Analysis
-
max time kernel
142s -
max time network
141s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
25-12-2021 05:52
Static task
static1
General
-
Target
3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe
-
Size
5.5MB
-
MD5
b853012145aabac760af9e9a0fe37b3e
-
SHA1
25bdf531d5fafeec8b02d3d2a09dfb5a1340e9c2
-
SHA256
3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35
-
SHA512
c66586730d1fc0751fc71b1e03597a7d6045d347221ed13179b393e8052f6c4050ce7e794861fc9fee2fd2fbc9a39dcb4e33530315b61b35784e487af0f95774
Malware Config
Extracted
danabot
4
142.11.244.223:443
192.236.194.72:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Signatures
-
Danabot Loader Component 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MMTCOL~1.DLL DanabotLoader2021 \Users\Admin\AppData\Local\Temp\MMTCOL~1.DLL DanabotLoader2021 -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 2252 created 4084 2252 WerFault.exe mmtcolpbkk.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 2 IoCs
Processes:
WScript.exeflow pid process 33 936 WScript.exe 34 936 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
hughoc.exekulmetvp.exemmtcolpbkk.exeDpEditor.exepid process 3644 hughoc.exe 3532 kulmetvp.exe 4084 mmtcolpbkk.exe 4396 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
hughoc.exekulmetvp.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion hughoc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kulmetvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kulmetvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion hughoc.exe -
Loads dropped DLL 2 IoCs
Processes:
3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exerundll32.exepid process 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe 1288 rundll32.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe themida C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe themida C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe themida C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe themida behavioral1/memory/3532-124-0x00000000009E0000-0x00000000010BA000-memory.dmp themida behavioral1/memory/3644-123-0x0000000000BE0000-0x00000000012C9000-memory.dmp themida behavioral1/memory/3644-122-0x0000000000BE0000-0x00000000012C9000-memory.dmp themida behavioral1/memory/3644-126-0x0000000000BE0000-0x00000000012C9000-memory.dmp themida behavioral1/memory/3532-125-0x00000000009E0000-0x00000000010BA000-memory.dmp themida behavioral1/memory/3532-127-0x00000000009E0000-0x00000000010BA000-memory.dmp themida behavioral1/memory/3644-128-0x0000000000BE0000-0x00000000012C9000-memory.dmp themida behavioral1/memory/3532-129-0x00000000009E0000-0x00000000010BA000-memory.dmp themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/4396-143-0x0000000000910000-0x0000000000FF9000-memory.dmp themida behavioral1/memory/4396-144-0x0000000000910000-0x0000000000FF9000-memory.dmp themida behavioral1/memory/4396-145-0x0000000000910000-0x0000000000FF9000-memory.dmp themida behavioral1/memory/4396-146-0x0000000000910000-0x0000000000FF9000-memory.dmp themida -
Processes:
kulmetvp.exeDpEditor.exehughoc.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kulmetvp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hughoc.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
hughoc.exekulmetvp.exeDpEditor.exepid process 3644 hughoc.exe 3532 kulmetvp.exe 4396 DpEditor.exe -
Drops file in Program Files directory 3 IoCs
Processes:
3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exedescription ioc process File created C:\Program Files (x86)\foler\olader\adprovider.dll 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe File created C:\Program Files (x86)\foler\olader\acledit.dll 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe File created C:\Program Files (x86)\foler\olader\acppage.dll 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2252 4084 WerFault.exe mmtcolpbkk.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
kulmetvp.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 kulmetvp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString kulmetvp.exe -
Modifies registry class 1 IoCs
Processes:
kulmetvp.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings kulmetvp.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 4396 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
hughoc.exekulmetvp.exeDpEditor.exeWerFault.exepid process 3644 hughoc.exe 3644 hughoc.exe 3532 kulmetvp.exe 3532 kulmetvp.exe 4396 DpEditor.exe 4396 DpEditor.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe 2252 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2252 WerFault.exe Token: SeBackupPrivilege 2252 WerFault.exe Token: SeDebugPrivilege 2252 WerFault.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exekulmetvp.exehughoc.exemmtcolpbkk.exedescription pid process target process PID 3404 wrote to memory of 3644 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe hughoc.exe PID 3404 wrote to memory of 3644 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe hughoc.exe PID 3404 wrote to memory of 3644 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe hughoc.exe PID 3404 wrote to memory of 3532 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe kulmetvp.exe PID 3404 wrote to memory of 3532 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe kulmetvp.exe PID 3404 wrote to memory of 3532 3404 3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe kulmetvp.exe PID 3532 wrote to memory of 4084 3532 kulmetvp.exe mmtcolpbkk.exe PID 3532 wrote to memory of 4084 3532 kulmetvp.exe mmtcolpbkk.exe PID 3532 wrote to memory of 4084 3532 kulmetvp.exe mmtcolpbkk.exe PID 3532 wrote to memory of 3980 3532 kulmetvp.exe WScript.exe PID 3532 wrote to memory of 3980 3532 kulmetvp.exe WScript.exe PID 3532 wrote to memory of 3980 3532 kulmetvp.exe WScript.exe PID 3644 wrote to memory of 4396 3644 hughoc.exe DpEditor.exe PID 3644 wrote to memory of 4396 3644 hughoc.exe DpEditor.exe PID 3644 wrote to memory of 4396 3644 hughoc.exe DpEditor.exe PID 3532 wrote to memory of 936 3532 kulmetvp.exe WScript.exe PID 3532 wrote to memory of 936 3532 kulmetvp.exe WScript.exe PID 3532 wrote to memory of 936 3532 kulmetvp.exe WScript.exe PID 4084 wrote to memory of 1288 4084 mmtcolpbkk.exe rundll32.exe PID 4084 wrote to memory of 1288 4084 mmtcolpbkk.exe rundll32.exe PID 4084 wrote to memory of 1288 4084 mmtcolpbkk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe"C:\Users\Admin\AppData\Local\Temp\3f8974ef9b6a429376d46e082bbb9cb418417f25dcc744837c5b36efaf4c3f35.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe"C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe"C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\mmtcolpbkk.exe"C:\Users\Admin\AppData\Local\Temp\mmtcolpbkk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MMTCOL~1.DLL,s C:\Users\Admin\AppData\Local\Temp\MMTCOL~1.EXE4⤵
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 5564⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccyrdvu.vbs"3⤵PID:3980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kvvbkmbi.vbs"3⤵
- Blocklisted process makes network request
PID:936
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
7efc5526e4b634ca68a5a28213218059
SHA1c5fb622be6c3e961591fb9345e776e129fc035ef
SHA256ef4c2dadc710f749e5c236bb5fc5f4e500666ec89e808d0ccd99fbca8cbe3a91
SHA512b31f4e41abaf1ec16e10059f63beeb7a1f0bbd877f26adc4baca5ca319f02ad7f549819cdbd599c1e548ece4320857e3a39189c6d60d9872848f09a9681e9e77
-
C:\Users\Admin\AppData\Local\Temp\MMTCOL~1.DLLMD5
151e6f9525a132844cb80472ed5c77a1
SHA1cbad2999ddf30169dc09bc565b291e7112ea01ec
SHA2567bc5454b5eb9455f62959ab2b1f24961f3c6bcb611451027555500bdafa928e6
SHA5126a4d984966d6736c30a1562cc1cc9e9ada6fb277b4f4c2801049d1e622082a74fe7e1da36ff2267958aac59d689a222fb6a2a9a99e1e3991c58e1b8d8a9cd012
-
C:\Users\Admin\AppData\Local\Temp\ccyrdvu.vbsMD5
720ab043b9b8be0754c9b418e14201fe
SHA18ab242054facabc43c4b19c7c42b191837dd80f1
SHA256870e78dde3df08157ed44dc3fd39b92e6f7dfab44ab3687c3f59978e242bc5ba
SHA512d73766cd5591ef48be0cae271264763630ce7c78a836a1f4e649917b7fd175008908f5677d9d362574d1597f1e5a90dd2b7dd395fcf70d26d0889ab5d59e6727
-
C:\Users\Admin\AppData\Local\Temp\kvvbkmbi.vbsMD5
95349701ea728f8fc605930cc710bd57
SHA16dea4b2d2a941bab4a2c231e49b3ca3360d8e2e8
SHA256c0015eb53a17f5b3390c2774a55f0077200ef4edd9cf44546ec75dd9322172dd
SHA512d451441eb41d6d0fb177eda03215e497300fe03e4e4c5bbce1b22332b0615f201faf164a491eb1cface0a5eedf1e6064605e3b6ee1fdbf184f177205bbbc8ab7
-
C:\Users\Admin\AppData\Local\Temp\mmtcolpbkk.exeMD5
1f64ff2c89d8707c0cd78a8fe6a7032c
SHA1846441f9d4eb60912f7dbdc86b1cdea33338edc6
SHA256e99a92c295b18b10760201a9d13e9ef1f1f19d1c2d0253c191011935f8ce7736
SHA5123f09a22bdc7ed161ab5465b3c30e9006adfc1294fab72cd92f7d98e957ce677d3524d2d648d1b9f23e8b06329b8ffb1f41aa58123e61adf444892ec7c223caf1
-
C:\Users\Admin\AppData\Local\Temp\mmtcolpbkk.exeMD5
1f64ff2c89d8707c0cd78a8fe6a7032c
SHA1846441f9d4eb60912f7dbdc86b1cdea33338edc6
SHA256e99a92c295b18b10760201a9d13e9ef1f1f19d1c2d0253c191011935f8ce7736
SHA5123f09a22bdc7ed161ab5465b3c30e9006adfc1294fab72cd92f7d98e957ce677d3524d2d648d1b9f23e8b06329b8ffb1f41aa58123e61adf444892ec7c223caf1
-
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exeMD5
0019785ef16b9d250b3663c51b8df159
SHA1527fc20c982e535116755d3415acfc397235c21b
SHA2565f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83
SHA512d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888
-
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exeMD5
0019785ef16b9d250b3663c51b8df159
SHA1527fc20c982e535116755d3415acfc397235c21b
SHA2565f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83
SHA512d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888
-
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exeMD5
9dd925d43100d4e9a466cc7d0681213d
SHA1ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79
SHA25682ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf
SHA5122677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7
-
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exeMD5
9dd925d43100d4e9a466cc7d0681213d
SHA1ba8945827c9aa094b5bcb8cb8aa2d1fad1e74d79
SHA25682ee9213fbcd132441778404eaf72ff4867eaa78d6d919b4746b3d769d7640cf
SHA5122677542ff54a2608de9cf35a0fef2383a646c93b7002fb64169fe947fa915d78f4ed5e5fd6dd8471672082db24268cb5c2e87e345afc054f8bb23e7a0fc913a7
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
0019785ef16b9d250b3663c51b8df159
SHA1527fc20c982e535116755d3415acfc397235c21b
SHA2565f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83
SHA512d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
0019785ef16b9d250b3663c51b8df159
SHA1527fc20c982e535116755d3415acfc397235c21b
SHA2565f81fe3b07dd7cb4cb007867040928b81b3d5abd8cae2997eeae24d056c12e83
SHA512d474ef3f4ac5dd8f3456948bc6a484c178f97435958a22849bec056025bc1658d077bbe0d671a5c6c90166b5e15efa3ed95cee819f243d322aa2adafab3f3888
-
\Users\Admin\AppData\Local\Temp\MMTCOL~1.DLLMD5
151e6f9525a132844cb80472ed5c77a1
SHA1cbad2999ddf30169dc09bc565b291e7112ea01ec
SHA2567bc5454b5eb9455f62959ab2b1f24961f3c6bcb611451027555500bdafa928e6
SHA5126a4d984966d6736c30a1562cc1cc9e9ada6fb277b4f4c2801049d1e622082a74fe7e1da36ff2267958aac59d689a222fb6a2a9a99e1e3991c58e1b8d8a9cd012
-
\Users\Admin\AppData\Local\Temp\nssA347.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/936-148-0x0000000000000000-mapping.dmp
-
memory/1288-152-0x0000000000000000-mapping.dmp
-
memory/3532-124-0x00000000009E0000-0x00000000010BA000-memory.dmpFilesize
6.9MB
-
memory/3532-131-0x0000000077000000-0x000000007718E000-memory.dmpFilesize
1.6MB
-
memory/3532-129-0x00000000009E0000-0x00000000010BA000-memory.dmpFilesize
6.9MB
-
memory/3532-127-0x00000000009E0000-0x00000000010BA000-memory.dmpFilesize
6.9MB
-
memory/3532-125-0x00000000009E0000-0x00000000010BA000-memory.dmpFilesize
6.9MB
-
memory/3532-119-0x0000000000000000-mapping.dmp
-
memory/3644-130-0x0000000077000000-0x000000007718E000-memory.dmpFilesize
1.6MB
-
memory/3644-128-0x0000000000BE0000-0x00000000012C9000-memory.dmpFilesize
6.9MB
-
memory/3644-126-0x0000000000BE0000-0x00000000012C9000-memory.dmpFilesize
6.9MB
-
memory/3644-122-0x0000000000BE0000-0x00000000012C9000-memory.dmpFilesize
6.9MB
-
memory/3644-123-0x0000000000BE0000-0x00000000012C9000-memory.dmpFilesize
6.9MB
-
memory/3644-116-0x0000000000000000-mapping.dmp
-
memory/3980-135-0x0000000000000000-mapping.dmp
-
memory/4084-138-0x0000000000CA0000-0x0000000000E47000-memory.dmpFilesize
1.7MB
-
memory/4084-139-0x0000000000400000-0x0000000000650000-memory.dmpFilesize
2.3MB
-
memory/4084-137-0x0000000000B04000-0x0000000000C95000-memory.dmpFilesize
1.6MB
-
memory/4084-132-0x0000000000000000-mapping.dmp
-
memory/4396-145-0x0000000000910000-0x0000000000FF9000-memory.dmpFilesize
6.9MB
-
memory/4396-146-0x0000000000910000-0x0000000000FF9000-memory.dmpFilesize
6.9MB
-
memory/4396-147-0x0000000077000000-0x000000007718E000-memory.dmpFilesize
1.6MB
-
memory/4396-144-0x0000000000910000-0x0000000000FF9000-memory.dmpFilesize
6.9MB
-
memory/4396-143-0x0000000000910000-0x0000000000FF9000-memory.dmpFilesize
6.9MB
-
memory/4396-140-0x0000000000000000-mapping.dmp