Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
20-12-2021 17:30
Static task
static1
General
-
Target
0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe
-
Size
5.4MB
-
MD5
e946313323a4fab93d139a9e3861e5ef
-
SHA1
19c67ccdfbfc3971d31b5827f185009976072936
-
SHA256
0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209
-
SHA512
a85beddb32dbd48b802387b32a856f4fcb91916fcbc099e279c706e9ac553e75e34370a511720c9eee77f436922de71a68e746a5ed002282e13e44a1165b8ed0
Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\AJXBRP~1.DLL DanabotLoader2021 \Users\Admin\AppData\Local\Temp\AJXBRP~1.DLL DanabotLoader2021 \Users\Admin\AppData\Local\Temp\AJXBRP~1.DLL DanabotLoader2021 behavioral1/memory/2416-156-0x00000000040A0000-0x000000000431A000-memory.dmp DanabotLoader2021 -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1448 created 3164 1448 WerFault.exe ajxbrplumyh.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 31 4016 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
napaea.exeoutwitvp.exeajxbrplumyh.exeDpEditor.exepid process 2248 napaea.exe 3784 outwitvp.exe 3164 ajxbrplumyh.exe 652 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
outwitvp.exeDpEditor.exenapaea.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion outwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion outwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion napaea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion napaea.exe -
Loads dropped DLL 3 IoCs
Processes:
0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exerundll32.exepid process 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe 2416 rundll32.exe 2416 rundll32.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe themida C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe themida C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe themida C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe themida behavioral1/memory/2248-122-0x0000000000E10000-0x00000000014E6000-memory.dmp themida behavioral1/memory/2248-123-0x0000000000E10000-0x00000000014E6000-memory.dmp themida behavioral1/memory/2248-124-0x0000000000E10000-0x00000000014E6000-memory.dmp themida behavioral1/memory/2248-125-0x0000000000E10000-0x00000000014E6000-memory.dmp themida behavioral1/memory/3784-126-0x0000000000200000-0x00000000008E1000-memory.dmp themida behavioral1/memory/3784-127-0x0000000000200000-0x00000000008E1000-memory.dmp themida behavioral1/memory/3784-128-0x0000000000200000-0x00000000008E1000-memory.dmp themida behavioral1/memory/3784-129-0x0000000000200000-0x00000000008E1000-memory.dmp themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/652-141-0x00000000011B0000-0x0000000001886000-memory.dmp themida behavioral1/memory/652-142-0x00000000011B0000-0x0000000001886000-memory.dmp themida behavioral1/memory/652-143-0x00000000011B0000-0x0000000001886000-memory.dmp themida behavioral1/memory/652-144-0x00000000011B0000-0x0000000001886000-memory.dmp themida -
Processes:
outwitvp.exeDpEditor.exenapaea.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA outwitvp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA napaea.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
napaea.exeoutwitvp.exeDpEditor.exepid process 2248 napaea.exe 3784 outwitvp.exe 652 DpEditor.exe -
Drops file in Program Files directory 3 IoCs
Processes:
0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exedescription ioc process File created C:\Program Files (x86)\foler\olader\acppage.dll 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe File created C:\Program Files (x86)\foler\olader\adprovider.dll 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe File created C:\Program Files (x86)\foler\olader\acledit.dll 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1448 3164 WerFault.exe ajxbrplumyh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
outwitvp.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 outwitvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString outwitvp.exe -
Modifies registry class 1 IoCs
Processes:
outwitvp.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings outwitvp.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 652 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
napaea.exeoutwitvp.exeDpEditor.exeWerFault.exepid process 2248 napaea.exe 2248 napaea.exe 3784 outwitvp.exe 3784 outwitvp.exe 652 DpEditor.exe 652 DpEditor.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe 1448 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1448 WerFault.exe Token: SeBackupPrivilege 1448 WerFault.exe Token: SeDebugPrivilege 1448 WerFault.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exeoutwitvp.exenapaea.exeajxbrplumyh.exedescription pid process target process PID 3476 wrote to memory of 2248 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe napaea.exe PID 3476 wrote to memory of 2248 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe napaea.exe PID 3476 wrote to memory of 2248 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe napaea.exe PID 3476 wrote to memory of 3784 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe outwitvp.exe PID 3476 wrote to memory of 3784 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe outwitvp.exe PID 3476 wrote to memory of 3784 3476 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe outwitvp.exe PID 3784 wrote to memory of 3164 3784 outwitvp.exe ajxbrplumyh.exe PID 3784 wrote to memory of 3164 3784 outwitvp.exe ajxbrplumyh.exe PID 3784 wrote to memory of 3164 3784 outwitvp.exe ajxbrplumyh.exe PID 3784 wrote to memory of 2216 3784 outwitvp.exe WScript.exe PID 3784 wrote to memory of 2216 3784 outwitvp.exe WScript.exe PID 3784 wrote to memory of 2216 3784 outwitvp.exe WScript.exe PID 2248 wrote to memory of 652 2248 napaea.exe DpEditor.exe PID 2248 wrote to memory of 652 2248 napaea.exe DpEditor.exe PID 2248 wrote to memory of 652 2248 napaea.exe DpEditor.exe PID 3784 wrote to memory of 4016 3784 outwitvp.exe WScript.exe PID 3784 wrote to memory of 4016 3784 outwitvp.exe WScript.exe PID 3784 wrote to memory of 4016 3784 outwitvp.exe WScript.exe PID 3164 wrote to memory of 2416 3164 ajxbrplumyh.exe rundll32.exe PID 3164 wrote to memory of 2416 3164 ajxbrplumyh.exe rundll32.exe PID 3164 wrote to memory of 2416 3164 ajxbrplumyh.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe"C:\Users\Admin\AppData\Local\Temp\0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ajxbrplumyh.exe"C:\Users\Admin\AppData\Local\Temp\ajxbrplumyh.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AJXBRP~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AJXBRP~1.EXE4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 5764⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ohocgkdjiqax.vbs"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tnfwuqovx.vbs"3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
f1845618152d924adee4ffb1fe7e852a
SHA1b9457b95f13cc49c0249e9ab4aab6a4f415cc7f9
SHA2560a12cf0b81cd356d9c79be42c4be3bf34f16890a16ae42cfa9dca70e1744cf6d
SHA512366d23c4d04ed95e91949c7aafa68688cd277db13bfc98e94387a46adaffcfa2332045607689867a91214bf247f5c8586f9e174858514440ad1cbadad9bc0aee
-
C:\Users\Admin\AppData\Local\Temp\AJXBRP~1.DLLMD5
82c926c1e5b0315301ae4cd67525515a
SHA172a1e116dadf7fb06ee444dd5d849403cd3eaa07
SHA256c7ce8f1c2e580312fb8ee928d49bb23183328976969f3c2e1e87b2bb6d05b72f
SHA512951730c9c6aae653a3bace4671a83397658abbb8b1c008b2e70828c155004797e416e6bfc1469968b20e2952bfc82fcf21257b5b8f9d7a6f59fb3ce620d8002a
-
C:\Users\Admin\AppData\Local\Temp\ajxbrplumyh.exeMD5
987539956cc5e47cb0bd3c6162ad62bb
SHA1aa85bd9477f41bcbe19983aedf4702d2390c2893
SHA2569e241b853d30b10cc826fc648d611fe56d38da7fe274856e33ab4fa441645222
SHA512f47e4bfdf3bf5c2ed33686309d22d57dd70016b7c8538bb5afc48697005b5ebdd3fe526f4614f0d70b53b7c725c925ddbe54bb2a6ce676ba94016c69a8647032
-
C:\Users\Admin\AppData\Local\Temp\ajxbrplumyh.exeMD5
987539956cc5e47cb0bd3c6162ad62bb
SHA1aa85bd9477f41bcbe19983aedf4702d2390c2893
SHA2569e241b853d30b10cc826fc648d611fe56d38da7fe274856e33ab4fa441645222
SHA512f47e4bfdf3bf5c2ed33686309d22d57dd70016b7c8538bb5afc48697005b5ebdd3fe526f4614f0d70b53b7c725c925ddbe54bb2a6ce676ba94016c69a8647032
-
C:\Users\Admin\AppData\Local\Temp\ohocgkdjiqax.vbsMD5
792f4ef375fc0bd9eb0c7c9f48384548
SHA142ccbe64670601dfe0617a327a64c970cc361e52
SHA256765b0e7f6a40d2eae7d84f44f5b1a914eb37c3223e511e0579bdef28389ce4cb
SHA51222174133febfebc28e5582bbbf7095d7354744ee466d9c3bdc531b99bb893a2c65079e2fcfdd88f0c07b3cb30c6f04a5db589bfdf4ebdcdad7f5ed8ee4edb10f
-
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exeMD5
75182fea96cd2dea68a23d360fb647c8
SHA1992c5fe1ac704528a505bb42162a421e3d29b7cb
SHA2563eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c
SHA512649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0
-
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exeMD5
75182fea96cd2dea68a23d360fb647c8
SHA1992c5fe1ac704528a505bb42162a421e3d29b7cb
SHA2563eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c
SHA512649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0
-
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exeMD5
948b5f54439e4bcfd1c17cb9ae8d1ed3
SHA1e7236e3cb35a7c9caace5aa7f570dbb2311ba736
SHA256ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de
SHA512e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf
-
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exeMD5
948b5f54439e4bcfd1c17cb9ae8d1ed3
SHA1e7236e3cb35a7c9caace5aa7f570dbb2311ba736
SHA256ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de
SHA512e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf
-
C:\Users\Admin\AppData\Local\Temp\tnfwuqovx.vbsMD5
e111363ca8fc9ebc4692499d9eb3c187
SHA1d6144ff4ea13879db186712a8577e9d432879723
SHA256f8d18cdbb30bb01bf5d032f75106ebf2aa5c50749731f8c1364f46e6320594bc
SHA512164c786d8bad32f94a2da71578339b02d9501785c0cef726d99d3f4bccb7695e9704a01259822229269ce0c1f2173a1c57868be20d3bd2dbebb4279699946e2f
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
75182fea96cd2dea68a23d360fb647c8
SHA1992c5fe1ac704528a505bb42162a421e3d29b7cb
SHA2563eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c
SHA512649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
75182fea96cd2dea68a23d360fb647c8
SHA1992c5fe1ac704528a505bb42162a421e3d29b7cb
SHA2563eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c
SHA512649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0
-
\Users\Admin\AppData\Local\Temp\AJXBRP~1.DLLMD5
82c926c1e5b0315301ae4cd67525515a
SHA172a1e116dadf7fb06ee444dd5d849403cd3eaa07
SHA256c7ce8f1c2e580312fb8ee928d49bb23183328976969f3c2e1e87b2bb6d05b72f
SHA512951730c9c6aae653a3bace4671a83397658abbb8b1c008b2e70828c155004797e416e6bfc1469968b20e2952bfc82fcf21257b5b8f9d7a6f59fb3ce620d8002a
-
\Users\Admin\AppData\Local\Temp\AJXBRP~1.DLLMD5
82c926c1e5b0315301ae4cd67525515a
SHA172a1e116dadf7fb06ee444dd5d849403cd3eaa07
SHA256c7ce8f1c2e580312fb8ee928d49bb23183328976969f3c2e1e87b2bb6d05b72f
SHA512951730c9c6aae653a3bace4671a83397658abbb8b1c008b2e70828c155004797e416e6bfc1469968b20e2952bfc82fcf21257b5b8f9d7a6f59fb3ce620d8002a
-
\Users\Admin\AppData\Local\Temp\nsm1579.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/652-140-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/652-141-0x00000000011B0000-0x0000000001886000-memory.dmpFilesize
6.8MB
-
memory/652-142-0x00000000011B0000-0x0000000001886000-memory.dmpFilesize
6.8MB
-
memory/652-143-0x00000000011B0000-0x0000000001886000-memory.dmpFilesize
6.8MB
-
memory/652-144-0x00000000011B0000-0x0000000001886000-memory.dmpFilesize
6.8MB
-
memory/652-137-0x0000000000000000-mapping.dmp
-
memory/2216-135-0x0000000000000000-mapping.dmp
-
memory/2248-125-0x0000000000E10000-0x00000000014E6000-memory.dmpFilesize
6.8MB
-
memory/2248-124-0x0000000000E10000-0x00000000014E6000-memory.dmpFilesize
6.8MB
-
memory/2248-116-0x0000000000000000-mapping.dmp
-
memory/2248-130-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/2248-122-0x0000000000E10000-0x00000000014E6000-memory.dmpFilesize
6.8MB
-
memory/2248-123-0x0000000000E10000-0x00000000014E6000-memory.dmpFilesize
6.8MB
-
memory/2416-156-0x00000000040A0000-0x000000000431A000-memory.dmpFilesize
2.5MB
-
memory/2416-152-0x0000000000000000-mapping.dmp
-
memory/3164-146-0x00000000025A0000-0x0000000002745000-memory.dmpFilesize
1.6MB
-
memory/3164-132-0x0000000000000000-mapping.dmp
-
memory/3164-147-0x0000000000400000-0x0000000000655000-memory.dmpFilesize
2.3MB
-
memory/3164-145-0x0000000002408000-0x0000000002596000-memory.dmpFilesize
1.6MB
-
memory/3784-126-0x0000000000200000-0x00000000008E1000-memory.dmpFilesize
6.9MB
-
memory/3784-127-0x0000000000200000-0x00000000008E1000-memory.dmpFilesize
6.9MB
-
memory/3784-128-0x0000000000200000-0x00000000008E1000-memory.dmpFilesize
6.9MB
-
memory/3784-119-0x0000000000000000-mapping.dmp
-
memory/3784-129-0x0000000000200000-0x00000000008E1000-memory.dmpFilesize
6.9MB
-
memory/3784-131-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/4016-148-0x0000000000000000-mapping.dmp