Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
19-12-2021 11:57
Static task
static1
General
-
Target
5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe
-
Size
5.4MB
-
MD5
4e07d0940260e75233155f4ed5ecca68
-
SHA1
a632e1724d139e684ebb8331e136d95abbb1d576
-
SHA256
5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54
-
SHA512
dcb5d48d26bea6c3a882cfa081008405361edf686e1306b2f546e89f758360a9956d39365789b4603d09406f4c7afbde9ae647ae6b44f738990c9624fd351f26
Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 4068 created 2516 4068 WerFault.exe juujwlnbddl.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 34 932 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
edenic.exegodwitvp.exejuujwlnbddl.exeDpEditor.exepid process 3768 edenic.exe 1880 godwitvp.exe 2516 juujwlnbddl.exe 2288 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
edenic.exegodwitvp.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion edenic.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion edenic.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion godwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion godwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe -
Loads dropped DLL 2 IoCs
Processes:
5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exerundll32.exepid process 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe 1376 rundll32.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe themida C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe themida C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe themida C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe themida behavioral1/memory/3768-122-0x0000000000DF0000-0x00000000014DA000-memory.dmp themida behavioral1/memory/3768-123-0x0000000000DF0000-0x00000000014DA000-memory.dmp themida behavioral1/memory/1880-124-0x0000000000230000-0x00000000008EF000-memory.dmp themida behavioral1/memory/3768-125-0x0000000000DF0000-0x00000000014DA000-memory.dmp themida behavioral1/memory/1880-126-0x0000000000230000-0x00000000008EF000-memory.dmp themida behavioral1/memory/3768-127-0x0000000000DF0000-0x00000000014DA000-memory.dmp themida behavioral1/memory/1880-128-0x0000000000230000-0x00000000008EF000-memory.dmp themida behavioral1/memory/1880-130-0x0000000000230000-0x00000000008EF000-memory.dmp themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/2288-140-0x0000000000FE0000-0x00000000016CA000-memory.dmp themida behavioral1/memory/2288-141-0x0000000000FE0000-0x00000000016CA000-memory.dmp themida behavioral1/memory/2288-143-0x0000000000FE0000-0x00000000016CA000-memory.dmp themida behavioral1/memory/2288-144-0x0000000000FE0000-0x00000000016CA000-memory.dmp themida -
Processes:
godwitvp.exeDpEditor.exeedenic.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA godwitvp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA edenic.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
edenic.exegodwitvp.exeDpEditor.exepid process 3768 edenic.exe 1880 godwitvp.exe 2288 DpEditor.exe -
Drops file in Program Files directory 3 IoCs
Processes:
5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exedescription ioc process File created C:\Program Files (x86)\foler\olader\acppage.dll 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe File created C:\Program Files (x86)\foler\olader\adprovider.dll 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe File created C:\Program Files (x86)\foler\olader\acledit.dll 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4068 2516 WerFault.exe juujwlnbddl.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
godwitvp.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 godwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString godwitvp.exe -
Modifies registry class 1 IoCs
Processes:
godwitvp.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings godwitvp.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 2288 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
edenic.exegodwitvp.exeDpEditor.exeWerFault.exepid process 3768 edenic.exe 3768 edenic.exe 1880 godwitvp.exe 1880 godwitvp.exe 2288 DpEditor.exe 2288 DpEditor.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4068 WerFault.exe Token: SeBackupPrivilege 4068 WerFault.exe Token: SeDebugPrivilege 4068 WerFault.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exegodwitvp.exeedenic.exejuujwlnbddl.exedescription pid process target process PID 2476 wrote to memory of 3768 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe edenic.exe PID 2476 wrote to memory of 3768 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe edenic.exe PID 2476 wrote to memory of 3768 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe edenic.exe PID 2476 wrote to memory of 1880 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe godwitvp.exe PID 2476 wrote to memory of 1880 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe godwitvp.exe PID 2476 wrote to memory of 1880 2476 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe godwitvp.exe PID 1880 wrote to memory of 2516 1880 godwitvp.exe juujwlnbddl.exe PID 1880 wrote to memory of 2516 1880 godwitvp.exe juujwlnbddl.exe PID 1880 wrote to memory of 2516 1880 godwitvp.exe juujwlnbddl.exe PID 1880 wrote to memory of 3148 1880 godwitvp.exe WScript.exe PID 1880 wrote to memory of 3148 1880 godwitvp.exe WScript.exe PID 1880 wrote to memory of 3148 1880 godwitvp.exe WScript.exe PID 3768 wrote to memory of 2288 3768 edenic.exe DpEditor.exe PID 3768 wrote to memory of 2288 3768 edenic.exe DpEditor.exe PID 3768 wrote to memory of 2288 3768 edenic.exe DpEditor.exe PID 1880 wrote to memory of 932 1880 godwitvp.exe WScript.exe PID 1880 wrote to memory of 932 1880 godwitvp.exe WScript.exe PID 1880 wrote to memory of 932 1880 godwitvp.exe WScript.exe PID 2516 wrote to memory of 1376 2516 juujwlnbddl.exe rundll32.exe PID 2516 wrote to memory of 1376 2516 juujwlnbddl.exe rundll32.exe PID 2516 wrote to memory of 1376 2516 juujwlnbddl.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe"C:\Users\Admin\AppData\Local\Temp\5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe"C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe"C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\juujwlnbddl.exe"C:\Users\Admin\AppData\Local\Temp\juujwlnbddl.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\JUUJWL~1.DLL,s C:\Users\Admin\AppData\Local\Temp\JUUJWL~1.EXE4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 5524⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cjavldj.vbs"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ysawwjamo.vbs"3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
55d43afa2514359f9e870587b87bf1ab
SHA182410066fdcd676360b02fbf95b45e56e2be1265
SHA2566b955d3bba3008cc7f0bea9f8343286a64383707fe2850179cd183e483de32e9
SHA5121cff5e1714c2f87056e7b3202efdc68565fe6265ea36d2ba6b35c37817a790943d8f2b48fc1e9d1c6608b21bb39688b9c8c391d46b5f54bc186f551b5d3f24eb
-
C:\Users\Admin\AppData\Local\Temp\JUUJWL~1.DLLMD5
69b49ecb8bf6c58115fe0df41ed08092
SHA16dfc8c5cef6857408d513216db45e679b95a565a
SHA25676a13187e822ce22597e015b1b2a492ab7e5aa0ffb4b23191e3c618c73f5386a
SHA512b59f1be19b27e9b686f284c7ee584d830d8edb111c8764a400e861957ff0f0a3f414e94b1df17abe72c461a894f45a327e5ea8efc2d711e7f6326e3d1d93db7e
-
C:\Users\Admin\AppData\Local\Temp\cjavldj.vbsMD5
66b93c36a31d52a4ea8e7ab6c28366fb
SHA15ecb15025bdb390352dfdaed85bbc4b3498a82c9
SHA256bcacbb1614eb857eaa8af891de8a74c1a2ab53b52141e172d69bb16b2de0ed87
SHA512da407275e283e117d12381a2cb72444398e0da83b0ab12d981111376f378f1d0471eefee962efde1039be7e58a353e100648ee9c989c002ac8e3f9ecba167cf3
-
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exeMD5
c983192fb4b4f55d1d5a6bcaec5241db
SHA1c8fae465e7e4595ab216a8efa614ad8ff87871d3
SHA256f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8
SHA51248d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e
-
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exeMD5
c983192fb4b4f55d1d5a6bcaec5241db
SHA1c8fae465e7e4595ab216a8efa614ad8ff87871d3
SHA256f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8
SHA51248d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e
-
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exeMD5
867723e7562a926965123850713d4b07
SHA153e6cd23e03ae13d07703d55c6317fa2f3bec700
SHA256b7f8b2ceeeaa67c7f7b0089cb71c37061a3a1a8cbba298907600bbd43e9953ed
SHA512decff188727a9e4e96f7ad43de36bcecb1d4612253f177dfa2c300aabe1bf10f9f7670c43d8d29b104744f8d7debbacb1d190d60edd54eeaafdcb2510c7d0a1a
-
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exeMD5
867723e7562a926965123850713d4b07
SHA153e6cd23e03ae13d07703d55c6317fa2f3bec700
SHA256b7f8b2ceeeaa67c7f7b0089cb71c37061a3a1a8cbba298907600bbd43e9953ed
SHA512decff188727a9e4e96f7ad43de36bcecb1d4612253f177dfa2c300aabe1bf10f9f7670c43d8d29b104744f8d7debbacb1d190d60edd54eeaafdcb2510c7d0a1a
-
C:\Users\Admin\AppData\Local\Temp\juujwlnbddl.exeMD5
97b45c0ab8e7d750ec9be3fb6499476f
SHA1939aab013f617b49d4e0d7008a90305b3adccfa7
SHA256541888efa1f92ca3a7be8339bc7dc3e0828c48e66f014b0cac4be999f8ee8bad
SHA51260679dd10f4b124a24cb0054b24851074efa21eb0b0e213c82a62afa587afc2bd05fe57d0eca44195ff7fa701d41dbdb5ae28e1126addd2d3ae88e379e69b49d
-
C:\Users\Admin\AppData\Local\Temp\juujwlnbddl.exeMD5
97b45c0ab8e7d750ec9be3fb6499476f
SHA1939aab013f617b49d4e0d7008a90305b3adccfa7
SHA256541888efa1f92ca3a7be8339bc7dc3e0828c48e66f014b0cac4be999f8ee8bad
SHA51260679dd10f4b124a24cb0054b24851074efa21eb0b0e213c82a62afa587afc2bd05fe57d0eca44195ff7fa701d41dbdb5ae28e1126addd2d3ae88e379e69b49d
-
C:\Users\Admin\AppData\Local\Temp\ysawwjamo.vbsMD5
83e1708e4fba06a4b3b50664ec2140d1
SHA11fb11d9f2c08391e67d0758d9dc43ce64596f950
SHA256e7dcdeed62133473d8096400aa9c9f8146f62127efd81966bd8cf45e97bfee36
SHA512eee9117f5eee30c6560ef2abd3759b4600c88f59ce252d1423165c5827d9c43fef60aa8779164705849bfe3fade9b540832330ccd5832e20f8129be0efd8363e
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
c983192fb4b4f55d1d5a6bcaec5241db
SHA1c8fae465e7e4595ab216a8efa614ad8ff87871d3
SHA256f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8
SHA51248d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
c983192fb4b4f55d1d5a6bcaec5241db
SHA1c8fae465e7e4595ab216a8efa614ad8ff87871d3
SHA256f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8
SHA51248d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e
-
\Users\Admin\AppData\Local\Temp\JUUJWL~1.DLLMD5
69b49ecb8bf6c58115fe0df41ed08092
SHA16dfc8c5cef6857408d513216db45e679b95a565a
SHA25676a13187e822ce22597e015b1b2a492ab7e5aa0ffb4b23191e3c618c73f5386a
SHA512b59f1be19b27e9b686f284c7ee584d830d8edb111c8764a400e861957ff0f0a3f414e94b1df17abe72c461a894f45a327e5ea8efc2d711e7f6326e3d1d93db7e
-
\Users\Admin\AppData\Local\Temp\nsfC352.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/932-148-0x0000000000000000-mapping.dmp
-
memory/1376-152-0x0000000000000000-mapping.dmp
-
memory/1880-124-0x0000000000230000-0x00000000008EF000-memory.dmpFilesize
6.7MB
-
memory/1880-131-0x00000000773B0000-0x000000007753E000-memory.dmpFilesize
1.6MB
-
memory/1880-130-0x0000000000230000-0x00000000008EF000-memory.dmpFilesize
6.7MB
-
memory/1880-128-0x0000000000230000-0x00000000008EF000-memory.dmpFilesize
6.7MB
-
memory/1880-126-0x0000000000230000-0x00000000008EF000-memory.dmpFilesize
6.7MB
-
memory/1880-119-0x0000000000000000-mapping.dmp
-
memory/2288-140-0x0000000000FE0000-0x00000000016CA000-memory.dmpFilesize
6.9MB
-
memory/2288-137-0x0000000000000000-mapping.dmp
-
memory/2288-141-0x0000000000FE0000-0x00000000016CA000-memory.dmpFilesize
6.9MB
-
memory/2288-142-0x00000000773B0000-0x000000007753E000-memory.dmpFilesize
1.6MB
-
memory/2288-143-0x0000000000FE0000-0x00000000016CA000-memory.dmpFilesize
6.9MB
-
memory/2288-144-0x0000000000FE0000-0x00000000016CA000-memory.dmpFilesize
6.9MB
-
memory/2516-132-0x0000000000000000-mapping.dmp
-
memory/2516-145-0x00000000022F3000-0x0000000002481000-memory.dmpFilesize
1.6MB
-
memory/2516-146-0x0000000002490000-0x0000000002634000-memory.dmpFilesize
1.6MB
-
memory/2516-147-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/3148-135-0x0000000000000000-mapping.dmp
-
memory/3768-129-0x00000000773B0000-0x000000007753E000-memory.dmpFilesize
1.6MB
-
memory/3768-127-0x0000000000DF0000-0x00000000014DA000-memory.dmpFilesize
6.9MB
-
memory/3768-125-0x0000000000DF0000-0x00000000014DA000-memory.dmpFilesize
6.9MB
-
memory/3768-123-0x0000000000DF0000-0x00000000014DA000-memory.dmpFilesize
6.9MB
-
memory/3768-122-0x0000000000DF0000-0x00000000014DA000-memory.dmpFilesize
6.9MB
-
memory/3768-116-0x0000000000000000-mapping.dmp