Analysis
max time kernel: 132s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 11:26

Static task: static1
Behavioral task: behavioral1
Sample: vpn.bin.exe
Resource: win7v20210410
General
Target: vpn.bin.exe
Size: 1.1MB
MD5: 5a4f537ffd75be93484d34543127898c
SHA1: 3b70254cce9cfcae221637c00610c6a7543f0272
SHA256: d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74
SHA512: 871b2c0ab547ac8e8dd38f6500fd59a190cc04f53282a2eee77641d2e5139c9788aa40cd9dc4ae8bccfc2be04fadb7ce20f3f36592b660a404d93972d90c1a87
Malware Config
Extracted
danabot
1827
3
23.106.123.185:443
192.210.198.12:443
192.236.147.83:443
23.106.123.141:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
Blocklisted process makes network request 8 IoCs
Processes:
RUNDLL32.EXE, WScript.exe
flow  pid   process
31    2436  RUNDLL32.EXE
33    196   WScript.exe
35    196   WScript.exe
37    196   WScript.exe
39    196   WScript.exe
40    2436  RUNDLL32.EXE
41    2436  RUNDLL32.EXE
42    2436  RUNDLL32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
Trascinava.exe.com, Trascinava.exe.com, nvuohktp.exe
pid   process
2124  Trascinava.exe.com
2688  Trascinava.exe.com
1928  nvuohktp.exe
-
Loads dropped DLL 3 IoCs
Processes:
rundll32.exe, RUNDLL32.EXE
pid   process
1720  rundll32.exe
2436  RUNDLL32.EXE
2436  RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
18    ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Trascinava.exe.com
description        ioc  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Trascinava.exe.com
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Trascinava.exe.com
-
Modifies registry class 1 IoCs
Processes:
Trascinava.exe.com
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  Trascinava.exe.com
-
Processes:
WScript.exe
description       ioc  process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  WScript.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob  WScript.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exe, RUNDLL32.EXE
description              pid   process
Token: SeDebugPrivilege  1720  rundll32.exe
Token: SeDebugPrivilege  2436  RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
vpn.bin.exe, cmd.exe, cmd.exe, Trascinava.exe.com, Trascinava.exe.com, nvuohktp.exe, rundll32.exe
description                          pid   process             target process
PID 2840 wrote to memory of 208      2840  vpn.bin.exe         makecab.exe
PID 2840 wrote to memory of 208      2840  vpn.bin.exe         makecab.exe
PID 2840 wrote to memory of 208      2840  vpn.bin.exe         makecab.exe
PID 2840 wrote to memory of 3544     2840  vpn.bin.exe         cmd.exe
PID 2840 wrote to memory of 3544     2840  vpn.bin.exe         cmd.exe
PID 2840 wrote to memory of 3544     2840  vpn.bin.exe         cmd.exe
PID 3544 wrote to memory of 3348     3544  cmd.exe             cmd.exe
PID 3544 wrote to memory of 3348     3544  cmd.exe             cmd.exe
PID 3544 wrote to memory of 3348     3544  cmd.exe             cmd.exe
PID 3348 wrote to memory of 1176     3348  cmd.exe             findstr.exe
PID 3348 wrote to memory of 1176     3348  cmd.exe             findstr.exe
PID 3348 wrote to memory of 1176     3348  cmd.exe             findstr.exe
PID 3348 wrote to memory of 2124     3348  cmd.exe             Trascinava.exe.com
PID 3348 wrote to memory of 2124     3348  cmd.exe             Trascinava.exe.com
PID 3348 wrote to memory of 2124     3348  cmd.exe             Trascinava.exe.com
PID 3348 wrote to memory of 3844     3348  cmd.exe             PING.EXE
PID 3348 wrote to memory of 3844     3348  cmd.exe             PING.EXE
PID 3348 wrote to memory of 3844     3348  cmd.exe             PING.EXE
PID 2124 wrote to memory of 2688     2124  Trascinava.exe.com  Trascinava.exe.com
PID 2124 wrote to memory of 2688     2124  Trascinava.exe.com  Trascinava.exe.com
PID 2124 wrote to memory of 2688     2124  Trascinava.exe.com  Trascinava.exe.com
PID 2688 wrote to memory of 1928     2688  Trascinava.exe.com  nvuohktp.exe
PID 2688 wrote to memory of 1928     2688  Trascinava.exe.com  nvuohktp.exe
PID 2688 wrote to memory of 1928     2688  Trascinava.exe.com  nvuohktp.exe
PID 2688 wrote to memory of 3044     2688  Trascinava.exe.com  WScript.exe
PID 2688 wrote to memory of 3044     2688  Trascinava.exe.com  WScript.exe
PID 2688 wrote to memory of 3044     2688  Trascinava.exe.com  WScript.exe
PID 1928 wrote to memory of 1720     1928  nvuohktp.exe        rundll32.exe
PID 1928 wrote to memory of 1720     1928  nvuohktp.exe        rundll32.exe
PID 1928 wrote to memory of 1720     1928  nvuohktp.exe        rundll32.exe
PID 1720 wrote to memory of 2436     1720  rundll32.exe        RUNDLL32.EXE
PID 1720 wrote to memory of 2436     1720  rundll32.exe        RUNDLL32.EXE
PID 1720 wrote to memory of 2436     1720  rundll32.exe        RUNDLL32.EXE
PID 2688 wrote to memory of 196      2688  Trascinava.exe.com  WScript.exe
PID 2688 wrote to memory of 196      2688  Trascinava.exe.com  WScript.exe
PID 2688 wrote to memory of 196      2688  Trascinava.exe.com  WScript.exe
Processes
C:\Users\Admin\AppData\Local\Temp\vpn.bin.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.bin.exe"
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c RlFBBTBnWWwxXYwFINyxjFlP & APjAehxPNGRyRlxhFSeDuKfwKH & cmd < Aprile.msi
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    cmd
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^gPIKOQDiOVOQAkxOJpjaiBEhzvnzmHdsLNWlyPxotLIoNpJmItLcVfDMkcdsalIiEvtNgpITPtgcTcmlNYKxWUvvplZJnePUrBDdyWkmcRGRwoSQWuDxmhlJqIDtlZcMg$" Tese.msi
      C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
      Trascinava.exe.com Y
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
        C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com Y
        - Executes dropped EXE
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
          "C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\RUNDLL32.EXE
              C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL,bRdWZI2Y
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\raepcpokq.vbs"
          C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cxarttygjso.vbs"
          - Blocklisted process makes network request
          - Modifies system certificate store
      C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      - Runs ping.exe