Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2022 07:51
Behavioral task
behavioral1
Sample
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe
Resource
win10v2004-20221111-en
General
-
Target
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe
-
Size
111KB
-
MD5
27063953e8334bc1d395274a3ff8e66f
-
SHA1
c99c0c640f2cf83d15a5d77851b01f46351925db
-
SHA256
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352
-
SHA512
c55dab437eeef8a533361e3c406011b2bcee256ba05e654d27ccbb7acdfe739bdb62ca20cc0130b01ccb3c718424e26ca6bcb3c5260b633741105a137459e331
-
SSDEEP
1536:zK5oJuznccI1E2POyocnQZZZZZZZZZonfnGiA1kMb7cSt6gCYU4dZji:zKdccI1E2POyoUfY1kMb7c86g9DZji
Malware Config
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exepid process 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exedescription ioc process File renamed C:\Users\Admin\Pictures\RevokeWatch.png => C:\Users\Admin\Pictures\RevokeWatch.png.ecrp 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 6 IoCs
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp\shell\open\command 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp\shell 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp\shell\open 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe %1" 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe %1" 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.ecrp 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exepid process 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exevssvc.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exedescription pid process Token: SeDebugPrivilege 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe Token: SeBackupPrivilege 520 vssvc.exe Token: SeRestorePrivilege 520 vssvc.exe Token: SeAuditPrivilege 520 vssvc.exe Token: SeDebugPrivilege 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.execmd.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.execmd.exe966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.execmd.exedescription pid process target process PID 4940 wrote to memory of 1924 4940 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 4940 wrote to memory of 1924 4940 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 4940 wrote to memory of 1924 4940 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 1924 wrote to memory of 5004 1924 cmd.exe chcp.com PID 1924 wrote to memory of 5004 1924 cmd.exe chcp.com PID 1924 wrote to memory of 5004 1924 cmd.exe chcp.com PID 1924 wrote to memory of 2472 1924 cmd.exe PING.EXE PID 1924 wrote to memory of 2472 1924 cmd.exe PING.EXE PID 1924 wrote to memory of 2472 1924 cmd.exe PING.EXE PID 1924 wrote to memory of 4576 1924 cmd.exe schtasks.exe PID 1924 wrote to memory of 4576 1924 cmd.exe schtasks.exe PID 1924 wrote to memory of 4576 1924 cmd.exe schtasks.exe PID 1924 wrote to memory of 3196 1924 cmd.exe 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe PID 1924 wrote to memory of 3196 1924 cmd.exe 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe PID 1924 wrote to memory of 3196 1924 cmd.exe 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe PID 3196 wrote to memory of 4208 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 3196 wrote to memory of 4208 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 3196 wrote to memory of 4208 3196 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 4208 wrote to memory of 2300 4208 cmd.exe chcp.com PID 4208 wrote to memory of 2300 4208 cmd.exe chcp.com PID 4208 wrote to memory of 2300 4208 cmd.exe chcp.com PID 3144 wrote to memory of 4660 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 3144 wrote to memory of 4660 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 3144 wrote to memory of 4660 3144 966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe cmd.exe PID 4660 wrote to memory of 732 4660 cmd.exe chcp.com PID 4660 wrote to memory of 732 4660 cmd.exe chcp.com PID 4660 wrote to memory of 732 4660 cmd.exe chcp.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe"C:\Users\Admin\AppData\Local\Temp\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe"C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exeC:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exe.logFilesize
609B
MD5d12b2202c8663de63120a7239216f4c9
SHA1f0263381d735e0d3a029378de06e6c49f386bb4f
SHA256a1523cbbb1efe7eaed779caf6077a067519945accb1ab61a4c39323fffea6e5d
SHA512942e728bb334cd3a7c634617c04cc2848124505a7a5b3f3081e5d46334e313b1f6fbf854e94d4f44dd51692c39cd19d239b15de3f0aa443ebd8d60db2868ab80
-
C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exeFilesize
111KB
MD527063953e8334bc1d395274a3ff8e66f
SHA1c99c0c640f2cf83d15a5d77851b01f46351925db
SHA256966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352
SHA512c55dab437eeef8a533361e3c406011b2bcee256ba05e654d27ccbb7acdfe739bdb62ca20cc0130b01ccb3c718424e26ca6bcb3c5260b633741105a137459e331
-
C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exeFilesize
111KB
MD527063953e8334bc1d395274a3ff8e66f
SHA1c99c0c640f2cf83d15a5d77851b01f46351925db
SHA256966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352
SHA512c55dab437eeef8a533361e3c406011b2bcee256ba05e654d27ccbb7acdfe739bdb62ca20cc0130b01ccb3c718424e26ca6bcb3c5260b633741105a137459e331
-
C:\Users\Admin\AppData\Local\ServiceHub\966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352.exeFilesize
111KB
MD527063953e8334bc1d395274a3ff8e66f
SHA1c99c0c640f2cf83d15a5d77851b01f46351925db
SHA256966d30370c36f1e4f75655756f96ee424e3402427b20cfce5c93d9f4238d6352
SHA512c55dab437eeef8a533361e3c406011b2bcee256ba05e654d27ccbb7acdfe739bdb62ca20cc0130b01ccb3c718424e26ca6bcb3c5260b633741105a137459e331
-
memory/732-149-0x0000000000000000-mapping.dmp
-
memory/1924-135-0x0000000000000000-mapping.dmp
-
memory/2300-145-0x0000000000000000-mapping.dmp
-
memory/2472-137-0x0000000000000000-mapping.dmp
-
memory/3196-143-0x0000000004FE0000-0x0000000005046000-memory.dmpFilesize
408KB
-
memory/3196-146-0x00000000068F0000-0x00000000068FA000-memory.dmpFilesize
40KB
-
memory/3196-139-0x0000000000000000-mapping.dmp
-
memory/4208-144-0x0000000000000000-mapping.dmp
-
memory/4576-138-0x0000000000000000-mapping.dmp
-
memory/4660-148-0x0000000000000000-mapping.dmp
-
memory/4940-132-0x0000000000E20000-0x0000000000E42000-memory.dmpFilesize
136KB
-
memory/4940-134-0x00000000057E0000-0x0000000005872000-memory.dmpFilesize
584KB
-
memory/4940-133-0x0000000005E60000-0x0000000006404000-memory.dmpFilesize
5.6MB
-
memory/5004-136-0x0000000000000000-mapping.dmp