Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2022 02:43
Static task
static1
Behavioral task
behavioral1
Sample
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe
Resource
win10v2004-20220901-en
General
-
Target
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe
-
Size
331KB
-
MD5
69f4b2f80e0bb8ae4b22e14d2fb4ed87
-
SHA1
43e11e9ff4a7473bb4b03c8df232b65e3422302e
-
SHA256
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
-
SHA512
b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
SSDEEP
6144:+ZLTnLkTdx5/lGB+vtRGYVauDSIDcMCVS:+ZL7LIlVvtnVaQDcBVS
Malware Config
Extracted
amadey
3.50
77.73.133.72/hfk3vK9/index.php
Extracted
redline
@2023
79.137.192.28:20723
-
auth_value
93b4b7d0dc8e9415e261a402587c6710
Signatures
-
Detect Amadey credential stealer module 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll amadey_cred_module behavioral1/memory/3404-173-0x00000000007E0000-0x0000000000804000-memory.dmp amadey_cred_module C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll amadey_cred_module C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll amadey_cred_module -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 35 3404 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
gntuud.exesoftx64.exegntuud.exegntuud.exegntuud.exepid process 3508 gntuud.exe 672 softx64.exe 2832 gntuud.exe 2460 gntuud.exe 1588 gntuud.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exegntuud.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation gntuud.exe -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exepid process 3404 rundll32.exe 3404 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
gntuud.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\softx64.exe" gntuud.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
softx64.exedescription pid process target process PID 672 set thread context of 4812 672 softx64.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1096 1612 WerFault.exe eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe 2296 1612 WerFault.exe eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe 1628 1612 WerFault.exe eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe 3712 672 WerFault.exe softx64.exe 3068 2832 WerFault.exe gntuud.exe 364 2832 WerFault.exe gntuud.exe 4056 2832 WerFault.exe gntuud.exe 4248 2832 WerFault.exe gntuud.exe 4280 2832 WerFault.exe gntuud.exe 4088 2460 WerFault.exe gntuud.exe 424 2460 WerFault.exe gntuud.exe 1084 2460 WerFault.exe gntuud.exe 4064 2460 WerFault.exe gntuud.exe 3652 2460 WerFault.exe gntuud.exe 2692 1588 WerFault.exe gntuud.exe 3552 1588 WerFault.exe gntuud.exe 4640 1588 WerFault.exe gntuud.exe 672 1588 WerFault.exe gntuud.exe 1868 1588 WerFault.exe gntuud.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
vbc.exerundll32.exepid process 4812 vbc.exe 3404 rundll32.exe 3404 rundll32.exe 3404 rundll32.exe 3404 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 4812 vbc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exegntuud.exesoftx64.exedescription pid process target process PID 1612 wrote to memory of 3508 1612 eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe gntuud.exe PID 1612 wrote to memory of 3508 1612 eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe gntuud.exe PID 1612 wrote to memory of 3508 1612 eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe gntuud.exe PID 3508 wrote to memory of 224 3508 gntuud.exe schtasks.exe PID 3508 wrote to memory of 224 3508 gntuud.exe schtasks.exe PID 3508 wrote to memory of 224 3508 gntuud.exe schtasks.exe PID 3508 wrote to memory of 672 3508 gntuud.exe softx64.exe PID 3508 wrote to memory of 672 3508 gntuud.exe softx64.exe PID 3508 wrote to memory of 672 3508 gntuud.exe softx64.exe PID 672 wrote to memory of 4812 672 softx64.exe vbc.exe PID 672 wrote to memory of 4812 672 softx64.exe vbc.exe PID 672 wrote to memory of 4812 672 softx64.exe vbc.exe PID 672 wrote to memory of 4812 672 softx64.exe vbc.exe PID 672 wrote to memory of 4812 672 softx64.exe vbc.exe PID 3508 wrote to memory of 3404 3508 gntuud.exe rundll32.exe PID 3508 wrote to memory of 3404 3508 gntuud.exe rundll32.exe PID 3508 wrote to memory of 3404 3508 gntuud.exe rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe"C:\Users\Admin\AppData\Local\Temp\eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 3364⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 672 -ip 6721⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 5522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2832 -ip 28321⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 5402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 5482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 8162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2460 -ip 24601⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 5522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 8162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1588 -ip 15881⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
277KB
MD54f7358c27ddf88af37f87127239aaa97
SHA1e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA25680a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
277KB
MD54f7358c27ddf88af37f87127239aaa97
SHA1e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA25680a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
memory/224-141-0x0000000000000000-mapping.dmp
-
memory/672-142-0x0000000000000000-mapping.dmp
-
memory/1588-181-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1588-180-0x000000000067C000-0x000000000069A000-memory.dmpFilesize
120KB
-
memory/1588-182-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-148-0x00000000006C8000-0x00000000006E7000-memory.dmpFilesize
124KB
-
memory/1612-151-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-134-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-132-0x00000000006C8000-0x00000000006E7000-memory.dmpFilesize
124KB
-
memory/1612-133-0x00000000005F0000-0x000000000062E000-memory.dmpFilesize
248KB
-
memory/2460-178-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2460-177-0x00000000007DC000-0x00000000007FB000-memory.dmpFilesize
124KB
-
memory/2460-176-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2460-175-0x00000000007DC000-0x00000000007FB000-memory.dmpFilesize
124KB
-
memory/2832-158-0x000000000062C000-0x000000000064B000-memory.dmpFilesize
124KB
-
memory/2832-167-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2832-159-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2832-166-0x000000000062C000-0x000000000064B000-memory.dmpFilesize
124KB
-
memory/3404-173-0x00000000007E0000-0x0000000000804000-memory.dmpFilesize
144KB
-
memory/3404-169-0x0000000000000000-mapping.dmp
-
memory/3508-140-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/3508-135-0x0000000000000000-mapping.dmp
-
memory/3508-139-0x0000000000520000-0x000000000055E000-memory.dmpFilesize
248KB
-
memory/3508-138-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/3508-161-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/3508-160-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/4812-156-0x0000000007380000-0x00000000073BC000-memory.dmpFilesize
240KB
-
memory/4812-165-0x0000000008250000-0x0000000008412000-memory.dmpFilesize
1.8MB
-
memory/4812-155-0x0000000007320000-0x0000000007332000-memory.dmpFilesize
72KB
-
memory/4812-154-0x0000000007410000-0x000000000751A000-memory.dmpFilesize
1.0MB
-
memory/4812-153-0x0000000005A80000-0x0000000006098000-memory.dmpFilesize
6.1MB
-
memory/4812-146-0x0000000000540000-0x0000000000572000-memory.dmpFilesize
200KB
-
memory/4812-145-0x0000000000000000-mapping.dmp
-
memory/4812-162-0x0000000008440000-0x00000000089E4000-memory.dmpFilesize
5.6MB
-
memory/4812-168-0x0000000008F20000-0x000000000944C000-memory.dmpFilesize
5.2MB
-
memory/4812-163-0x0000000007F70000-0x0000000008002000-memory.dmpFilesize
584KB
-
memory/4812-164-0x0000000008010000-0x0000000008076000-memory.dmpFilesize
408KB