Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
16-11-2022 13:42
General
-
Target
f92204daaa2c5479c0ded55fc8b5ec5a99d92df67031ab4d2f411fda5fa3468c.exe
-
Size
231KB
-
MD5
a008b300f27aadb2361336f3cfebfeff
-
SHA1
32118e7684ce8cd89db3ff20dc9e72244a884acb
-
SHA256
f92204daaa2c5479c0ded55fc8b5ec5a99d92df67031ab4d2f411fda5fa3468c
-
SHA512
578718e59a3fae21e01042f8ba575e3d9a9696def7f9428c270feaa5c6ebbff671068bfdb9a06dca437782e9c27446e66b940ebfd69bd5171b60c47f37fc6042
-
SSDEEP
3072:MXOhMnLz+fzKStW72ZhHbdAIGCkW+T5Hs2VyhxX9McK8Xk156mcIQMmWXt9P0:IJnLzRStbZBdAIC9lMI+X9tXkq2mUXP
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 4 IoCs
-
Detects Smokeloader packer 1 IoCs
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f92204daaa2c5479c0ded55fc8b5ec5a99d92df67031ab4d2f411fda5fa3468c.exe"C:\Users\Admin\AppData\Local\Temp\f92204daaa2c5479c0ded55fc8b5ec5a99d92df67031ab4d2f411fda5fa3468c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2913.exeC:\Users\Admin\AppData\Local\Temp\2913.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4130.exeC:\Users\Admin\AppData\Local\Temp\4130.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\47E8.exeC:\Users\Admin\AppData\Local\Temp\47E8.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵
-
C:\Users\Admin\AppData\Roaming\1000098000\Eternity.exe"C:\Users\Admin\AppData\Roaming\1000098000\Eternity.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key4⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear5⤵
-
C:\Windows\system32\findstr.exefindstr Key5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000104001\linda5.exe"C:\Users\Admin\AppData\Local\Temp\1000104001\linda5.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" -y .\9_HrXG.64⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 11442⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1756 -ip 17561⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3068 -ip 30681⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000104001\linda5.exeFilesize
1.8MB
MD5a31bb7c6081db2e836981b76ab5358e1
SHA1cb00dc662ecda1f9a98c6ddbeb7347a9985fb0cb
SHA256c851b65e6e205aea7d6b994e230c1986264ce0f00bf14089ce3f4760132bd6e6
SHA512c24896f55f017b2e01dbbd94bfe442c88f7ff54e17661780ec97d9c07fbb634669f69081bb66034a7248a473e9d7abe881822920d9c6fdd9eb8643f124049c04
-
C:\Users\Admin\AppData\Local\Temp\1000104001\linda5.exeFilesize
1.8MB
MD5a31bb7c6081db2e836981b76ab5358e1
SHA1cb00dc662ecda1f9a98c6ddbeb7347a9985fb0cb
SHA256c851b65e6e205aea7d6b994e230c1986264ce0f00bf14089ce3f4760132bd6e6
SHA512c24896f55f017b2e01dbbd94bfe442c88f7ff54e17661780ec97d9c07fbb634669f69081bb66034a7248a473e9d7abe881822920d9c6fdd9eb8643f124049c04
-
C:\Users\Admin\AppData\Local\Temp\2913.exeFilesize
3.9MB
MD5b7ef39daab5e3c8eb94053c2637ad252
SHA11de342a6012f4a46092634b4ea4ab04ae9af5076
SHA256dbaa428d2670b8e09503e1b0b16de38a6c5c6d91df93eac8db917847545080fb
SHA51240eacb327a718c8d8279e0df82236b3fad8369c67cd8a5b706b91a78c0bf83317b244c6e17b8a1388992c10a4f0d10b07356270b9fbf95262304c281e68cbd1d
-
C:\Users\Admin\AppData\Local\Temp\4130.exeFilesize
3.0MB
MD536da8ca92f8725823be3112ad6387a19
SHA1daff6fee3427fcc8d5578c38473e9cef64af8bf6
SHA256c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2
SHA512a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d
-
C:\Users\Admin\AppData\Local\Temp\4130.exeFilesize
3.0MB
MD536da8ca92f8725823be3112ad6387a19
SHA1daff6fee3427fcc8d5578c38473e9cef64af8bf6
SHA256c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2
SHA512a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d
-
C:\Users\Admin\AppData\Local\Temp\47E8.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\47E8.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
270KB
MD58a5ff092f6fe6ffe6aa7288ae30b13a6
SHA1508a6e4e0b6926ba89fab4cfb3875da6973fe4fd
SHA256efbf0a85791b2839bdf495e399a16a0a880507bfc77c9fde67dc93b5ee740c08
SHA5120d173ba210534663b57dd436c9d74091a546827ce1ac88fa404ecacc61d9ff76999de0fe3a20fb64a11c5ba065c6cb16213339704d2429ed0cfd6d8b0876b1f7
-
C:\Users\Admin\AppData\Local\Temp\9_HrXG.6Filesize
2.2MB
MD5fbe716fd8eb887749c24f5dc3d507bb2
SHA1ce5a6abbc0d6d14c8421b99469f34bccbe1cafd4
SHA256e8ee78eb833e158e799b20e18f67449c94b8ed881f1b2f49b5883ee10df3542e
SHA512489e78241927b6e3b7ab1b72bebea20972e4362d466a0a580245ab091bb9e6cda15f8f4596f13b9862b4bf0bf578b52558472b1d7c73c92b2cee6c6c411f919e
-
C:\Users\Admin\AppData\Local\Temp\9_HrXG.6Filesize
2.2MB
MD5fbe716fd8eb887749c24f5dc3d507bb2
SHA1ce5a6abbc0d6d14c8421b99469f34bccbe1cafd4
SHA256e8ee78eb833e158e799b20e18f67449c94b8ed881f1b2f49b5883ee10df3542e
SHA512489e78241927b6e3b7ab1b72bebea20972e4362d466a0a580245ab091bb9e6cda15f8f4596f13b9862b4bf0bf578b52558472b1d7c73c92b2cee6c6c411f919e
-
C:\Users\Admin\AppData\Roaming\1000098000\Eternity.exeFilesize
334KB
MD5a841724e4e82cecd3a00fac001ca9230
SHA1dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12
SHA2569e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59
SHA51229755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9
-
C:\Users\Admin\AppData\Roaming\1000098000\Eternity.exeFilesize
334KB
MD5a841724e4e82cecd3a00fac001ca9230
SHA1dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12
SHA2569e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59
SHA51229755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/616-216-0x0000000000000000-mapping.dmp
-
memory/656-212-0x0000000000000000-mapping.dmp
-
memory/820-154-0x0000000006320000-0x00000000064E2000-memory.dmpFilesize
1.8MB
-
memory/820-143-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-152-0x00000000062B0000-0x00000000062C2000-memory.dmpFilesize
72KB
-
memory/820-150-0x0000000005AA0000-0x00000000060B8000-memory.dmpFilesize
6.1MB
-
memory/820-151-0x0000000006130000-0x000000000623A000-memory.dmpFilesize
1.0MB
-
memory/820-149-0x0000000005350000-0x00000000053A0000-memory.dmpFilesize
320KB
-
memory/820-148-0x0000000005A20000-0x0000000005A96000-memory.dmpFilesize
472KB
-
memory/820-147-0x0000000005980000-0x0000000005A12000-memory.dmpFilesize
584KB
-
memory/820-146-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-145-0x00000000053D0000-0x0000000005974000-memory.dmpFilesize
5.6MB
-
memory/820-144-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-153-0x00000000062E0000-0x000000000631C000-memory.dmpFilesize
240KB
-
memory/820-186-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/820-136-0x0000000000000000-mapping.dmp
-
memory/820-219-0x00000000073C0000-0x00000000078EC000-memory.dmpFilesize
5.2MB
-
memory/820-223-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-224-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/820-141-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-142-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/820-140-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-139-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-138-0x0000000000400000-0x0000000000C6C000-memory.dmpFilesize
8.4MB
-
memory/820-178-0x0000000006A00000-0x0000000006A66000-memory.dmpFilesize
408KB
-
memory/932-182-0x0000000000000000-mapping.dmp
-
memory/1160-183-0x0000000000000000-mapping.dmp
-
memory/1196-204-0x0000000000680000-0x0000000000689000-memory.dmpFilesize
36KB
-
memory/1196-250-0x0000000000690000-0x0000000000695000-memory.dmpFilesize
20KB
-
memory/1196-196-0x0000000000000000-mapping.dmp
-
memory/1196-203-0x0000000000690000-0x0000000000695000-memory.dmpFilesize
20KB
-
memory/1292-184-0x0000000000000000-mapping.dmp
-
memory/1756-239-0x0000000000D10000-0x0000000000D4E000-memory.dmpFilesize
248KB
-
memory/1756-238-0x0000000000A1A000-0x0000000000A39000-memory.dmpFilesize
124KB
-
memory/1756-241-0x0000000000400000-0x0000000000846000-memory.dmpFilesize
4.3MB
-
memory/1756-240-0x0000000000A1A000-0x0000000000A39000-memory.dmpFilesize
124KB
-
memory/1964-158-0x0000000000000000-mapping.dmp
-
memory/1964-174-0x0000000000A87000-0x0000000000AA6000-memory.dmpFilesize
124KB
-
memory/1964-165-0x0000000000A87000-0x0000000000AA6000-memory.dmpFilesize
124KB
-
memory/1964-166-0x00000000009A0000-0x00000000009DE000-memory.dmpFilesize
248KB
-
memory/1964-167-0x0000000000400000-0x0000000000846000-memory.dmpFilesize
4.3MB
-
memory/1964-175-0x0000000000400000-0x0000000000846000-memory.dmpFilesize
4.3MB
-
memory/1976-214-0x0000000000F10000-0x0000000000F16000-memory.dmpFilesize
24KB
-
memory/1976-209-0x0000000000F00000-0x0000000000F0B000-memory.dmpFilesize
44KB
-
memory/1976-206-0x0000000000000000-mapping.dmp
-
memory/1988-218-0x0000000000000000-mapping.dmp
-
memory/2000-217-0x0000000000EB0000-0x0000000000EBD000-memory.dmpFilesize
52KB
-
memory/2000-211-0x0000000000000000-mapping.dmp
-
memory/2000-215-0x0000000000EC0000-0x0000000000EC7000-memory.dmpFilesize
28KB
-
memory/2056-192-0x0000000000000000-mapping.dmp
-
memory/2152-163-0x0000000000F10000-0x0000000000F17000-memory.dmpFilesize
28KB
-
memory/2152-161-0x0000000000000000-mapping.dmp
-
memory/2152-233-0x0000000000F10000-0x0000000000F17000-memory.dmpFilesize
28KB
-
memory/2152-164-0x0000000000F00000-0x0000000000F0B000-memory.dmpFilesize
44KB
-
memory/2192-213-0x0000000000000000-mapping.dmp
-
memory/2360-188-0x0000000000000000-mapping.dmp
-
memory/2464-200-0x0000027EA2B50000-0x0000027EA2BAA000-memory.dmpFilesize
360KB
-
memory/2464-197-0x0000000000000000-mapping.dmp
-
memory/2464-202-0x0000027EBE840000-0x0000027EBE890000-memory.dmpFilesize
320KB
-
memory/2464-232-0x00007FFAB5F20000-0x00007FFAB69E1000-memory.dmpFilesize
10.8MB
-
memory/2464-208-0x00007FFAB5F20000-0x00007FFAB69E1000-memory.dmpFilesize
10.8MB
-
memory/2596-181-0x0000000000000000-mapping.dmp
-
memory/2936-155-0x0000000000000000-mapping.dmp
-
memory/3100-207-0x0000000000000000-mapping.dmp
-
memory/3300-205-0x0000000000000000-mapping.dmp
-
memory/3456-259-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/3456-255-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/3456-258-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/3456-256-0x0000000000BE8EA0-mapping.dmp
-
memory/3456-257-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/3760-195-0x0000000000F00000-0x0000000000F27000-memory.dmpFilesize
156KB
-
memory/3760-193-0x0000000000000000-mapping.dmp
-
memory/3760-194-0x0000000000F30000-0x0000000000F52000-memory.dmpFilesize
136KB
-
memory/3760-246-0x0000000000F30000-0x0000000000F52000-memory.dmpFilesize
136KB
-
memory/3816-225-0x0000000000000000-mapping.dmp
-
memory/3868-180-0x0000000000000000-mapping.dmp
-
memory/3900-168-0x00000000012B0000-0x00000000012B9000-memory.dmpFilesize
36KB
-
memory/3900-162-0x0000000000000000-mapping.dmp
-
memory/3900-169-0x00000000012A0000-0x00000000012AF000-memory.dmpFilesize
60KB
-
memory/3900-234-0x00000000012B0000-0x00000000012B9000-memory.dmpFilesize
36KB
-
memory/3976-243-0x0000000000400000-0x0000000000846000-memory.dmpFilesize
4.3MB
-
memory/3976-242-0x0000000000C26000-0x0000000000C45000-memory.dmpFilesize
124KB
-
memory/3976-170-0x0000000000000000-mapping.dmp
-
memory/3976-187-0x0000000000C26000-0x0000000000C45000-memory.dmpFilesize
124KB
-
memory/3976-189-0x0000000000400000-0x0000000000846000-memory.dmpFilesize
4.3MB
-
memory/4072-201-0x0000000000000000-mapping.dmp
-
memory/4304-173-0x0000000000000000-mapping.dmp
-
memory/4304-176-0x00000000010F0000-0x00000000010F5000-memory.dmpFilesize
20KB
-
memory/4304-177-0x00000000010E0000-0x00000000010E9000-memory.dmpFilesize
36KB
-
memory/4304-235-0x00000000010F0000-0x00000000010F5000-memory.dmpFilesize
20KB
-
memory/4480-247-0x00000000031C0000-0x0000000003276000-memory.dmpFilesize
728KB
-
memory/4480-245-0x00000000030E0000-0x00000000031AA000-memory.dmpFilesize
808KB
-
memory/4480-229-0x0000000000000000-mapping.dmp
-
memory/4480-237-0x0000000002FC0000-0x00000000030DD000-memory.dmpFilesize
1.1MB
-
memory/4480-236-0x0000000002D10000-0x0000000002E93000-memory.dmpFilesize
1.5MB
-
memory/4492-191-0x0000000000550000-0x000000000055C000-memory.dmpFilesize
48KB
-
memory/4492-244-0x0000000000560000-0x0000000000566000-memory.dmpFilesize
24KB
-
memory/4492-179-0x0000000000000000-mapping.dmp
-
memory/4492-190-0x0000000000560000-0x0000000000566000-memory.dmpFilesize
24KB
-
memory/4532-185-0x0000000000000000-mapping.dmp
-
memory/4684-265-0x0000000000DB0000-0x0000000000DD4000-memory.dmpFilesize
144KB
-
memory/4684-261-0x0000000000000000-mapping.dmp
-
memory/4980-133-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4980-134-0x0000000000400000-0x000000000083D000-memory.dmpFilesize
4.2MB
-
memory/4980-132-0x0000000000B17000-0x0000000000B2C000-memory.dmpFilesize
84KB
-
memory/4980-135-0x0000000000400000-0x000000000083D000-memory.dmpFilesize
4.2MB
-
memory/5036-222-0x0000000000190000-0x000000000019B000-memory.dmpFilesize
44KB
-
memory/5036-220-0x0000000000000000-mapping.dmp
-
memory/5036-221-0x00000000001A0000-0x00000000001A8000-memory.dmpFilesize
32KB
-
memory/5056-210-0x0000000000000000-mapping.dmp