Analysis
-
max time kernel
151s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-10-2022 17:06
General
-
Target
dad2eba4c90ce1e62ba842516e64cacd4daf1d3212bc95ac06a313c48dbefa98.exe
-
Size
255KB
-
MD5
db6ff718c9b713a3cb847be4f06ddcab
-
SHA1
cf9960f1e7abd836390a090f9710430828a4df53
-
SHA256
dad2eba4c90ce1e62ba842516e64cacd4daf1d3212bc95ac06a313c48dbefa98
-
SHA512
32d78186df350fef442e5cda5d22f597aed9c8b616c2ef673fd84e06e175e6ea44ec58f22aee6a5b7b7f0da89bc341421cf660b93ae17c143a4090139d9344a2
-
SSDEEP
6144:Iu7fLcAhELLN89bTam9aUMpzHti4p+ui:IqoAhELp85TamIhNi4U
Malware Config
Extracted
danabot
-
embedded_hash
569235DCA8F16ED8310BBACCB674F896
-
type
loader
Extracted
vidar
55.2
937
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
937
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 47 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dad2eba4c90ce1e62ba842516e64cacd4daf1d3212bc95ac06a313c48dbefa98.exe"C:\Users\Admin\AppData\Local\Temp\dad2eba4c90ce1e62ba842516e64cacd4daf1d3212bc95ac06a313c48dbefa98.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F244.exeC:\Users\Admin\AppData\Local\Temp\F244.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\agentactivationruntimestarter.exeC:\Windows\system32\agentactivationruntimestarter.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 6522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 9962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 10082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 10082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 11362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 12082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 12322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 11922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 10562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 14202⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x2ec1⤵
-
C:\Users\Admin\AppData\Local\Temp\69B7.exeC:\Users\Admin\AppData\Local\Temp\69B7.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\05102500038626919489.exe"C:\ProgramData\05102500038626919489.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.bat" "3⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Steam.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\69B7.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 19602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 364 -ip 3641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3252 -ip 32521⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3252 -ip 32521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\05102500038626919489.exeFilesize
389KB
MD55ec52400b61c5b586e24a85fa0a2318f
SHA1579d8cfcf508c81e6e45e47186f33221d47563f3
SHA25626f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd
SHA512b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b
-
C:\ProgramData\05102500038626919489.exeFilesize
389KB
MD55ec52400b61c5b586e24a85fa0a2318f
SHA1579d8cfcf508c81e6e45e47186f33221d47563f3
SHA25626f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd
SHA512b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\sqlite3.dllFilesize
1.1MB
MD51f44d4d3087c2b202cf9c90ee9d04b0f
SHA1106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA2564841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45
-
C:\Users\Admin\AppData\Local\Temp\69B7.exeFilesize
318KB
MD5e58c70e8e2cde5c7aee3975db0a2e559
SHA14c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe
SHA2562a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf
SHA512b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8
-
C:\Users\Admin\AppData\Local\Temp\69B7.exeFilesize
318KB
MD5e58c70e8e2cde5c7aee3975db0a2e559
SHA14c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe
SHA2562a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf
SHA512b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exeFilesize
275KB
MD5119ee6d6dcfa21f32dd9db95b365f256
SHA142d7f74eab4682928b03e577e2f5b9e6a2d95356
SHA256ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146
SHA512cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exeFilesize
275KB
MD5119ee6d6dcfa21f32dd9db95b365f256
SHA142d7f74eab4682928b03e577e2f5b9e6a2d95356
SHA256ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146
SHA512cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.batFilesize
475B
MD5979e62632d7fcd1c5f022d524dac901a
SHA10335075559e0e2b3d095920eae545a635fb1f61e
SHA2566f90b594a016a0814d30cbb0aa665ebede4b710927efd5ef96ec518088b1e553
SHA512dad192359ffc7f42d832b0e841553b9342293705db0adefa19edf6c47953bb61a0787cf2f7e0022ee52c5fab3571af7c2167e25ca93903c33693f825c07b961d
-
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.logFilesize
1KB
MD5f100bb8b2cb884eaeb980fec005fda2a
SHA135b381fb5f67e27d337a9be9a9a80f99a62ade7b
SHA256ab5bbad92eb5b118a83152c34f7d011cd7ebd55e0774e7649b5bd6084c6bb807
SHA512f199706af09ab1ec2fd2e1a23055f1d898271bb27ef067b992dece2677e74854023188a7c7c2f8836e7f64854b0bc6b190684b300f0da973d8bd96c3497346b2
-
C:\Users\Admin\AppData\Local\Temp\F244.exeFilesize
8.4MB
MD5febec851b0cd98f6b628a1ef567f6ecb
SHA172409831f8ddf8b7e97be8a63af7c7d93fed8249
SHA256d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34
SHA512545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3
-
C:\Users\Admin\AppData\Local\Temp\F244.exeFilesize
8.4MB
MD5febec851b0cd98f6b628a1ef567f6ecb
SHA172409831f8ddf8b7e97be8a63af7c7d93fed8249
SHA256d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34
SHA512545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3
-
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.logFilesize
25KB
MD581afc5fdc60ea77324d4d8c4438e6510
SHA14b21359d6a24d7096bd1f5afe2c100cb06829352
SHA256c3db936d22f55c93214a38a5cc2b7a042b298822db68af0b4a574df37a1820db
SHA51287e49d7bcf9f7d383ccf98ec4125402749db4bf954b8dc7c64177dd1ed254916a5b9a03903ccc01f0fc6bf635dc8640d3f9961156cd23882896c9b23fb472dcc
-
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmpFilesize
3.3MB
MD513d0ff809f24a408728fd6fe00241020
SHA1fde8484da982eceb86cf6959460ffc4ce33271a9
SHA256db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520
SHA51238dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768
-
C:\Users\Admin\AppData\Local\Temp\TMKNGOMU-20220812-1924.logFilesize
56KB
MD5942061e415bb8ead9b5a5218d5c14343
SHA16017ef310882921100fa81965ff75e420200507d
SHA2561226acee43898580e53859127ed657800319973cb60df51155e5c8a7ce45e895
SHA512b0a93f95992a6389ba9913d8ca29aaba421f25aea2463244468f3279185f88dddd3db4ecc9d58e4c73ac9901465548df24150978f3bc8a943376a176f605cddd
-
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txtFilesize
1KB
MD5807032b7314049329ebd06853899378d
SHA15b92011b163eb80836c163163d7350731fac9bd8
SHA256833a02f36dfa5affbce525ec3c8ff76f17884fa6f058a31247aae3a5afc4f447
SHA5122737573f6f344754cfd0d2562458743608a626fd03e21f728f459f49d2f529b85ae7f4be83cf91f0365e7275681458bf1baefc0e100c46a9ec07fe1638803241
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI50B8.txtFilesize
11KB
MD52d3d4b9bab706bc5873482be100e0851
SHA147cc8742c34ac728a62d4a4705a50c661d247944
SHA256fd5ac2a1c3c9c587a7ed459f1ee4f8074f6643bc8557d9c8bec3c1582568c405
SHA512b423281011e69f3957cda935ae25acd69c65ddeb29bb8d10c5159c72e53e55c609071d5a0109366962b87e538e7fc10300eee6baef8dbc613d112792f190c8e1
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
265KB
MD555d18fd015e28a95ae56b4e8389250dc
SHA1f040e628caba414a46cf2ea5007cc15b5cfefc19
SHA25631027983935b7afcf422452e2ab35d583aad46a68ba867e0bfaeb2d0ca3268a6
SHA5128ee86c7a9248245c5053def53f407357c85deb0759f99198a392185c00e4d536640b69b05739ed304f08f999824eab96a1d76438528daef96be36ad3c1eeb3bd
-
C:\Users\Admin\AppData\Local\Temp\msedge_installer.logFilesize
3KB
MD59ff44423a176ce26a4c7a07b31228885
SHA14fc43105c7c45af784e366d70186909dae5e3d60
SHA256dad5b6d0b662cfad2be7ff91c9fae6df5560d8c060945c2e500161dec02e7c3d
SHA512d650e64ef28bc8da2fcbf686fd1fda891e2d5d4f22ee2bfa69bcba01cd4369eacfcb362f4d8e8f69bab317eaa5b4d0644da0fe5ee5935c9d284ce625ddbcc5bf
-
C:\Users\Admin\AppData\Local\Temp\wctA1E8.tmpFilesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c
-
C:\Users\Admin\AppData\Local\Temp\wctC4C7.tmpFilesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c
-
memory/364-166-0x0000000000400000-0x0000000002C3D000-memory.dmpFilesize
40.2MB
-
memory/364-148-0x0000000004860000-0x00000000048A9000-memory.dmpFilesize
292KB
-
memory/364-144-0x0000000000000000-mapping.dmp
-
memory/364-147-0x0000000002ED3000-0x0000000002EFF000-memory.dmpFilesize
176KB
-
memory/364-149-0x0000000000400000-0x0000000002C3D000-memory.dmpFilesize
40.2MB
-
memory/364-162-0x0000000002ED3000-0x0000000002EFF000-memory.dmpFilesize
176KB
-
memory/872-153-0x0000000000000000-mapping.dmp
-
memory/1056-135-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/1056-134-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/1056-132-0x0000000002ED2000-0x0000000002EE7000-memory.dmpFilesize
84KB
-
memory/1056-133-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/1120-157-0x0000000000000000-mapping.dmp
-
memory/1472-139-0x0000000000000000-mapping.dmp
-
memory/2916-160-0x0000000000000000-mapping.dmp
-
memory/3252-177-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-178-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-170-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/3252-171-0x00000000073D0000-0x0000000007E82000-memory.dmpFilesize
10.7MB
-
memory/3252-172-0x00000000073D0000-0x0000000007E82000-memory.dmpFilesize
10.7MB
-
memory/3252-173-0x00000000073D0000-0x0000000007E82000-memory.dmpFilesize
10.7MB
-
memory/3252-174-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-175-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-176-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-169-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/3252-179-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-141-0x0000000005930000-0x0000000006306000-memory.dmpFilesize
9.8MB
-
memory/3252-200-0x00000000073D0000-0x0000000007E82000-memory.dmpFilesize
10.7MB
-
memory/3252-181-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-180-0x00000000080F0000-0x0000000008230000-memory.dmpFilesize
1.2MB
-
memory/3252-196-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/3252-142-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/3252-136-0x0000000000000000-mapping.dmp
-
memory/3252-140-0x0000000003950000-0x000000000418B000-memory.dmpFilesize
8.2MB
-
memory/3252-143-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/3620-161-0x0000000000000000-mapping.dmp
-
memory/4064-168-0x00000000062E0000-0x0000000006302000-memory.dmpFilesize
136KB
-
memory/4064-167-0x0000000000470000-0x00000000004BA000-memory.dmpFilesize
296KB
-
memory/4064-163-0x0000000000000000-mapping.dmp
-
memory/4220-185-0x00000000039E0000-0x0000000003B20000-memory.dmpFilesize
1.2MB
-
memory/4220-184-0x00000000039E0000-0x0000000003B20000-memory.dmpFilesize
1.2MB
-
memory/4220-183-0x0000000002F20000-0x00000000039D2000-memory.dmpFilesize
10.7MB
-
memory/4220-197-0x0000000000C00000-0x0000000001592000-memory.dmpFilesize
9.6MB
-
memory/4220-198-0x0000000002F20000-0x00000000039D2000-memory.dmpFilesize
10.7MB
-
memory/4220-199-0x0000000002F20000-0x00000000039D2000-memory.dmpFilesize
10.7MB
-
memory/4220-182-0x0000000000000000-mapping.dmp
-
memory/4372-156-0x0000000000000000-mapping.dmp
-
memory/4400-159-0x0000000000000000-mapping.dmp