Analysis
max time kernel: 151s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07-12-2021 11:57
Static task
static1
General
Target: 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
Size: 5.3MB
MD5: d29cdd460f6d9747eb2ce497ceee07cf
SHA1: 45f75cba21e74d9955ce69d781071d9b4b746bfa
SHA256: 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426
SHA512: 41903d2b5cfad3bba683a2476e4dcccba593cb6d11cdc0c3509698ffdd481f2b751f69cb8dd5e3181dcc9d5ebb9ef0df0d1c068b10f03308545e9053eb639587
Malware Config
Extracted
danabot
142.11.244.223:443
23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures
-
Danabot Loader Component 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\WYRJVL~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WYRJVL~1.DLL | DanabotLoader2021
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exe
description | pid | process | target process
PID 2280 created 3840 | 2280 | WerFault.exe | wyrjvltcwmhh.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exe
flow | pid | process
36 | 912 | WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
upslip.exe, wonnervp.exe, wyrjvltcwmhh.exe, DpEditor.exe
pid | process
3384 | upslip.exe
3004 | wonnervp.exe
3840 | wyrjvltcwmhh.exe
808 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wonnervp.exe, DpEditor.exe, upslip.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wonnervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | wonnervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | upslip.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | upslip.exe
-
Loads dropped DLL 2 IoCs
Processes:
615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe, rundll32.exe
pid | process
2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
1992 | rundll32.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\acmite\upslip.exe | themida
C:\Users\Admin\AppData\Local\Temp\acmite\upslip.exe | themida
C:\Users\Admin\AppData\Local\Temp\acmite\wonnervp.exe | themida
C:\Users\Admin\AppData\Local\Temp\acmite\wonnervp.exe | themida
behavioral1/memory/3384-123-0x0000000000260000-0x000000000094F000-memory.dmp | themida
behavioral1/memory/3384-122-0x0000000000260000-0x000000000094F000-memory.dmp | themida
behavioral1/memory/3384-124-0x0000000000260000-0x000000000094F000-memory.dmp | themida
behavioral1/memory/3384-125-0x0000000000260000-0x000000000094F000-memory.dmp | themida
behavioral1/memory/3004-128-0x00000000001E0000-0x000000000084A000-memory.dmp | themida
behavioral1/memory/3004-129-0x00000000001E0000-0x000000000084A000-memory.dmp | themida
behavioral1/memory/3004-130-0x00000000001E0000-0x000000000084A000-memory.dmp | themida
behavioral1/memory/3004-131-0x00000000001E0000-0x000000000084A000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/808-140-0x00000000001A0000-0x000000000088F000-memory.dmp | themida
behavioral1/memory/808-141-0x00000000001A0000-0x000000000088F000-memory.dmp | themida
behavioral1/memory/808-142-0x00000000001A0000-0x000000000088F000-memory.dmp | themida
behavioral1/memory/808-144-0x00000000001A0000-0x000000000088F000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes:
upslip.exe, wonnervp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upslip.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wonnervp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
upslip.exe, wonnervp.exe, DpEditor.exe
pid | process
3384 | upslip.exe
3004 | wonnervp.exe
808 | DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2280 | 3840 | WerFault.exe | wyrjvltcwmhh.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wonnervp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wonnervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wonnervp.exe
-
Modifies registry class 1 IoCs
Processes:
wonnervp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | wonnervp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exe
pid | process
808 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
upslip.exe, wonnervp.exe, DpEditor.exe, WerFault.exe
pid | process
3384 | upslip.exe
3384 | upslip.exe
3004 | wonnervp.exe
3004 | wonnervp.exe
808 | DpEditor.exe
808 | DpEditor.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
2280 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exe
description | pid | process
Token: SeRestorePrivilege | 2280 | WerFault.exe
Token: SeBackupPrivilege | 2280 | WerFault.exe
Token: SeDebugPrivilege | 2280 | WerFault.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe, wonnervp.exe, upslip.exe, wyrjvltcwmhh.exe
description | pid | process | target process
PID 2740 wrote to memory of 3384 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | upslip.exe
PID 2740 wrote to memory of 3384 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | upslip.exe
PID 2740 wrote to memory of 3384 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | upslip.exe
PID 2740 wrote to memory of 3004 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | wonnervp.exe
PID 2740 wrote to memory of 3004 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | wonnervp.exe
PID 2740 wrote to memory of 3004 | 2740 | 615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe | wonnervp.exe
PID 3004 wrote to memory of 3840 | 3004 | wonnervp.exe | wyrjvltcwmhh.exe
PID 3004 wrote to memory of 3840 | 3004 | wonnervp.exe | wyrjvltcwmhh.exe
PID 3004 wrote to memory of 3840 | 3004 | wonnervp.exe | wyrjvltcwmhh.exe
PID 3004 wrote to memory of 1572 | 3004 | wonnervp.exe | WScript.exe
PID 3004 wrote to memory of 1572 | 3004 | wonnervp.exe | WScript.exe
PID 3004 wrote to memory of 1572 | 3004 | wonnervp.exe | WScript.exe
PID 3384 wrote to memory of 808 | 3384 | upslip.exe | DpEditor.exe
PID 3384 wrote to memory of 808 | 3384 | upslip.exe | DpEditor.exe
PID 3384 wrote to memory of 808 | 3384 | upslip.exe | DpEditor.exe
PID 3004 wrote to memory of 912 | 3004 | wonnervp.exe | WScript.exe
PID 3004 wrote to memory of 912 | 3004 | wonnervp.exe | WScript.exe
PID 3004 wrote to memory of 912 | 3004 | wonnervp.exe | WScript.exe
PID 3840 wrote to memory of 1992 | 3840 | wyrjvltcwmhh.exe | rundll32.exe
PID 3840 wrote to memory of 1992 | 3840 | wyrjvltcwmhh.exe | rundll32.exe
PID 3840 wrote to memory of 1992 | 3840 | wyrjvltcwmhh.exe | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe
"C:\Users\Admin\AppData\Local\Temp\615aa3a7ee8704e16e93ba731035d4bcc3f4464ecdb44766e814bdd05fff0426.exe" [1⤵]
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acmite\upslip.exe
"C:\Users\Admin\AppData\Local\Temp\acmite\upslip.exe" [2⤵]
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe" [3⤵]
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\acmite\wonnervp.exe
"C:\Users\Admin\AppData\Local\Temp\acmite\wonnervp.exe" [2⤵]
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wyrjvltcwmhh.exe
"C:\Users\Admin\AppData\Local\Temp\wyrjvltcwmhh.exe" [3⤵]
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\WYRJVL~1.DLL,s C:\Users\Admin\AppData\Local\Temp\WYRJVL~1.EXE [4⤵]
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 560 [4⤵]
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cpgyrao.vbs" [3⤵]
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lnlismiyhkkc.vbs" [3⤵]
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads