Analysis
-
max time kernel
323s -
max time network
330s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 10:39
General
-
Target
585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98.exe
-
Size
1.8MB
-
MD5
908243a9511f16a9e6365cd83328b032
-
SHA1
9c5c9f3b75dac14e77303933c11df64e2649c5c1
-
SHA256
585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98
-
SHA512
0b601ae823a9d07b0e8a2250d7ab1ddf7779fedf4713521d3afca81a0bb0fba87bbe32d1aebc748d590639d20a407a84f025ecc5541cf2364c9588d871bb64da
-
SSDEEP
49152:RMhIGBD39f7f1bjW5Q0BzH4p6xbeOBbJAPI7e:RvGBD39LNa5Q0pA6xbtAPI
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: LoadsDriver 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98.exe"C:\Users\Admin\AppData\Local\Temp\585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.0.260948173\1979891318" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfcc10b9-9037-48c2-93fe-f59d5891c274} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 1680 23029d10c58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.1.1170796260\1388674210" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {885b5649-2667-4436-82bf-5300146087e9} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 2416 23015b8a258 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.2.85485476\1449938347" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {755904f7-c9d8-4080-be42-b018040a5614} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 2996 2302c7df858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.3.1173037990\1054850465" -childID 2 -isForBrowser -prefsHandle 4224 -prefMapHandle 2748 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d6b8b31-ca2a-4d12-b640-5611088c6a36} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 4236 2302cf2f058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.4.1188718637\264586918" -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 5056 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee2c066-7994-4995-8ce1-9958f2faa4aa} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 5004 23030b4da58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.5.1010350377\225415804" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403d639a-3790-498f-9352-b533e6a57c51} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 5204 23030b4e058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.6.1369747729\699943154" -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {552541f2-7eca-4b12-838d-90b6d2fb5795} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 5396 23030bf9758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3364.7.1173630689\834058976" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 28172 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17a3f4ad-0e14-4a7d-9ab5-f850e5f90fdd} 3364 "\\.\pipe\gecko-crash-server-pipe.3364" 5884 23030bf9458 tab3⤵
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmpFilesize
26KB
MD5003473f5b1310023c548a6f38d1e2483
SHA1c5c8bcbf9acc2629039b95aa5f076b7dcee2dca5
SHA2567b5344691fa369a19fe21fad4755c11e09c8823f7deed6528f30597fecbc9b93
SHA512a47a7dbd4670c5ba88d875c74e8ef2050c7cf0580bcbf80ae91fbb69a109312088d4fb8b12a616d48eaa6bef3a50245bc59c4de16fa51373c4ef7d25665d9963
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeFilesize
1.8MB
MD5908243a9511f16a9e6365cd83328b032
SHA19c5c9f3b75dac14e77303933c11df64e2649c5c1
SHA256585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98
SHA5120b601ae823a9d07b0e8a2250d7ab1ddf7779fedf4713521d3afca81a0bb0fba87bbe32d1aebc748d590639d20a407a84f025ecc5541cf2364c9588d871bb64da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.jsFilesize
7KB
MD521f02bffc60ff6bba13f71bb36c11865
SHA1d3a2d14f4c29ce09b0c718df0ea467cfe76a1401
SHA25686e532b3301fec64a7688ec3937cacbe5121cee8a16307bef5a9ea02798b08f3
SHA512cd0d56aec403cbbe0d45bdbc84df911a0bb1705f4daa24a11681a83f13bc0e70cf1ad38ce9f2f89a65eec980ed1fac593b82f693e726a84a4dc469ae0ee256e7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.jsFilesize
7KB
MD5e02590400f1783bf1db3900bf733784d
SHA1d771c2c56dd3d592b92a4b26c699cd1c45e558de
SHA256be5b91a25c37109f0be74238628dd66680f50e43f76b8f1bd67073db128cacee
SHA5129d67c6ea70f63c847e6d3446ad6364e39925ec2a0784770989065352f3044e4c88179194994dfee4cb47a706dccfb2f7d71800d0288a3910261d86ad88e076f9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.jsFilesize
7KB
MD5bd1ecd9b269e7184d71a6164a8f6c942
SHA142c57652ecc49a28a1a6fa372561bd721792056e
SHA256178f8eb756b2759d35a35b3382444588f4c77fc1d7becc845f53eb8809358a44
SHA51242a67630ae8da73922816c5d951fded8c0e6030277538ebee425aa61cdf836e67f346c55a4cd99e967c86e7d6b735e9d0e7be8658719bdf656b0424e31348b98
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.jsFilesize
6KB
MD587fe51ffe2b6e41424760f36987a3eff
SHA107dbf85be9ee7143da05f431c91e7d97ce0f7481
SHA256c0280ca64a8d7e7424d0797d926ce84e6f14fa950486091e7de8f6d21d9f27ab
SHA5122b8c571955c9e9d7f0199cc83a012540e3fcb254e1dc7165df13063c989aacf6a37a8771e0ed69104a3de8011cdb08bbe2afcffcb90ad72ae5692878cae53a48
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD53b59b45b799b36aa0549f046c7a22351
SHA10d4a3a9475a7869e0e42a18c1c38910f94b3c9ef
SHA256c1b75531fe2e4148edece28c57b7e2eafd6264e143ddd7370ba329d6fd5461c5
SHA512a7439a2de7d503c84cfa62eb91adcbef452d69b33bf2edd68c6cd167b1f53dc0e19f59d83d3e4edbc3baf4b1b2854dfd1108476b46051980de84854b85b023fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD520fa7c75a748ec448a7ce3d1d8549eb7
SHA1f09320302eabcc87e35a158574f4a131b3f8e532
SHA2560dd0d4f9e7d4c85a21b13268b36e164ab13f49db67c22f86e4cedc4ee8e48fe4
SHA5125b7dfd9e79964e382c927ba309368bfc47d77b109fa7099649a22a50d39c4bee7d56d51e841a6efaf34c796d579ddf7f8ea4bf4ae59e0f012d59c2a0330087c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD53806ba397ef3701232607c7abebe8eeb
SHA186adfd04db66d03bec3a31a98f0059d33ed7f840
SHA25642159f64a5eedbdddb54b750ebdd6c7f7b2b9055afba610a681497ce87862dc4
SHA512cbfb742a3760ba05c318160be2c113051f62750266edab52f303d9e09aeeeaa3f058e0cec2e344f6bd47ecfb85c68cb4e14833b8c9750148a15b3669641f8612
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore.jsonlz4Filesize
1KB
MD5547a69e840bc3b40072d6bf2da70ac58
SHA15e58fedafab0214881d84c2bef2af77bc45c9c84
SHA256402e3d7c048864be57f2e6ea4895ab4572d620da17515844b1a0bb04c3541e0a
SHA5122a0bda94299bf9fb99e56a753e2335ee63a85c99982780bbe600e444897803ec68fd8839512905fc6c3f2e1c56a4296061066793e45e632e2d7709745ce32ca6
-
memory/1860-123-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-54-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-23-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-24-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-25-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-26-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-264-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-263-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-262-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-185-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-32-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-33-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-34-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-35-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-36-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-37-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-182-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-164-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-42-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-43-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-44-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-45-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-46-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-47-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-159-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-146-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-51-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-52-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-53-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-22-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-55-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-21-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-19-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-97-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-20-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-141-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-140-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-131-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/1860-18-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2036-162-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2036-163-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2076-28-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2076-29-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2076-30-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2076-31-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2996-39-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/2996-41-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/4252-122-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/4252-120-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/4500-50-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/4500-49-0x00000000002F0000-0x00000000007BB000-memory.dmpFilesize
4.8MB
-
memory/4564-5-0x0000000000460000-0x000000000092B000-memory.dmpFilesize
4.8MB
-
memory/4564-3-0x0000000000460000-0x000000000092B000-memory.dmpFilesize
4.8MB
-
memory/4564-2-0x0000000000461000-0x000000000048F000-memory.dmpFilesize
184KB
-
memory/4564-1-0x00000000778D4000-0x00000000778D6000-memory.dmpFilesize
8KB
-
memory/4564-0-0x0000000000460000-0x000000000092B000-memory.dmpFilesize
4.8MB
-
memory/4564-17-0x0000000000460000-0x000000000092B000-memory.dmpFilesize
4.8MB