Analysis
-
max time kernel
146s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-07-2021 00:57
Static task
static1
Behavioral task
behavioral1
Sample
e6b7419ef5704c67f35d42beeeba83ba.exe
Resource
win7v20210410
General
-
Target
e6b7419ef5704c67f35d42beeeba83ba.exe
-
Size
1.1MB
-
MD5
e6b7419ef5704c67f35d42beeeba83ba
-
SHA1
feedc1394fa98c479c41fc1211c530f3201fde06
-
SHA256
7a79e2248392fa193b734c9442588144434853006dd6b54545ab3e4ef7971cba
-
SHA512
0807f5e4691cddb6a44c4f231a084857919a223c98fee3f7441f9be35e9eab6597077114eff067508c9b615aed006a155ac6a124d44fc436a52ec770d040a0b1
Malware Config
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEflow pid process 14 3720 rundll32.exe 15 2680 RUNDLL32.EXE -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 3720 rundll32.exe 3720 rundll32.exe 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
RUNDLL32.EXEdescription pid process target process PID 2680 set thread context of 1220 2680 RUNDLL32.EXE rundll32.exe -
Drops file in Program Files directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE -
Processes:
RUNDLL32.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4DCB91123D996BFCBE5FD7703A8A14A09C14BB36 RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4DCB91123D996BFCBE5FD7703A8A14A09C14BB36\Blob = 0300000001000000140000004dcb91123d996bfcbe5fd7703a8a14a09c14bb362000000001000000c3020000308202bf30820228a0030201020208433997ef63a2a031300d06092a864886f70d01010b050030793139303706035504030c3056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3139303732353032353435355a170d3233303732343032353435355a30793139303706035504030c3056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c39cb4e0113eb33f7b5c7dbb82aa9f01af82df07f448313fcfe4a79a0c26ebaf383170c97a4fbc1c2f5b2fd41ecdcd83c5978a14e31e87ca3fd652c8e87a9608762cd128eb531e8da9192584195fe0ebe6180a70bb4fc2b53829cae495c6a35c8fc2a8218ee4b30ad1203ba69767f1387f0680d34ccf694dbf0489c72704cae30203010001a350304e300f0603551d130101ff040530030101ff303b0603551d1104343032823056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010b0500038181004226ddbf375fd7afe6e272201e514a7f5282f9dc02a3dedb90c567738cb986bb7497deebb4b88e1e5d400a3b2a8ae9231cd9fc634ec8767cdafb1a25bc9331efc06871631b58b9d6541d15fe51d582274ca2f570799dc61e6e54b8336c2d6aaf5f2f3e03fbdb033d80dbf678a9f488c0b6e147f6d0bc038c59ae070e31fcce6a RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
RUNDLL32.EXEpowershell.exepowershell.exepid process 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 4088 powershell.exe 4088 powershell.exe 4088 powershell.exe 2680 RUNDLL32.EXE 2680 RUNDLL32.EXE 1808 powershell.exe 1808 powershell.exe 1808 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
RUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2680 RUNDLL32.EXE Token: SeDebugPrivilege 4088 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 2680 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
e6b7419ef5704c67f35d42beeeba83ba.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 528 wrote to memory of 3720 528 e6b7419ef5704c67f35d42beeeba83ba.exe rundll32.exe PID 528 wrote to memory of 3720 528 e6b7419ef5704c67f35d42beeeba83ba.exe rundll32.exe PID 528 wrote to memory of 3720 528 e6b7419ef5704c67f35d42beeeba83ba.exe rundll32.exe PID 3720 wrote to memory of 2680 3720 rundll32.exe RUNDLL32.EXE PID 3720 wrote to memory of 2680 3720 rundll32.exe RUNDLL32.EXE PID 3720 wrote to memory of 2680 3720 rundll32.exe RUNDLL32.EXE PID 2680 wrote to memory of 1220 2680 RUNDLL32.EXE rundll32.exe PID 2680 wrote to memory of 1220 2680 RUNDLL32.EXE rundll32.exe PID 2680 wrote to memory of 1220 2680 RUNDLL32.EXE rundll32.exe PID 2680 wrote to memory of 4088 2680 RUNDLL32.EXE powershell.exe PID 2680 wrote to memory of 4088 2680 RUNDLL32.EXE powershell.exe PID 2680 wrote to memory of 4088 2680 RUNDLL32.EXE powershell.exe PID 2680 wrote to memory of 1808 2680 RUNDLL32.EXE powershell.exe PID 2680 wrote to memory of 1808 2680 RUNDLL32.EXE powershell.exe PID 2680 wrote to memory of 1808 2680 RUNDLL32.EXE powershell.exe PID 1808 wrote to memory of 2292 1808 powershell.exe nslookup.exe PID 1808 wrote to memory of 2292 1808 powershell.exe nslookup.exe PID 1808 wrote to memory of 2292 1808 powershell.exe nslookup.exe PID 2680 wrote to memory of 3988 2680 RUNDLL32.EXE schtasks.exe PID 2680 wrote to memory of 3988 2680 RUNDLL32.EXE schtasks.exe PID 2680 wrote to memory of 3988 2680 RUNDLL32.EXE schtasks.exe PID 2680 wrote to memory of 3308 2680 RUNDLL32.EXE schtasks.exe PID 2680 wrote to memory of 3308 2680 RUNDLL32.EXE schtasks.exe PID 2680 wrote to memory of 3308 2680 RUNDLL32.EXE schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6b7419ef5704c67f35d42beeeba83ba.exe"C:\Users\Admin\AppData\Local\Temp\e6b7419ef5704c67f35d42beeeba83ba.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMP,S C:\Users\Admin\AppData\Local\Temp\E6B741~1.EXE2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMP,GxsANjEzM1k=3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 178944⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA086.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC4AA.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmpMD5
26af65cbb11480fa1e5ce0b232dd1dfb
SHA1fa17c2c3f417d80dfed9a153b20b61a595046748
SHA25663ac430b3c16751c4f3d083243f13f350783196f1e108ff6c3c235b3deb3dae8
SHA512b0be9f589d61e5eea42ef98ade61f445017d5d2914ba081544616eda59294d4aaccb6c180a456986d6bd9ed897fc598dd8605f23a8c2267165590422d34f725c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1f8546f6b0896a1567c5e1e6602ccdaa
SHA1c89dbb35a6d98fbf1855b388e5fd0ea4b9d10eb6
SHA2568971de44123cbb4606bf8a9d8ce45e44ac50bf0c1c408ad6a8f602fd91c2dadc
SHA512a5bfe4c9a626a9039674766e52ef6c3311e405cbcafe01f1a4d517836d84f50ff92b6b225a5da88deb9a4be01f228de81053159a1306538e3110c32f226bda00
-
C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMPMD5
02e6a2ff71d8467f7d4113a20a66a039
SHA180c16bbcc268ee67bc149d2fd8c270eda9c1ecda
SHA256d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443
SHA512030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae
-
C:\Users\Admin\AppData\Local\Temp\tmpA086.tmp.ps1MD5
fe42335d1ef34781f9182e6b7477fe81
SHA1db6b9bd4170d99237b023f94330195e11c12b40e
SHA25697b647963bcd2d6a9a095ea1af3cb3e0f8ed0fb3c40ca3a95f8001b3e3a0ad59
SHA5120bd83473a194381bc6fec7707f5b3ba4b0d76e5daff63dd0298a1d450f07915c9bfe3a83aaeab6a98ed7cac5090076df4a2141dc41e1808e4161188b60ddfb74
-
C:\Users\Admin\AppData\Local\Temp\tmpA087.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\tmpC4AA.tmp.ps1MD5
e58e6b54a5b4c3de1e574cc0f89bde30
SHA15e76df17e633dc711888fcdc6dfb0d3c6e236ed6
SHA256a0eb419ab56e073dc689ef0b4506c5d949dfc5727688363d84fa53cbbdca34a3
SHA5122b84af944ec9880457bef4127014249770d361f0b5e20aaae4347fed4278ca4a4c60817b3bdc5a175a2288403b956533ba39d937ba5d84623eb4378aef2e602a
-
C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmpMD5
1860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
\Users\Admin\AppData\Local\Temp\E6B741~1.TMPMD5
02e6a2ff71d8467f7d4113a20a66a039
SHA180c16bbcc268ee67bc149d2fd8c270eda9c1ecda
SHA256d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443
SHA512030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae
-
\Users\Admin\AppData\Local\Temp\E6B741~1.TMPMD5
02e6a2ff71d8467f7d4113a20a66a039
SHA180c16bbcc268ee67bc149d2fd8c270eda9c1ecda
SHA256d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443
SHA512030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae
-
\Users\Admin\AppData\Local\Temp\E6B741~1.TMPMD5
02e6a2ff71d8467f7d4113a20a66a039
SHA180c16bbcc268ee67bc149d2fd8c270eda9c1ecda
SHA256d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443
SHA512030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae
-
\Users\Admin\AppData\Local\Temp\E6B741~1.TMPMD5
02e6a2ff71d8467f7d4113a20a66a039
SHA180c16bbcc268ee67bc149d2fd8c270eda9c1ecda
SHA256d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443
SHA512030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae
-
memory/528-115-0x00000000028D0000-0x00000000029CF000-memory.dmpFilesize
1020KB
-
memory/528-116-0x0000000000400000-0x000000000097F000-memory.dmpFilesize
5.5MB
-
memory/1220-145-0x0000014D5EF50000-0x0000014D5F101000-memory.dmpFilesize
1.7MB
-
memory/1220-144-0x0000000000BB0000-0x0000000000D50000-memory.dmpFilesize
1.6MB
-
memory/1220-140-0x00007FF6529D5FD0-mapping.dmp
-
memory/1808-199-0x0000000004E93000-0x0000000004E94000-memory.dmpFilesize
4KB
-
memory/1808-184-0x0000000008BD0000-0x0000000008BD1000-memory.dmpFilesize
4KB
-
memory/1808-185-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/1808-181-0x00000000081F0000-0x00000000081F1000-memory.dmpFilesize
4KB
-
memory/1808-172-0x0000000000000000-mapping.dmp
-
memory/1808-186-0x0000000004E92000-0x0000000004E93000-memory.dmpFilesize
4KB
-
memory/2292-195-0x0000000000000000-mapping.dmp
-
memory/2680-133-0x0000000005E90000-0x0000000005E91000-memory.dmpFilesize
4KB
-
memory/2680-143-0x0000000005FB0000-0x0000000005FB1000-memory.dmpFilesize
4KB
-
memory/2680-127-0x0000000000000000-mapping.dmp
-
memory/2680-130-0x0000000000EE0000-0x000000000103D000-memory.dmpFilesize
1.4MB
-
memory/2680-139-0x0000000004AA0000-0x0000000005D36000-memory.dmpFilesize
18.6MB
-
memory/3308-200-0x0000000000000000-mapping.dmp
-
memory/3720-120-0x00000000010B0000-0x000000000115E000-memory.dmpFilesize
696KB
-
memory/3720-121-0x0000000005C60000-0x0000000005C61000-memory.dmpFilesize
4KB
-
memory/3720-132-0x0000000004730000-0x00000000059C6000-memory.dmpFilesize
18.6MB
-
memory/3720-114-0x0000000000000000-mapping.dmp
-
memory/3988-198-0x0000000000000000-mapping.dmp
-
memory/4088-159-0x0000000008070000-0x0000000008071000-memory.dmpFilesize
4KB
-
memory/4088-161-0x0000000006BE0000-0x0000000006BE1000-memory.dmpFilesize
4KB
-
memory/4088-169-0x0000000001213000-0x0000000001214000-memory.dmpFilesize
4KB
-
memory/4088-151-0x00000000070F0000-0x00000000070F1000-memory.dmpFilesize
4KB
-
memory/4088-150-0x00000000010C0000-0x00000000010C1000-memory.dmpFilesize
4KB
-
memory/4088-149-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/4088-146-0x0000000000000000-mapping.dmp
-
memory/4088-167-0x0000000008D90000-0x0000000008D91000-memory.dmpFilesize
4KB
-
memory/4088-166-0x0000000009810000-0x0000000009811000-memory.dmpFilesize
4KB
-
memory/4088-168-0x0000000008190000-0x0000000008191000-memory.dmpFilesize
4KB
-
memory/4088-152-0x0000000001212000-0x0000000001213000-memory.dmpFilesize
4KB
-
memory/4088-153-0x0000000006E90000-0x0000000006E91000-memory.dmpFilesize
4KB
-
memory/4088-158-0x0000000008250000-0x0000000008251000-memory.dmpFilesize
4KB
-
memory/4088-157-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/4088-156-0x0000000007970000-0x0000000007971000-memory.dmpFilesize
4KB
-
memory/4088-155-0x0000000007900000-0x0000000007901000-memory.dmpFilesize
4KB
-
memory/4088-154-0x0000000007790000-0x0000000007791000-memory.dmpFilesize
4KB