Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-10-2022 17:49
General
-
Target
ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
-
Size
256KB
-
MD5
d45fa028f9141e8b0fe96fddba13a32a
-
SHA1
bf326d0329004cefa76bfba25e1dc1f4e6c0c0b2
-
SHA256
ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6
-
SHA512
db9ddaa63dd476a502db47fdd219cbf464c48e948430a59475044e7736dcd84a52e543d23413ed10275b6de24e2547cf2d408eee2cec506ebf64d0f70163ffe0
-
SSDEEP
3072:PXVFAbCILiSnyOUVjfc8Rmo8L7C9KkOme9OcScJ1y1bF4u7:/LaRLtvUVjfczAxvUccJ1y1x4g
Malware Config
Extracted
danabot
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
-
embedded_hash
569235DCA8F16ED8310BBACCB674F896
-
type
loader
Extracted
vidar
55.2
937
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
937
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 46 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe"C:\Users\Admin\AppData\Local\Temp\ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CB.exeC:\Users\Admin\AppData\Local\Temp\CB.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\agentactivationruntimestarter.exeC:\Windows\system32\agentactivationruntimestarter.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 6522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 10482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 10562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 11322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 11202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 11122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 11362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 10362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 14282⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x300 0x4641⤵
-
C:\Users\Admin\AppData\Local\Temp\A23C.exeC:\Users\Admin\AppData\Local\Temp\A23C.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\19299745477717757255.exe"C:\ProgramData\19299745477717757255.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.bat" "3⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Steam.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A23C.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 19562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4912 -ip 49121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2304 -ip 23041⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2304 -ip 23041⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\19299745477717757255.exeFilesize
389KB
MD55ec52400b61c5b586e24a85fa0a2318f
SHA1579d8cfcf508c81e6e45e47186f33221d47563f3
SHA25626f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd
SHA512b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b
-
C:\ProgramData\19299745477717757255.exeFilesize
389KB
MD55ec52400b61c5b586e24a85fa0a2318f
SHA1579d8cfcf508c81e6e45e47186f33221d47563f3
SHA25626f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd
SHA512b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\sqlite3.dllFilesize
1.1MB
MD51f44d4d3087c2b202cf9c90ee9d04b0f
SHA1106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA2564841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exeFilesize
275KB
MD5119ee6d6dcfa21f32dd9db95b365f256
SHA142d7f74eab4682928b03e577e2f5b9e6a2d95356
SHA256ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146
SHA512cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exeFilesize
275KB
MD5119ee6d6dcfa21f32dd9db95b365f256
SHA142d7f74eab4682928b03e577e2f5b9e6a2d95356
SHA256ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146
SHA512cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.batFilesize
475B
MD5979e62632d7fcd1c5f022d524dac901a
SHA10335075559e0e2b3d095920eae545a635fb1f61e
SHA2566f90b594a016a0814d30cbb0aa665ebede4b710927efd5ef96ec518088b1e553
SHA512dad192359ffc7f42d832b0e841553b9342293705db0adefa19edf6c47953bb61a0787cf2f7e0022ee52c5fab3571af7c2167e25ca93903c33693f825c07b961d
-
C:\Users\Admin\AppData\Local\Temp\A23C.exeFilesize
343KB
MD5ba97a8ba982684ffd26140b002fcf5f6
SHA18d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7
SHA256a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b
SHA51227823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f
-
C:\Users\Admin\AppData\Local\Temp\A23C.exeFilesize
343KB
MD5ba97a8ba982684ffd26140b002fcf5f6
SHA18d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7
SHA256a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b
SHA51227823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f
-
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.logFilesize
1KB
MD5f100bb8b2cb884eaeb980fec005fda2a
SHA135b381fb5f67e27d337a9be9a9a80f99a62ade7b
SHA256ab5bbad92eb5b118a83152c34f7d011cd7ebd55e0774e7649b5bd6084c6bb807
SHA512f199706af09ab1ec2fd2e1a23055f1d898271bb27ef067b992dece2677e74854023188a7c7c2f8836e7f64854b0bc6b190684b300f0da973d8bd96c3497346b2
-
C:\Users\Admin\AppData\Local\Temp\CB.exeFilesize
8.4MB
MD5f918ede92fd01b0f8d9370b98c7c63bc
SHA189c0440dfaa5ce9506a3151c1a9e94ef0dbc374a
SHA256f8d1cf7824eeada220b0557cfcd4ad773fe08d54a42f74befdfb7fb379eecca8
SHA51237de27f2194498a7bef0ccc7a5580001c8af21fb1fdabab131b8af26576e574ab23ea08da341d69ff2529303e39227c755db99f8957db4dbeaec9a906c963053
-
C:\Users\Admin\AppData\Local\Temp\CB.exeFilesize
8.4MB
MD5f918ede92fd01b0f8d9370b98c7c63bc
SHA189c0440dfaa5ce9506a3151c1a9e94ef0dbc374a
SHA256f8d1cf7824eeada220b0557cfcd4ad773fe08d54a42f74befdfb7fb379eecca8
SHA51237de27f2194498a7bef0ccc7a5580001c8af21fb1fdabab131b8af26576e574ab23ea08da341d69ff2529303e39227c755db99f8957db4dbeaec9a906c963053
-
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_191749306.htmlFilesize
94KB
MD5da6b45af25ddc7d9a34a5a425b253bb2
SHA1b94cc8311d176c735ef39586086ba5293808c3a9
SHA256fe6525b8436cfb0df02ae2cd7e7054bd706b3fa6f68ba4ded69308ed0bbfc350
SHA5126a56d232768ad1f999bea5c61c58561e870c26c5de539d73e84984c0a806093251d060a359c55de71f46442f0752e96f6375ac8d8a79d7f957486c1e0e4c6e23
-
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmpFilesize
3.3MB
MD513d0ff809f24a408728fd6fe00241020
SHA1fde8484da982eceb86cf6959460ffc4ce33271a9
SHA256db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520
SHA51238dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768
-
C:\Users\Admin\AppData\Local\Temp\TMKNGOMU-20220812-1924.logFilesize
56KB
MD5942061e415bb8ead9b5a5218d5c14343
SHA16017ef310882921100fa81965ff75e420200507d
SHA2561226acee43898580e53859127ed657800319973cb60df51155e5c8a7ce45e895
SHA512b0a93f95992a6389ba9913d8ca29aaba421f25aea2463244468f3279185f88dddd3db4ecc9d58e4c73ac9901465548df24150978f3bc8a943376a176f605cddd
-
C:\Users\Admin\AppData\Local\Temp\wct168.tmpFilesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c
-
C:\Users\Admin\AppData\Local\Temp\wct1F1D.tmpFilesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c
-
C:\Users\Admin\AppData\Local\Temp\wct5D7C.tmpFilesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.logFilesize
697B
MD597135e1ef652cacbca26f832ec7c2ee2
SHA1b2691d8e35a78fa4bbf86a480638da8f48b169aa
SHA2563b113453a1a98b0d6b6e07bd35eca1f0a1992f2c2d69ab22c80ae54d194bc9dd
SHA512fd3180cac2443538ea32868fe5169148554923cae0e296a0863c46dfa5326495b8dc75a0b0fb52639149f38c01cd569b340db9956ba96159c825124cb23633a5
-
memory/544-157-0x0000000000000000-mapping.dmp
-
memory/1424-167-0x0000000000FB0000-0x0000000000FFA000-memory.dmpFilesize
296KB
-
memory/1424-168-0x0000000006D20000-0x0000000006D42000-memory.dmpFilesize
136KB
-
memory/1424-163-0x0000000000000000-mapping.dmp
-
memory/1800-153-0x0000000000000000-mapping.dmp
-
memory/2304-180-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-178-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-198-0x00000000072A0000-0x0000000007D52000-memory.dmpFilesize
10.7MB
-
memory/2304-136-0x0000000000000000-mapping.dmp
-
memory/2304-140-0x0000000003908000-0x0000000004143000-memory.dmpFilesize
8.2MB
-
memory/2304-141-0x00000000058F0000-0x00000000062C6000-memory.dmpFilesize
9.8MB
-
memory/2304-142-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2304-184-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2304-181-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-179-0x00000000072A0000-0x0000000007D52000-memory.dmpFilesize
10.7MB
-
memory/2304-177-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-143-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2304-169-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2304-170-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2304-171-0x00000000072A0000-0x0000000007D52000-memory.dmpFilesize
10.7MB
-
memory/2304-172-0x00000000072A0000-0x0000000007D52000-memory.dmpFilesize
10.7MB
-
memory/2304-173-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-174-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-175-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/2304-176-0x0000000007F00000-0x0000000008040000-memory.dmpFilesize
1.2MB
-
memory/3580-158-0x0000000000000000-mapping.dmp
-
memory/3740-139-0x0000000000000000-mapping.dmp
-
memory/3940-161-0x0000000000000000-mapping.dmp
-
memory/4128-156-0x0000000000000000-mapping.dmp
-
memory/4828-132-0x0000000002C72000-0x0000000002C88000-memory.dmpFilesize
88KB
-
memory/4828-133-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/4828-134-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4828-135-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4912-144-0x0000000000000000-mapping.dmp
-
memory/4912-147-0x0000000002C93000-0x0000000002CBF000-memory.dmpFilesize
176KB
-
memory/4912-148-0x00000000048A0000-0x00000000048E9000-memory.dmpFilesize
292KB
-
memory/4912-149-0x0000000000400000-0x0000000002C44000-memory.dmpFilesize
40.3MB
-
memory/4912-162-0x0000000002C93000-0x0000000002CBF000-memory.dmpFilesize
176KB
-
memory/4912-166-0x0000000000400000-0x0000000002C44000-memory.dmpFilesize
40.3MB
-
memory/4956-160-0x0000000000000000-mapping.dmp
-
memory/5036-182-0x0000000000000000-mapping.dmp
-
memory/5036-189-0x00000000034C0000-0x0000000003F72000-memory.dmpFilesize
10.7MB
-
memory/5036-185-0x0000000001080000-0x0000000001A12000-memory.dmpFilesize
9.6MB
-
memory/5036-187-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5036-186-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5036-197-0x00000000034C0000-0x0000000003F72000-memory.dmpFilesize
10.7MB
-
memory/5036-183-0x00000000034C0000-0x0000000003F72000-memory.dmpFilesize
10.7MB