Analysis
-
max time kernel
158s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-03-2024 17:17
General
-
Target
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
-
Size
1.8MB
-
MD5
75c5abaeb9f1654c1daf75aab1e032dd
-
SHA1
9ccdcdc00e4108b0cf873b8948919b6015e7f118
-
SHA256
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429
-
SHA512
f8103bea2707cabeb2207128f2782ccce77c99b73a41425760eb03c2c1bfabbee856789ec4f3e0349584b6eb07099da664f2c670814bea18298e6503e4b9bcd6
-
SSDEEP
24576:aE6MsqRTgfRkmMSDyNnBVv0zO6jRjXFVPQlgKHxKPA/Otoi+4mn1q+yn1KsM:GMs0MRGSDqJYFjVV0pHQIuVmnufM
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe"C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ukw.0.exe"C:\Users\Admin\AppData\Local\Temp\ukw.0.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe"C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 22405⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ukw.1.exe"C:\Users\Admin\AppData\Local\Temp\ukw.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 14044⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\904519900954_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:31⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 752 -ip 7521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2188 -ip 21881⤵
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.4MB
MD54f00a62c93018e52cc015f5f627ea54c
SHA1870eacc1d0758148062975a3f29f8b32decc6fef
SHA2563d2d7ea589d2a44402899eb3c3a3f3d88c10f304e2dd6ebaef03838bef7c53a5
SHA512cd021b47f62adfa68fd979dc5c3f736cdd2c7742cfd1dc0a8db3112caabf6a395cac72afd484cde7a712e4a865591b03968eacb59767720e07e99638b1560200
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.4MB
MD5d2d875d3e3ce8a0c241ef185a69f4d6e
SHA16c15739713d6e5570430e3815ddc7741c754fc19
SHA2567ce82b8d397c3871ffe7c81adf80da52c89cb3b0d947ab152d894ee4a817d7d8
SHA512f6174864622646c754346ce0f4a70a7e5a98ec42dd704f705efdbae8508150bede74682b038479cd2c114170f946ba8e895cfb077d3cb58de6622a31a8823c74
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exeFilesize
443KB
MD5f9a326be924c06ed9629a7ee3f4a1285
SHA16a880cb1e65cf267b81f67dc03641d14f8ce86f3
SHA256a61fec43ebc4191c3c62278f5255585cf3e2c53b86f8be1c05514c60d328c240
SHA5123294c9a5fca715ee0ca344ff11ec7cdc38a85e0242d6e205434bda48125b53d2ccfb5d3e614d67d4859fca03e4e147bc9e503da86ce31d663c7e596fe7fa44df
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exeFilesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbqazxq4.tzx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ukw.0.exeFilesize
299KB
MD5bf81c7e629eaa2c4a995c9945b98a933
SHA1145f783f7ea60f1a759dcd2fcc8cb501dac868df
SHA2567ec38e1e46dbe3557ac9e7dadf0c1adf7e189f2ab820df7f6e08443b5333b1c5
SHA512fcf7bd1ac1da2e3ce8199cfc462c589f5e303744dfa29eebf4a24e526db3a23221cc8d2198a33af7ab7115e9b5b00f11a6e33e889710536d9e1e4e15ac66d399
-
C:\Users\Admin\AppData\Local\Temp\ukw.1.exeFilesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Temp\Task.batFilesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
memory/752-62-0x0000000000C80000-0x0000000000D80000-memory.dmpFilesize
1024KB
-
memory/752-136-0x0000000000400000-0x0000000000B18000-memory.dmpFilesize
7.1MB
-
memory/752-169-0x0000000000400000-0x0000000000B18000-memory.dmpFilesize
7.1MB
-
memory/752-64-0x0000000000400000-0x0000000000B18000-memory.dmpFilesize
7.1MB
-
memory/752-154-0x0000000000C80000-0x0000000000D80000-memory.dmpFilesize
1024KB
-
memory/752-63-0x0000000002760000-0x00000000027CE000-memory.dmpFilesize
440KB
-
memory/1380-7-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/1380-6-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/1380-5-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/1380-4-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/1380-3-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/1380-8-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/1380-0-0x00000000007A0000-0x0000000000C5A000-memory.dmpFilesize
4.7MB
-
memory/1380-9-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/1380-2-0x00000000007A0000-0x0000000000C5A000-memory.dmpFilesize
4.7MB
-
memory/1380-10-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/1380-15-0x00000000007A0000-0x0000000000C5A000-memory.dmpFilesize
4.7MB
-
memory/1380-1-0x0000000077094000-0x0000000077096000-memory.dmpFilesize
8KB
-
memory/2188-211-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/2188-194-0x0000000000C50000-0x0000000000C77000-memory.dmpFilesize
156KB
-
memory/2188-79-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/2188-76-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/2188-75-0x0000000000C50000-0x0000000000C77000-memory.dmpFilesize
156KB
-
memory/2188-74-0x0000000000E40000-0x0000000000F40000-memory.dmpFilesize
1024KB
-
memory/2188-207-0x0000000000E40000-0x0000000000F40000-memory.dmpFilesize
1024KB
-
memory/2188-185-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/2188-212-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/2188-236-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/2188-256-0x0000000000400000-0x0000000000AF5000-memory.dmpFilesize
7.0MB
-
memory/3076-24-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/3076-26-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/3076-278-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-276-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-274-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-272-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-270-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-268-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-262-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-18-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-255-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-184-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-148-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-78-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-77-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-28-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/3076-19-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-27-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/3076-23-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/3076-25-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/3076-213-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-20-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/3076-22-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/3076-235-0x0000000000020000-0x00000000004DA000-memory.dmpFilesize
4.7MB
-
memory/3076-21-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/3260-149-0x0000000000400000-0x0000000000930000-memory.dmpFilesize
5.2MB
-
memory/3260-237-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/3260-206-0x0000000000400000-0x0000000000930000-memory.dmpFilesize
5.2MB
-
memory/3260-150-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/4444-168-0x00000211E2E10000-0x00000211E2E20000-memory.dmpFilesize
64KB
-
memory/4444-173-0x00000211E32B0000-0x00000211E32BA000-memory.dmpFilesize
40KB
-
memory/4444-172-0x00000211E32D0000-0x00000211E32E2000-memory.dmpFilesize
72KB
-
memory/4444-180-0x00007FF8ECF00000-0x00007FF8ED9C1000-memory.dmpFilesize
10.8MB
-
memory/4444-155-0x00000211E2F20000-0x00000211E2F42000-memory.dmpFilesize
136KB
-
memory/4444-167-0x00000211E2E10000-0x00000211E2E20000-memory.dmpFilesize
64KB
-
memory/4444-166-0x00000211E2E10000-0x00000211E2E20000-memory.dmpFilesize
64KB
-
memory/4444-165-0x00007FF8ECF00000-0x00007FF8ED9C1000-memory.dmpFilesize
10.8MB
-
memory/5968-257-0x0000000071550000-0x0000000071D00000-memory.dmpFilesize
7.7MB
-
memory/5968-258-0x0000000000660000-0x0000000000680000-memory.dmpFilesize
128KB
-
memory/5968-263-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/5968-266-0x0000000071550000-0x0000000071D00000-memory.dmpFilesize
7.7MB