memory.dmpFilesize
320KB
-
memory/2780-2355-0x00000000082B0000-0x00000000087DC000-memory.dmpFilesize
5.2MB
-
memory/3384-2404-0x0000000004DE0000-0x0000000004DF0000-memory.dmpFilesize
64KB
-
memory/3384-2406-0x0000000004DE0000-0x0000000004DF0000-memory.dmpFilesize
64KB
-
memory/3384-2403-0x00000000008F0000-0x000000000091D000-memory.dmpFilesize
180KB
-
memory/3384-2405-0x0000000004DE0000-0x0000000004DF0000-memory.dmpFilesize
64KB
-
memory/3520-2348-0x0000000003060000-0x0000000003070000-memory.dmpFilesize
64KB
-
memory/3520-2354-0x000000000C460000-0x000000000C622000-memory.dmpFilesize
1.8MB
-
memory/3520-2338-0x000000000AA70000-0x000000000AA82000-memory.dmpFilesize
72KB
-
memory/3520-2337-0x000000000AB40000-0x000000000AC4A000-memory.dmpFilesize
1.0MB
-
memory/3520-2336-0x000000000AFD0000-0x000000000B5E8000-memory.dmpFilesize
6.1MB
-
memory/3520-2335-0x0000000000D00000-0x0000000000D2E000-memory.dmpFilesize
184KB
-
memory/3520-2340-0x0000000003060000-0x0000000003070000-memory.dmpFilesize
64KB
-
memory/3520-2341-0x000000000AAD0000-0x000000000AB0C000-memory.dmpFilesize
240KB