Analysis
-
max time kernel
147s
-
max time network
152s
-
platform
windows11-21h2_x64
-
resource
win11-20240221-en
-
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted
26-03-2024 17:17
Static task
static1
Behavioral task
behavioral1
Sample
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Resource
win10v2004-20240226-en
General
-
Target
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
-
Size
1.8MB
-
MD5
75c5abaeb9f1654c1daf75aab1e032dd
-
SHA1
9ccdcdc00e4108b0cf873b8948919b6015e7f118
-
SHA256
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429
-
SHA512
f8103bea2707cabeb2207128f2782ccce77c99b73a41425760eb03c2c1bfabbee856789ec4f3e0349584b6eb07099da664f2c670814bea18298e6503e4b9bcd6
-
SSDEEP
24576:aE6MsqRTgfRkmMSDyNnBVv0zO6jRjXFVPQlgKHxKPA/Otoi+4mn1q+yn1KsM:GMs0MRGSDqJYFjVV0pHQIuVmnufM
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
explorgu.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorgu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe, rundll32.exe
flow | pid | process
13 | 2028 | rundll32.exe
14 | 4772 | rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorgu.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorgu.exe
-
Executes dropped EXE 6 IoCs
Processes:
explorgu.exe, NewB.exe, ISetup8.exe, u1og.0.exe, u1og.1.exe, NewB.exe
pid | process
4036 | explorgu.exe
2044 | NewB.exe
2176 | ISetup8.exe
2484 | u1og.0.exe
2340 | u1og.1.exe
3232 | NewB.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | explorgu.exe
-
Loads dropped DLL 5 IoCs
Processes:
rundll32.exe, rundll32.exe, u1og.0.exe, rundll32.exe
pid | process
3736 | rundll32.exe
2028 | rundll32.exe
2484 | u1og.0.exe
2484 | u1og.0.exe
4772 | rundll32.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\u1og.1.exe | upx
behavioral2/memory/2340-88-0x0000000000400000-0x0000000000930000-memory.dmp | upx
behavioral2/memory/2340-137-0x0000000000400000-0x0000000000930000-memory.dmp | upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe
pid | process
3140 | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
4036 | explorgu.exe
-
Drops file in Windows directory 1 IoCs
Processes:
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
description | ioc | process
File created | C:\Windows\Tasks\explorgu.job | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
3236 | 2176 | WerFault.exe | ISetup8.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u1og.0.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | u1og.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | u1og.0.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | process
2336 | schtasks.exe
4608 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe, u1og.0.exe, rundll32.exe, powershell.exe
pid | process
3140 | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
3140 | 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
4036 | explorgu.exe
4036 | explorgu.exe
2484 | u1og.0.exe
2484 | u1og.0.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
2028 | rundll32.exe
4960 | powershell.exe
4960 | powershell.exe
2484 | u1og.0.exe
2484 | u1og.0.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4960 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
u1og.1.exe
pid | process
2340 | u1og.1.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
explorgu.exe, NewB.exe, ISetup8.exe, u1og.1.exe, cmd.exe, rundll32.exe, rundll32.exe
description | pid | process | target process
PID 4036 wrote to memory of 2044 | 4036 | explorgu.exe | NewB.exe
PID 4036 wrote to memory of 2044 | 4036 | explorgu.exe | NewB.exe
PID 4036 wrote to memory of 2044 | 4036 | explorgu.exe | NewB.exe
PID 2044 wrote to memory of 4608 | 2044 | NewB.exe | schtasks.exe
PID 2044 wrote to memory of 4608 | 2044 | NewB.exe | schtasks.exe
PID 2044 wrote to memory of 4608 | 2044 | NewB.exe | schtasks.exe
PID 2044 wrote to memory of 2176 | 2044 | NewB.exe | ISetup8.exe
PID 2044 wrote to memory of 2176 | 2044 | NewB.exe | ISetup8.exe
PID 2044 wrote to memory of 2176 | 2044 | NewB.exe | ISetup8.exe
PID 2176 wrote to memory of 2484 | 2176 | ISetup8.exe | u1og.0.exe
PID 2176 wrote to memory of 2484 | 2176 | ISetup8.exe | u1og.0.exe
PID 2176 wrote to memory of 2484 | 2176 | ISetup8.exe | u1og.0.exe
PID 2176 wrote to memory of 2340 | 2176 | ISetup8.exe | u1og.1.exe
PID 2176 wrote to memory of 2340 | 2176 | ISetup8.exe | u1og.1.exe
PID 2176 wrote to memory of 2340 | 2176 | ISetup8.exe | u1og.1.exe
PID 2340 wrote to memory of 2976 | 2340 | u1og.1.exe | cmd.exe
PID 2340 wrote to memory of 2976 | 2340 | u1og.1.exe | cmd.exe
PID 2340 wrote to memory of 2976 | 2340 | u1og.1.exe | cmd.exe
PID 2976 wrote to memory of 4948 | 2976 | cmd.exe | chcp.com
PID 2976 wrote to memory of 4948 | 2976 | cmd.exe | chcp.com
PID 2976 wrote to memory of 4948 | 2976 | cmd.exe | chcp.com
PID 2976 wrote to memory of 2336 | 2976 | cmd.exe | schtasks.exe
PID 2976 wrote to memory of 2336 | 2976 | cmd.exe | schtasks.exe
PID 2976 wrote to memory of 2336 | 2976 | cmd.exe | schtasks.exe
PID 4036 wrote to memory of 3736 | 4036 | explorgu.exe | rundll32.exe
PID 4036 wrote to memory of 3736 | 4036 | explorgu.exe | rundll32.exe
PID 4036 wrote to memory of 3736 | 4036 | explorgu.exe | rundll32.exe
PID 3736 wrote to memory of 2028 | 3736 | rundll32.exe | rundll32.exe
PID 3736 wrote to memory of 2028 | 3736 | rundll32.exe | rundll32.exe
PID 2028 wrote to memory of 1796 | 2028 | rundll32.exe | netsh.exe
PID 2028 wrote to memory of 1796 | 2028 | rundll32.exe | netsh.exe
PID 2028 wrote to memory of 4960 | 2028 | rundll32.exe | powershell.exe
PID 2028 wrote to memory of 4960 | 2028 | rundll32.exe | powershell.exe
PID 4036 wrote to memory of 4772 | 4036 | explorgu.exe | rundll32.exe
PID 4036 wrote to memory of 4772 | 4036 | explorgu.exe | rundll32.exe
PID 4036 wrote to memory of 4772 | 4036 | explorgu.exe | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (depth 3)
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1og.0.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\u1og.0.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\u1og.1.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\u1og.1.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.com (depth 6)
chcp 1251
-
C:\Windows\SysWOW64\schtasks.exe (depth 6)
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exe (depth 4)
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 976
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe (depth 3)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (depth 4)
netsh wlan show profiles
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2176 -ip 2176
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
- Executes dropped EXE
Downloads
-
C:\ProgramData\Are.docx
Filesize 11KB
-
C:\ProgramData\mozglue.dll
Filesize 593KB
-
C:\ProgramData\nss3.dll
Filesize 2.0MB
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize 1.8MB
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe
Filesize 443KB
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
Filesize 418KB
-
C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip
Filesize 177KB
-
C:\Users\Admin\AppData\Local\Temp\_Files_\SplitConvertFrom.xlsx
Filesize 177KB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_it4hrlkr.int.ps1
Filesize 60B
-
C:\Users\Admin\AppData\Local\Temp\u1og.0.exe
Filesize 299KB
-
C:\Users\Admin\AppData\Local\Temp\u1og.1.exe
Filesize 1.7MB
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize 109KB
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize 1.2MB
-
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize 128B