Analysis
-
max time kernel
74s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
08-01-2023 17:12
General
-
Target
file.exe
-
Size
378KB
-
MD5
d04f810bfbbe317de56b3312dbf9a82d
-
SHA1
acdab704ca02ce5c466b2586e101002d319c8ba6
-
SHA256
723f833a06244d7601591949fae724e0176ca30ae9582f86848d20ffe0e33b77
-
SHA512
22865b8dbd84fd905f770f81afa63ac730f5c4dcb73a825cb595d3a9abb7bd07974a778eccc0fc5a2593e523c39a6bb679c3420b817b3d831e9c3dceefe5698c
-
SSDEEP
6144:HCLkrJ7DaNcv+6vZQVu/1bDD1NhEXJXydSoOuNl:HCgN7DaN0bvWE1bDThEXJXyzJl
Score
10/10
Malware Config
Extracted
Family
vidar
Version
1.8
Botnet
24
C2
https://t.me/year2023start
https://steamcommunity.com/profiles/76561199467421923
Attributes
-
profile_id
24
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\96440751719548940061.exe"C:\ProgramData\96440751719548940061.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\838218529-aoz988JA16Qh6yGQ.exe"C:\Users\Admin\AppData\Local\Temp\838218529-aoz988JA16Qh6yGQ.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAHQAbwBCAFUAVgBlAFIAQQBSAGsATgBKAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGMARAByAHgAaABJAEIASwB0AFUAYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAWABhAFcAYwB2AGUAcgB5AE0AWgBmAGcAQwBzACMAPgAgAEAAKAAgADwAIwBzAEIARwBvAFUAdgBrAEkATgBKAEwAeQBUAE0AVQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMASgBPAEMAdQBFAFAAbQB5AGYAWQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAVABVAEMAcQBwAHAAWQB4AGcAbgBTAHgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbgBzAGQAbQBYAEkAZQBCAFQAUwBTAGYAIwA+AA=="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHQAbwBCAFUAVgBlAFIAQQBSAGsATgBKAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGMARAByAHgAaABJAEIASwB0AFUAYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAWABhAFcAYwB2AGUAcgB5AE0AWgBmAGcAQwBzACMAPgAgAEAAKAAgADwAIwBzAEIARwBvAFUAdgBrAEkATgBKAEwAeQBUAE0AVQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMASgBPAEMAdQBFAFAAbQB5AGYAWQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAVABVAEMAcQBwAHAAWQB4AGcAbgBTAHgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbgBzAGQAbQBYAEkAZQBCAFQAUwBTAGYAIwA+AA=="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk885" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk885" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk435" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk435" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk461" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk461" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk704" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk704" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk556" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk556" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f4⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /hibernate off5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 19722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4824 -ip 48241⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\96440751719548940061.exeFilesize
1.2MB
MD58ae394f52d9643999fe1014ff320cac6
SHA17fd97efe4be7548836d8957b7c04092511ed50b4
SHA256f6aeb68b5ffe48020a64d635df719226ff3436a2dbe6ec6b41896567124fa321
SHA51291cc2fc3bb15acd66beec436059ba2a4d2bc48caa01f36300b3b6a4675bc78e7ae4995408be113d8a9c736bb19a9c1b9bb971f370fe1e7751adfa152b2029e41
-
C:\ProgramData\96440751719548940061.exeFilesize
1.2MB
MD58ae394f52d9643999fe1014ff320cac6
SHA17fd97efe4be7548836d8957b7c04092511ed50b4
SHA256f6aeb68b5ffe48020a64d635df719226ff3436a2dbe6ec6b41896567124fa321
SHA51291cc2fc3bb15acd66beec436059ba2a4d2bc48caa01f36300b3b6a4675bc78e7ae4995408be113d8a9c736bb19a9c1b9bb971f370fe1e7751adfa152b2029e41
-
C:\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\Local\Temp\838218529-aoz988JA16Qh6yGQ.exeFilesize
450KB
MD5bcf5daf269504eaab30f32522f43225a
SHA1c83c1aea9420d57a49ab11f1bc686dce2e5dbf19
SHA2569340663fec2d743c36ed12f4bbb9b58176f21975e01d5aee4ca04062d3612445
SHA5120167fb70270523e7ad5e779f9906d5ad5cbfe5ccb24e791ded05e2209881b49327dc07f62cfd3e61285ed071c110d7df6bb88a7e41214e39b12f32f8291a396c
-
C:\Users\Admin\AppData\Local\Temp\838218529-aoz988JA16Qh6yGQ.exeFilesize
450KB
MD5bcf5daf269504eaab30f32522f43225a
SHA1c83c1aea9420d57a49ab11f1bc686dce2e5dbf19
SHA2569340663fec2d743c36ed12f4bbb9b58176f21975e01d5aee4ca04062d3612445
SHA5120167fb70270523e7ad5e779f9906d5ad5cbfe5ccb24e791ded05e2209881b49327dc07f62cfd3e61285ed071c110d7df6bb88a7e41214e39b12f32f8291a396c
-
memory/376-193-0x0000000000000000-mapping.dmp
-
memory/696-191-0x0000000000000000-mapping.dmp
-
memory/1148-196-0x0000000000000000-mapping.dmp
-
memory/1420-194-0x0000000000000000-mapping.dmp
-
memory/1436-204-0x0000000000000000-mapping.dmp
-
memory/1556-210-0x0000000000000000-mapping.dmp
-
memory/1672-195-0x0000000000000000-mapping.dmp
-
memory/1912-164-0x0000000000000000-mapping.dmp
-
memory/1956-178-0x0000000004A00000-0x0000000004A22000-memory.dmpFilesize
136KB
-
memory/1956-176-0x0000000002500000-0x0000000002536000-memory.dmpFilesize
216KB
-
memory/1956-225-0x0000000007100000-0x0000000007108000-memory.dmpFilesize
32KB
-
memory/1956-219-0x0000000007420000-0x0000000007A9A000-memory.dmpFilesize
6.5MB
-
memory/1956-224-0x0000000007120000-0x000000000713A000-memory.dmpFilesize
104KB
-
memory/1956-220-0x0000000006DD0000-0x0000000006DEA000-memory.dmpFilesize
104KB
-
memory/1956-221-0x0000000006E40000-0x0000000006E4A000-memory.dmpFilesize
40KB
-
memory/1956-223-0x0000000007020000-0x000000000702E000-memory.dmpFilesize
56KB
-
memory/1956-222-0x0000000007060000-0x00000000070F6000-memory.dmpFilesize
600KB
-
memory/1956-213-0x000000006FA80000-0x000000006FACC000-memory.dmpFilesize
304KB
-
memory/1956-175-0x0000000000000000-mapping.dmp
-
memory/1956-215-0x0000000006080000-0x000000000609E000-memory.dmpFilesize
120KB
-
memory/1956-177-0x0000000004C20000-0x0000000005248000-memory.dmpFilesize
6.2MB
-
memory/1956-211-0x00000000060A0000-0x00000000060D2000-memory.dmpFilesize
200KB
-
memory/1956-179-0x0000000004BA0000-0x0000000004C06000-memory.dmpFilesize
408KB
-
memory/1956-180-0x0000000005AD0000-0x0000000005AEE000-memory.dmpFilesize
120KB
-
memory/2004-187-0x0000000000000000-mapping.dmp
-
memory/2184-217-0x0000000000000000-mapping.dmp
-
memory/2392-190-0x0000000000000000-mapping.dmp
-
memory/2408-209-0x0000000000000000-mapping.dmp
-
memory/2680-181-0x0000000000000000-mapping.dmp
-
memory/2684-192-0x0000000000000000-mapping.dmp
-
memory/2764-202-0x0000000000000000-mapping.dmp
-
memory/3192-197-0x0000000000000000-mapping.dmp
-
memory/3416-173-0x0000000009F10000-0x0000000009F76000-memory.dmpFilesize
408KB
-
memory/3416-172-0x0000000006F40000-0x0000000006F4A000-memory.dmpFilesize
40KB
-
memory/3416-171-0x0000000006F70000-0x0000000007002000-memory.dmpFilesize
584KB
-
memory/3416-170-0x0000000007480000-0x0000000007A24000-memory.dmpFilesize
5.6MB
-
memory/3416-169-0x0000000000190000-0x0000000000206000-memory.dmpFilesize
472KB
-
memory/3416-166-0x0000000000000000-mapping.dmp
-
memory/3452-185-0x0000000000000000-mapping.dmp
-
memory/3468-200-0x0000000000000000-mapping.dmp
-
memory/3504-184-0x0000000000000000-mapping.dmp
-
memory/3904-206-0x0000000000000000-mapping.dmp
-
memory/3924-207-0x0000000000000000-mapping.dmp
-
memory/3992-188-0x0000000000000000-mapping.dmp
-
memory/4084-186-0x0000000000000000-mapping.dmp
-
memory/4152-174-0x0000000000000000-mapping.dmp
-
memory/4212-218-0x0000000000000000-mapping.dmp
-
memory/4248-205-0x0000000000000000-mapping.dmp
-
memory/4252-208-0x0000000000000000-mapping.dmp
-
memory/4336-212-0x0000000000000000-mapping.dmp
-
memory/4364-163-0x0000000000000000-mapping.dmp
-
memory/4512-199-0x0000000000000000-mapping.dmp
-
memory/4524-201-0x0000000000000000-mapping.dmp
-
memory/4564-214-0x0000000000000000-mapping.dmp
-
memory/4608-203-0x0000000000000000-mapping.dmp
-
memory/4740-216-0x0000000000000000-mapping.dmp
-
memory/4824-133-0x0000000002BD0000-0x0000000002CD0000-memory.dmpFilesize
1024KB
-
memory/4824-134-0x0000000004930000-0x000000000497C000-memory.dmpFilesize
304KB
-
memory/4824-135-0x0000000000400000-0x0000000002BC7000-memory.dmpFilesize
39.8MB
-
memory/4824-136-0x0000000053510000-0x00000000535A2000-memory.dmpFilesize
584KB
-
memory/4824-165-0x0000000000400000-0x0000000002BC7000-memory.dmpFilesize
39.8MB
-
memory/4824-157-0x0000000002BD0000-0x0000000002CD0000-memory.dmpFilesize
1024KB
-
memory/4824-158-0x0000000000400000-0x0000000002BC7000-memory.dmpFilesize
39.8MB
-
memory/4916-159-0x0000000000000000-mapping.dmp
-
memory/4916-162-0x0000000000E00000-0x0000000000F3A000-memory.dmpFilesize
1.2MB
-
memory/4960-189-0x0000000000000000-mapping.dmp
-
memory/5004-182-0x0000000000000000-mapping.dmp
-
memory/5008-183-0x0000000000000000-mapping.dmp
-
memory/5096-198-0x0000000000000000-mapping.dmp