Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 19-12-2021 17:29
Static task
static1
General
Target: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
Size: 5.4MB
MD5: 6851ee86ef723624b9d8bb881188b745
SHA1: bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
SHA256: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
SHA512: 24ca73eb150904362a14577bbbd88f585412f1b1e660631ae7614d80d0dbea58d877548d8f816e56d76933bdc8af734051183624e728b2653a59713f7e75c7fa
Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures
-
Danabot Loader Component 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\CQIIYD~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CQIIYD~1.DLL | DanabotLoader2021
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exe
description | pid | process | target process
PID 3028 created 3672 | 3028 | WerFault.exe | cqiiydonaie.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exe
flow | pid | process
36 | 3412 | WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
edenic.exe, godwitvp.exe, cqiiydonaie.exe, DpEditor.exe
pid | process
428 | edenic.exe
664 | godwitvp.exe
3672 | cqiiydonaie.exe
680 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
edenic.exe, godwitvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | edenic.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | edenic.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | godwitvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | godwitvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
-
Loads dropped DLL 2 IoCs
Processes:
0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe, rundll32.exe
pid | process
3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
1960 | rundll32.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe | themida
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe | themida
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe | themida
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe | themida
behavioral1/memory/428-122-0x0000000000840000-0x0000000000F2B000-memory.dmp | themida
behavioral1/memory/428-123-0x0000000000840000-0x0000000000F2B000-memory.dmp | themida
behavioral1/memory/664-124-0x0000000000B50000-0x000000000121D000-memory.dmp | themida
behavioral1/memory/428-125-0x0000000000840000-0x0000000000F2B000-memory.dmp | themida
behavioral1/memory/428-128-0x0000000000840000-0x0000000000F2B000-memory.dmp | themida
behavioral1/memory/664-126-0x0000000000B50000-0x000000000121D000-memory.dmp | themida
behavioral1/memory/664-130-0x0000000000B50000-0x000000000121D000-memory.dmp | themida
behavioral1/memory/664-131-0x0000000000B50000-0x000000000121D000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/680-141-0x0000000000300000-0x00000000009EB000-memory.dmp | themida
behavioral1/memory/680-142-0x0000000000300000-0x00000000009EB000-memory.dmp | themida
behavioral1/memory/680-143-0x0000000000300000-0x00000000009EB000-memory.dmp | themida
behavioral1/memory/680-144-0x0000000000300000-0x00000000009EB000-memory.dmp | themida
-
Processes:
edenic.exe, godwitvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | edenic.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | godwitvp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
18 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
edenic.exe, godwitvp.exe, DpEditor.exe
pid | process
428 | edenic.exe
664 | godwitvp.exe
680 | DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
3028 | 3672 | WerFault.exe | cqiiydonaie.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
godwitvp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | godwitvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | godwitvp.exe
-
Modifies registry class 1 IoCs
Processes:
godwitvp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | godwitvp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exe
pid | process
680 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
edenic.exe, godwitvp.exe, DpEditor.exe, WerFault.exe
pid | process
428 | edenic.exe
428 | edenic.exe
664 | godwitvp.exe
664 | godwitvp.exe
680 | DpEditor.exe
680 | DpEditor.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
3028 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exe
description | pid | process
Token: SeRestorePrivilege | 3028 | WerFault.exe
Token: SeBackupPrivilege | 3028 | WerFault.exe
Token: SeDebugPrivilege | 3028 | WerFault.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe, godwitvp.exe, edenic.exe, cqiiydonaie.exe
description | pid | process | target process
PID 3812 wrote to memory of 428 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | edenic.exe
PID 3812 wrote to memory of 428 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | edenic.exe
PID 3812 wrote to memory of 428 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | edenic.exe
PID 3812 wrote to memory of 664 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | godwitvp.exe
PID 3812 wrote to memory of 664 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | godwitvp.exe
PID 3812 wrote to memory of 664 | 3812 | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe | godwitvp.exe
PID 664 wrote to memory of 3672 | 664 | godwitvp.exe | cqiiydonaie.exe
PID 664 wrote to memory of 3672 | 664 | godwitvp.exe | cqiiydonaie.exe
PID 664 wrote to memory of 3672 | 664 | godwitvp.exe | cqiiydonaie.exe
PID 664 wrote to memory of 1700 | 664 | godwitvp.exe | WScript.exe
PID 664 wrote to memory of 1700 | 664 | godwitvp.exe | WScript.exe
PID 664 wrote to memory of 1700 | 664 | godwitvp.exe | WScript.exe
PID 428 wrote to memory of 680 | 428 | edenic.exe | DpEditor.exe
PID 428 wrote to memory of 680 | 428 | edenic.exe | DpEditor.exe
PID 428 wrote to memory of 680 | 428 | edenic.exe | DpEditor.exe
PID 664 wrote to memory of 3412 | 664 | godwitvp.exe | WScript.exe
PID 664 wrote to memory of 3412 | 664 | godwitvp.exe | WScript.exe
PID 664 wrote to memory of 3412 | 664 | godwitvp.exe | WScript.exe
PID 3672 wrote to memory of 1960 | 3672 | cqiiydonaie.exe | rundll32.exe
PID 3672 wrote to memory of 1960 | 3672 | cqiiydonaie.exe | rundll32.exe
PID 3672 wrote to memory of 1960 | 3672 | cqiiydonaie.exe | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe
"C:\Users\Admin\AppData\Local\Temp\0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3812

    C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
    "C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:428

        C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        PID:680

    C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
    "C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:664

        C:\Users\Admin\AppData\Local\Temp\cqiiydonaie.exe
        "C:\Users\Admin\AppData\Local\Temp\cqiiydonaie.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:3672

            C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CQIIYD~1.DLL,s C:\Users\Admin\AppData\Local\Temp\CQIIYD~1.EXE
            - Loads dropped DLL
            PID:1960

            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 576
            - Suspicious use of NtCreateProcessExOtherParentProcess
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3028

        C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nicemqnvj.vbs"
        PID:1700

        C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cgyqseqolovt.vbs"
        - Blocklisted process makes network request
        PID:3412
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\Local\Temp\CQIIYD~1.DLL
C:\Users\Admin\AppData\Local\Temp\cgyqseqolovt.vbs
C:\Users\Admin\AppData\Local\Temp\cqiiydonaie.exe
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
C:\Users\Admin\AppData\Local\Temp\nicemqnvj.vbs
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
\Users\Admin\AppData\Local\Temp\CQIIYD~1.DLL
\Users\Admin\AppData\Local\Temp\nsmA28B.tmp\UAC.dll