Analysis
max time kernel: 146s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 03-05-2021 18:12
Static task: static1
Behavioral task: behavioral1
Sample: ae672455_by_Libranalysis.exe
Resource: win7v20210410
General
Target: ae672455_by_Libranalysis.exe
Size: 1.0MB
MD5: ae672455612bde0a10259c441ffc97b3
SHA1: 378527fc598c402982fc0816282fef5e97318a76
SHA256: 83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243
SHA512: f366df4117ff648b3d205dd0c5713054a6733bc86e70018065514d0075c87c50b188a95a159dd6ccda72bce22f3baf5797e3cfc470ac150bf47e6c74851fbe81
Malware Config
Extracted
danabot
1827
3
23.106.123.185:443
192.210.198.12:443
192.236.147.83:443
37.220.31.94:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
Blocklisted process makes network request 8 IoCs
Processes: RUNDLL32.EXE, WScript.exe
flow  pid   process
32    1760  RUNDLL32.EXE
34    1428  WScript.exe
36    1428  WScript.exe
38    1428  WScript.exe
40    1428  WScript.exe
41    1760  RUNDLL32.EXE
42    1760  RUNDLL32.EXE
45    1760  RUNDLL32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: Ama.exe.com, Ama.exe.com, dshqkpq.exe
pid   process
732   Ama.exe.com
2128  Ama.exe.com
700   dshqkpq.exe
-
Loads dropped DLL 3 IoCs
Processes: rundll32.exe, RUNDLL32.EXE
pid   process
800   rundll32.exe
800   rundll32.exe
1760  RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
18    ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Ama.exe.com
description        ioc                                                                                        process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           Ama.exe.com
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       Ama.exe.com
-
Modifies registry class 1 IoCs
Processes: Ama.exe.com
description  ioc                                                                                    process
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings   Ama.exe.com
-
Processes: WScript.exe
description       ioc                                                                                                                   process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        WScript.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob   WScript.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: rundll32.exe, RUNDLL32.EXE
description              pid   process
Token: SeDebugPrivilege  800   rundll32.exe
Token: SeDebugPrivilege  1760  RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes: ae672455_by_Libranalysis.exe, cmd.exe, cmd.exe, Ama.exe.com, Ama.exe.com, dshqkpq.exe, rundll32.exe
description                       pid   process                       target process
PID 708 wrote to memory of 868    708   ae672455_by_Libranalysis.exe  svchost.exe
PID 708 wrote to memory of 868    708   ae672455_by_Libranalysis.exe  svchost.exe
PID 708 wrote to memory of 868    708   ae672455_by_Libranalysis.exe  svchost.exe
PID 708 wrote to memory of 864    708   ae672455_by_Libranalysis.exe  cmd.exe
PID 708 wrote to memory of 864    708   ae672455_by_Libranalysis.exe  cmd.exe
PID 708 wrote to memory of 864    708   ae672455_by_Libranalysis.exe  cmd.exe
PID 864 wrote to memory of 188    864   cmd.exe                       cmd.exe
PID 864 wrote to memory of 188    864   cmd.exe                       cmd.exe
PID 864 wrote to memory of 188    864   cmd.exe                       cmd.exe
PID 188 wrote to memory of 2752   188   cmd.exe                       findstr.exe
PID 188 wrote to memory of 2752   188   cmd.exe                       findstr.exe
PID 188 wrote to memory of 2752   188   cmd.exe                       findstr.exe
PID 188 wrote to memory of 732    188   cmd.exe                       Ama.exe.com
PID 188 wrote to memory of 732    188   cmd.exe                       Ama.exe.com
PID 188 wrote to memory of 732    188   cmd.exe                       Ama.exe.com
PID 188 wrote to memory of 1180   188   cmd.exe                       PING.EXE
PID 188 wrote to memory of 1180   188   cmd.exe                       PING.EXE
PID 188 wrote to memory of 1180   188   cmd.exe                       PING.EXE
PID 732 wrote to memory of 2128   732   Ama.exe.com                   Ama.exe.com
PID 732 wrote to memory of 2128   732   Ama.exe.com                   Ama.exe.com
PID 732 wrote to memory of 2128   732   Ama.exe.com                   Ama.exe.com
PID 2128 wrote to memory of 700   2128  Ama.exe.com                   dshqkpq.exe
PID 2128 wrote to memory of 700   2128  Ama.exe.com                   dshqkpq.exe
PID 2128 wrote to memory of 700   2128  Ama.exe.com                   dshqkpq.exe
PID 2128 wrote to memory of 2820  2128  Ama.exe.com                   WScript.exe
PID 2128 wrote to memory of 2820  2128  Ama.exe.com                   WScript.exe
PID 2128 wrote to memory of 2820  2128  Ama.exe.com                   WScript.exe
PID 700 wrote to memory of 800    700   dshqkpq.exe                   rundll32.exe
PID 700 wrote to memory of 800    700   dshqkpq.exe                   rundll32.exe
PID 700 wrote to memory of 800    700   dshqkpq.exe                   rundll32.exe
PID 800 wrote to memory of 1760   800   rundll32.exe                  RUNDLL32.EXE
PID 800 wrote to memory of 1760   800   rundll32.exe                  RUNDLL32.EXE
PID 800 wrote to memory of 1760   800   rundll32.exe                  RUNDLL32.EXE
PID 2128 wrote to memory of 1428  2128  Ama.exe.com                   WScript.exe
PID 2128 wrote to memory of 1428  2128  Ama.exe.com                   WScript.exe
PID 2128 wrote to memory of 1428  2128  Ama.exe.com                   WScript.exe
Processes
1: C:\Users\Admin\AppData\Local\Temp\ae672455_by_Libranalysis.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae672455_by_Libranalysis.exe"
   - Suspicious use of WriteProcessMemory
  2: C:\Windows\SysWOW64\svchost.exe
     Command line: "C:\Windows\System32\svchost.exe"
  2: C:\Windows\SysWOW64\cmd.exe
     Command line: "C:\Windows\System32\cmd.exe" /c cmd < Avvenne.pst
     - Suspicious use of WriteProcessMemory
    3: C:\Windows\SysWOW64\cmd.exe
       Command line: cmd
       - Suspicious use of WriteProcessMemory
      4: C:\Windows\SysWOW64\findstr.exe
         Command line: findstr /V /R "^OrbGtAtgShJATMzcwdgeFqmrVYufAJzwsUiIUTHcvjNANrHaHsmcZKvOExKyxOOpTIoYFKAiISGzjZdSsN$" Crudelta.pst
      4: C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
         Command line: Ama.exe.com p
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
        5: C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
           Command line: C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com p
           - Executes dropped EXE
           - Checks processor information in registry
           - Modifies registry class
           - Suspicious use of WriteProcessMemory
          6: C:\Users\Admin\AppData\Local\Temp\dshqkpq.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\dshqkpq.exe"
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory
            7: C:\Windows\SysWOW64\rundll32.exe
               Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DSHQKP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\dshqkpq.exe
               - Loads dropped DLL
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8: C:\Windows\SysWOW64\RUNDLL32.EXE
                 Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DSHQKP~1.DLL,aDcx
                 - Blocklisted process makes network request
                 - Loads dropped DLL
                 - Suspicious use of AdjustPrivilegeToken
          6: C:\Windows\SysWOW64\WScript.exe
             Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\myooblpr.vbs"
          6: C:\Windows\SysWOW64\WScript.exe
             Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dvfyikagacl.vbs"
             - Blocklisted process makes network request
             - Modifies system certificate store
      4: C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 30
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DSHQKP~1.DLL
- C:\Users\Admin\AppData\Local\Temp\dshqkpq.exe
- C:\Users\Admin\AppData\Local\Temp\dvfyikagacl.vbs
- C:\Users\Admin\AppData\Local\Temp\myooblpr.vbs
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Arcate.pst
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Avvenne.pst
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Crudelta.pst
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ora.pst
- C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\p
- \Users\Admin\AppData\Local\Temp\DSHQKP~1.DLL