Analysis
max time kernel: 142s
max time network: 145s
platform: windows10_x64
resource: win10-en-20211208
submitted: 25-12-2021 11:58
Static task
static1
General
Target: 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
Size: 5.4MB
MD5: fe68fe5a435d3067c0a5919b369470be
SHA1: 3a87920670f578fe58f2fa485dfa3666939d679a
SHA256: 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38
SHA512: 54a0700b97a8c6cb0afd7936a7ef573392270fb330b072d88fcb540e7d65688dde3ada015e0abb1b19361b72617dcd2768f2bdf3c563256cab5ed3aef9688bb3
Malware Config
Extracted
danabot
4
142.11.244.223:443
192.236.194.72:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\PACLQA~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\PACLQA~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\PACLQA~1.DLL | DanabotLoader2021
behavioral1/memory/2300-156-0x00000000045A0000-0x000000000481D000-memory.dmp | DanabotLoader2021
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 3656 created 420 | 3656 | WerFault.exe | paclqap.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
flow | pid | process
32 | 3476 | WScript.exe
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: hughoc.exe, kulmetvp.exe, paclqap.exe, DpEditor.exe
pid | process
1564 | hughoc.exe
3184 | kulmetvp.exe
420 | paclqap.exe
3372 | DpEditor.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: hughoc.exe, kulmetvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | hughoc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | hughoc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kulmetvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kulmetvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Loads dropped DLL 3 IoCs
Processes: 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe, rundll32.exe
pid | process
2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
2300 | rundll32.exe
2300 | rundll32.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe | themida
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe | themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe | themida
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe | themida
behavioral1/memory/1564-123-0x0000000001230000-0x0000000001923000-memory.dmp | themida
behavioral1/memory/1564-124-0x0000000001230000-0x0000000001923000-memory.dmp | themida
behavioral1/memory/3184-125-0x0000000001380000-0x00000000019FE000-memory.dmp | themida
behavioral1/memory/1564-127-0x0000000001230000-0x0000000001923000-memory.dmp | themida
behavioral1/memory/3184-126-0x0000000001380000-0x00000000019FE000-memory.dmp | themida
behavioral1/memory/1564-128-0x0000000001230000-0x0000000001923000-memory.dmp | themida
behavioral1/memory/3184-129-0x0000000001380000-0x00000000019FE000-memory.dmp | themida
behavioral1/memory/3184-130-0x0000000001380000-0x00000000019FE000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/3372-143-0x00000000008C0000-0x0000000000FB3000-memory.dmp | themida
behavioral1/memory/3372-144-0x00000000008C0000-0x0000000000FB3000-memory.dmp | themida
behavioral1/memory/3372-145-0x00000000008C0000-0x0000000000FB3000-memory.dmp | themida
behavioral1/memory/3372-146-0x00000000008C0000-0x0000000000FB3000-memory.dmp | themida
Processes: hughoc.exe, kulmetvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hughoc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kulmetvp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: hughoc.exe, kulmetvp.exe, DpEditor.exe
pid | process
1564 | hughoc.exe
3184 | kulmetvp.exe
3372 | DpEditor.exe
Drops file in Program Files directory 3 IoCs
Processes: 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3656 | 420 | WerFault.exe | paclqap.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: kulmetvp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kulmetvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kulmetvp.exe
Modifies registry class 1 IoCs
Processes: kulmetvp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | kulmetvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
pid | process
3372 | DpEditor.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: hughoc.exe, kulmetvp.exe, DpEditor.exe, WerFault.exe
pid | process
1564 | hughoc.exe
1564 | hughoc.exe
3184 | kulmetvp.exe
3184 | kulmetvp.exe
3372 | DpEditor.exe
3372 | DpEditor.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
3656 | WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: WerFault.exe
description | pid | process
Token: SeRestorePrivilege | 3656 | WerFault.exe
Token: SeBackupPrivilege | 3656 | WerFault.exe
Token: SeDebugPrivilege | 3656 | WerFault.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe, kulmetvp.exe, hughoc.exe, paclqap.exe
description | pid | process | target process
PID 2740 wrote to memory of 1564 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | hughoc.exe
PID 2740 wrote to memory of 1564 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | hughoc.exe
PID 2740 wrote to memory of 1564 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | hughoc.exe
PID 2740 wrote to memory of 3184 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | kulmetvp.exe
PID 2740 wrote to memory of 3184 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | kulmetvp.exe
PID 2740 wrote to memory of 3184 | 2740 | 75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe | kulmetvp.exe
PID 3184 wrote to memory of 420 | 3184 | kulmetvp.exe | paclqap.exe
PID 3184 wrote to memory of 420 | 3184 | kulmetvp.exe | paclqap.exe
PID 3184 wrote to memory of 420 | 3184 | kulmetvp.exe | paclqap.exe
PID 3184 wrote to memory of 416 | 3184 | kulmetvp.exe | WScript.exe
PID 3184 wrote to memory of 416 | 3184 | kulmetvp.exe | WScript.exe
PID 3184 wrote to memory of 416 | 3184 | kulmetvp.exe | WScript.exe
PID 1564 wrote to memory of 3372 | 1564 | hughoc.exe | DpEditor.exe
PID 1564 wrote to memory of 3372 | 1564 | hughoc.exe | DpEditor.exe
PID 1564 wrote to memory of 3372 | 1564 | hughoc.exe | DpEditor.exe
PID 3184 wrote to memory of 3476 | 3184 | kulmetvp.exe | WScript.exe
PID 3184 wrote to memory of 3476 | 3184 | kulmetvp.exe | WScript.exe
PID 3184 wrote to memory of 3476 | 3184 | kulmetvp.exe | WScript.exe
PID 420 wrote to memory of 2300 | 420 | paclqap.exe | rundll32.exe
PID 420 wrote to memory of 2300 | 420 | paclqap.exe | rundll32.exe
PID 420 wrote to memory of 2300 | 420 | paclqap.exe | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe
"C:\Users\Admin\AppData\Local\Temp\75418ef4eef30a8a01341680675b7384d2aabab97b0e61fe6e814c34f6731e38.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\hughoc.exe" 2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe" 3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe
"C:\Users\Admin\AppData\Local\Temp\nutlet\kulmetvp.exe" 2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\paclqap.exe
"C:\Users\Admin\AppData\Local\Temp\paclqap.exe" 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PACLQA~1.DLL,s C:\Users\Admin\AppData\Local\Temp\paclqap.exe 4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 544 4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ovwiaihc.vbs" 3⤵
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ujorgpw.vbs" 3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads