Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 14:25
Static task
static1
General
- Target: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
- Size: 5.4MB
- MD5: 5096680c111700a7343cac14d166ce90
- SHA1: 8277b38de8b62abbd9c1722c1a512741622e928c
- SHA256: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2
- SHA512: 2c37d448de62be7b9b616b29c0633cc1af4ff083e8213df6efe090a761ae39d17fa670a2fb700c149c02fa61b4cda20d661f45bc3cc10e82dcdc990f909e8d50
Malware Config
Extracted
danabot
142.11.244.223:443
23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
- Danabot Loader Component 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\YQPPJK~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\YQPPJK~1.DLL | DanabotLoader2021
- Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 2664 created 2948 | 2664 | WerFault.exe | yqppjkopqnhb.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
flow | pid | process
38 | 848 | WScript.exe
- Downloads MZ/PE file
- Executes dropped EXE 4 IoCs
Processes: sacque.exe, tilmusvp.exe, yqppjkopqnhb.exe, DpEditor.exe
pid | process
1876 | sacque.exe
2652 | tilmusvp.exe
2948 | yqppjkopqnhb.exe
696 | DpEditor.exe
- Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: sacque.exe, tilmusvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | sacque.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | sacque.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tilmusvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tilmusvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
- Loads dropped DLL 2 IoCs
Processes: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe, rundll32.exe
pid | process
2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
2136 | rundll32.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe | themida
C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe | themida
C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe | themida
C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe | themida
behavioral1/memory/1876-122-0x0000000000F70000-0x0000000001665000-memory.dmp | themida
behavioral1/memory/1876-124-0x0000000000F70000-0x0000000001665000-memory.dmp | themida
behavioral1/memory/1876-125-0x0000000000F70000-0x0000000001665000-memory.dmp | themida
behavioral1/memory/1876-127-0x0000000000F70000-0x0000000001665000-memory.dmp | themida
behavioral1/memory/2652-126-0x0000000000CB0000-0x0000000001378000-memory.dmp | themida
behavioral1/memory/2652-128-0x0000000000CB0000-0x0000000001378000-memory.dmp | themida
behavioral1/memory/2652-129-0x0000000000CB0000-0x0000000001378000-memory.dmp | themida
behavioral1/memory/2652-131-0x0000000000CB0000-0x0000000001378000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/696-143-0x0000000000A90000-0x0000000001185000-memory.dmp | themida
behavioral1/memory/696-144-0x0000000000A90000-0x0000000001185000-memory.dmp | themida
behavioral1/memory/696-145-0x0000000000A90000-0x0000000001185000-memory.dmp | themida
behavioral1/memory/696-147-0x0000000000A90000-0x0000000001185000-memory.dmp | themida
-
Processes: sacque.exe, tilmusvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sacque.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tilmusvp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
12 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: sacque.exe, tilmusvp.exe, DpEditor.exe
pid | process
1876 | sacque.exe
2652 | tilmusvp.exe
696 | DpEditor.exe
- Drops file in Program Files directory 3 IoCs
Processes: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2664 | 2948 | WerFault.exe | yqppjkopqnhb.exe
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: tilmusvp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | tilmusvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | tilmusvp.exe
- Modifies registry class 1 IoCs
Processes: tilmusvp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | tilmusvp.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
pid | process
696 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: sacque.exe, tilmusvp.exe, DpEditor.exe, WerFault.exe
pid | process
1876 | sacque.exe
1876 | sacque.exe
2652 | tilmusvp.exe
2652 | tilmusvp.exe
696 | DpEditor.exe
696 | DpEditor.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
2664 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: WerFault.exe
description | pid | process
Token: SeRestorePrivilege | 2664 | WerFault.exe
Token: SeBackupPrivilege | 2664 | WerFault.exe
Token: SeDebugPrivilege | 2664 | WerFault.exe
- Suspicious use of WriteProcessMemory 21 IoCs
Processes: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe, tilmusvp.exe, sacque.exe, yqppjkopqnhb.exe
description | pid | process | target process
PID 2748 wrote to memory of 1876 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | sacque.exe
PID 2748 wrote to memory of 1876 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | sacque.exe
PID 2748 wrote to memory of 1876 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | sacque.exe
PID 2748 wrote to memory of 2652 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | tilmusvp.exe
PID 2748 wrote to memory of 2652 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | tilmusvp.exe
PID 2748 wrote to memory of 2652 | 2748 | 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe | tilmusvp.exe
PID 2652 wrote to memory of 2948 | 2652 | tilmusvp.exe | yqppjkopqnhb.exe
PID 2652 wrote to memory of 2948 | 2652 | tilmusvp.exe | yqppjkopqnhb.exe
PID 2652 wrote to memory of 2948 | 2652 | tilmusvp.exe | yqppjkopqnhb.exe
PID 2652 wrote to memory of 576 | 2652 | tilmusvp.exe | WScript.exe
PID 2652 wrote to memory of 576 | 2652 | tilmusvp.exe | WScript.exe
PID 2652 wrote to memory of 576 | 2652 | tilmusvp.exe | WScript.exe
PID 1876 wrote to memory of 696 | 1876 | sacque.exe | DpEditor.exe
PID 1876 wrote to memory of 696 | 1876 | sacque.exe | DpEditor.exe
PID 1876 wrote to memory of 696 | 1876 | sacque.exe | DpEditor.exe
PID 2652 wrote to memory of 848 | 2652 | tilmusvp.exe | WScript.exe
PID 2652 wrote to memory of 848 | 2652 | tilmusvp.exe | WScript.exe
PID 2652 wrote to memory of 848 | 2652 | tilmusvp.exe | WScript.exe
PID 2948 wrote to memory of 2136 | 2948 | yqppjkopqnhb.exe | rundll32.exe
PID 2948 wrote to memory of 2136 | 2948 | yqppjkopqnhb.exe | rundll32.exe
PID 2948 wrote to memory of 2136 | 2948 | yqppjkopqnhb.exe | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe
"C:\Users\Admin\AppData\Local\Temp\02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe
  "C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe
  "C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yqppjkopqnhb.exe
    "C:\Users\Admin\AppData\Local\Temp\yqppjkopqnhb.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\YQPPJK~1.DLL,s C:\Users\Admin\AppData\Local\Temp\YQPPJK~1.EXE
      - Loads dropped DLL
      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 544
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gcwkefoxddr.vbs"
    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\twbnxksolpa.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads