Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
25-07-2021 06:27
Static task
static1
Behavioral task
behavioral1
Sample
ab4cf6181cfb102ec86c66d56af2d229.exe
Resource
win7v20210410
General
-
Target
ab4cf6181cfb102ec86c66d56af2d229.exe
-
Size
1.1MB
-
MD5
ab4cf6181cfb102ec86c66d56af2d229
-
SHA1
ac756cbff2887e804e9957898b0d6450a33a0aa1
-
SHA256
f7c566ca7413a1259a7bcc120bc431a5ad129438b1e8b9b51c398d5eecfc51a5
-
SHA512
dec2910e395b1714966c85741f1062f6a4b62a9a1ab3f8f92c573a2b44a49ced2a963f383247b871eb90ec7cc795a4226dc0944b8bce3e74bb3f5bd2024b0a2f
Malware Config
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEflow pid process 14 2004 rundll32.exe 15 2352 RUNDLL32.EXE -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 2004 rundll32.exe 2004 rundll32.exe 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
RUNDLL32.EXEdescription pid process target process PID 2352 set thread context of 2108 2352 RUNDLL32.EXE rundll32.exe -
Drops file in Program Files directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE -
Processes:
RUNDLL32.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C0A0DA32F87DAC968C8D11C980D3E338068CA9C4 RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C0A0DA32F87DAC968C8D11C980D3E338068CA9C4\Blob = 030000000100000014000000c0a0da32f87dac968c8d11c980d3e338068ca9c42000000001000000b3020000308202af30820218a003020102020829c0d7236b15420d300d06092a864886f70d01010b050030743133303106035504030c2a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3139303732363038323530375a170d3233303732353038323530375a30743133303106035504030c2a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100b746128a1496d434a06403664c8ca81c8da4e4dc8f54aee6cdae38c854df3970f96da107796af9f06ed42fa90c891da5911981ef3747a8d905992d2f86dc6b563b50c87d8ad6e2c8e402437f13c4b6a4e09a55b76d1d759097cc9f6bb55ee8d9e7717a16cc87255ea58e2aa840dfb46431b7d8bd483e661e1b7aa39182ba42d30203010001a34a3048300f0603551d130101ff040530030101ff30350603551d11042e302c822a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131300d06092a864886f70d01010b05000381810079da4660fb2301cc5cdd78719c861feeebf9b43cd79fbe67068b643f39ab43300bf201410abfc6eb8493dd8a3c96bcf535d65fdbe74a0eede82b1145ae2a51e44735916460bbc8221ef7813fbb13cdfea0f32af42ae49bb71a95e4b59c8908681e970bbf8e84f95ceaac001c9021345879aaf3e233c545b6f8bb6fc5f22ee446 RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
RUNDLL32.EXEpowershell.exepowershell.exepid process 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 3376 powershell.exe 3376 powershell.exe 3376 powershell.exe 2352 RUNDLL32.EXE 2352 RUNDLL32.EXE 192 powershell.exe 192 powershell.exe 192 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
RUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2352 RUNDLL32.EXE Token: SeDebugPrivilege 3376 powershell.exe Token: SeDebugPrivilege 192 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 2352 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
ab4cf6181cfb102ec86c66d56af2d229.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 632 wrote to memory of 2004 632 ab4cf6181cfb102ec86c66d56af2d229.exe rundll32.exe PID 632 wrote to memory of 2004 632 ab4cf6181cfb102ec86c66d56af2d229.exe rundll32.exe PID 632 wrote to memory of 2004 632 ab4cf6181cfb102ec86c66d56af2d229.exe rundll32.exe PID 2004 wrote to memory of 2352 2004 rundll32.exe RUNDLL32.EXE PID 2004 wrote to memory of 2352 2004 rundll32.exe RUNDLL32.EXE PID 2004 wrote to memory of 2352 2004 rundll32.exe RUNDLL32.EXE PID 2352 wrote to memory of 2108 2352 RUNDLL32.EXE rundll32.exe PID 2352 wrote to memory of 2108 2352 RUNDLL32.EXE rundll32.exe PID 2352 wrote to memory of 2108 2352 RUNDLL32.EXE rundll32.exe PID 2352 wrote to memory of 3376 2352 RUNDLL32.EXE powershell.exe PID 2352 wrote to memory of 3376 2352 RUNDLL32.EXE powershell.exe PID 2352 wrote to memory of 3376 2352 RUNDLL32.EXE powershell.exe PID 2352 wrote to memory of 192 2352 RUNDLL32.EXE powershell.exe PID 2352 wrote to memory of 192 2352 RUNDLL32.EXE powershell.exe PID 2352 wrote to memory of 192 2352 RUNDLL32.EXE powershell.exe PID 192 wrote to memory of 2520 192 powershell.exe nslookup.exe PID 192 wrote to memory of 2520 192 powershell.exe nslookup.exe PID 192 wrote to memory of 2520 192 powershell.exe nslookup.exe PID 2352 wrote to memory of 2940 2352 RUNDLL32.EXE schtasks.exe PID 2352 wrote to memory of 2940 2352 RUNDLL32.EXE schtasks.exe PID 2352 wrote to memory of 2940 2352 RUNDLL32.EXE schtasks.exe PID 2352 wrote to memory of 1944 2352 RUNDLL32.EXE schtasks.exe PID 2352 wrote to memory of 1944 2352 RUNDLL32.EXE schtasks.exe PID 2352 wrote to memory of 1944 2352 RUNDLL32.EXE schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe"C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP,S C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.EXE2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP,MhkZMWM0UQ==3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 178944⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFB87.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1868.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmpMD5
d0567b9d156180c0703d7b867533bf55
SHA1ddbaaff7a55fde4be5c3cd2b5ceb9e49535a4702
SHA2565406a5325a4764b5e8772de776c3269b880c59cbd66f4a6682620fc675722a21
SHA5127e6eb445c2c8a76d584183a8c4c1c193028a58634415fc2d4f9b53a1f585a3daa254fb0fe71522f4cc2098da201c4c29a062eab6cc6f330b52a69f4df22b806a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dd3a177126997efa7bde22fdde8e1c4b
SHA124374f852aeb93e288e270c763ad64b8276c95e5
SHA256b30386a450ac35cdc5d55fe9f65c15534ec0873a611b51ddcbebf5ce89055140
SHA512e63a65f741eaf09e80fd529c3655eeadd8afedd38ccaf0ef58feccd1bbffc050ef90ebd7911092022fcbd166342806b4b9c75dcc3de01cf69f4585b69adc8965
-
C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMPMD5
279fd5be1ef6f78dceaea9160797d3ca
SHA102d83bb9752b2f9cb205fbba5ef084069204ce5c
SHA25679e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477
SHA5129459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216
-
C:\Users\Admin\AppData\Local\Temp\tmp1868.tmp.ps1MD5
57904d9aed1c4e5d6ab87cf548a26a64
SHA1d4fb29ae58a8db1a314de953fb43acfa437472b8
SHA256858806b623d778188f4ddc05ef0466bed0382891cc60169294f4d6230cb6e923
SHA512b9fd8ef6d0aec7e4c18185684172f1c0e0f7b9c7999c5d159015aff6af43673c4eeab9d1150e9176e69b1f378a917441d5f5752be1f39cf7c56a6d9b0f275b3a
-
C:\Users\Admin\AppData\Local\Temp\tmp1869.tmpMD5
1860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Local\Temp\tmpFB87.tmp.ps1MD5
d5cc27ffd4cbb3fc0f6b67022b10fa26
SHA1d585ca62a15178422f41b6655b181e7e16d40985
SHA25682986ff0a32f5bff878032beb2ba37f7ac04f2f95e8fec72b629c225ee780f48
SHA5123d025812a967e2f439869c31bcb5ec864739dcda1f78a56469aa26cb64f46105d12b1e4ed33e2d609c5fb6e34c6aec7cbc56a62ab108befa1f4db84f4a13830e
-
C:\Users\Admin\AppData\Local\Temp\tmpFB88.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMPMD5
279fd5be1ef6f78dceaea9160797d3ca
SHA102d83bb9752b2f9cb205fbba5ef084069204ce5c
SHA25679e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477
SHA5129459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216
-
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMPMD5
279fd5be1ef6f78dceaea9160797d3ca
SHA102d83bb9752b2f9cb205fbba5ef084069204ce5c
SHA25679e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477
SHA5129459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216
-
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMPMD5
279fd5be1ef6f78dceaea9160797d3ca
SHA102d83bb9752b2f9cb205fbba5ef084069204ce5c
SHA25679e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477
SHA5129459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216
-
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMPMD5
279fd5be1ef6f78dceaea9160797d3ca
SHA102d83bb9752b2f9cb205fbba5ef084069204ce5c
SHA25679e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477
SHA5129459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216
-
memory/192-172-0x0000000000000000-mapping.dmp
-
memory/192-198-0x0000000006573000-0x0000000006574000-memory.dmpFilesize
4KB
-
memory/192-181-0x0000000007650000-0x0000000007651000-memory.dmpFilesize
4KB
-
memory/192-184-0x0000000007DA0000-0x0000000007DA1000-memory.dmpFilesize
4KB
-
memory/192-188-0x0000000006572000-0x0000000006573000-memory.dmpFilesize
4KB
-
memory/192-187-0x0000000006570000-0x0000000006571000-memory.dmpFilesize
4KB
-
memory/632-114-0x0000000002730000-0x000000000282E000-memory.dmpFilesize
1016KB
-
memory/632-116-0x0000000000400000-0x0000000000982000-memory.dmpFilesize
5.5MB
-
memory/1944-200-0x0000000000000000-mapping.dmp
-
memory/2004-115-0x0000000000000000-mapping.dmp
-
memory/2004-132-0x0000000004810000-0x0000000005AA6000-memory.dmpFilesize
18.6MB
-
memory/2108-145-0x0000020DB6170000-0x0000020DB6321000-memory.dmpFilesize
1.7MB
-
memory/2108-144-0x0000000000DA0000-0x0000000000F40000-memory.dmpFilesize
1.6MB
-
memory/2108-140-0x00007FF6A7435FD0-mapping.dmp
-
memory/2352-139-0x0000000004810000-0x0000000005AA6000-memory.dmpFilesize
18.6MB
-
memory/2352-127-0x0000000000000000-mapping.dmp
-
memory/2352-130-0x0000000000C90000-0x0000000000DED000-memory.dmpFilesize
1.4MB
-
memory/2352-143-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/2520-195-0x0000000000000000-mapping.dmp
-
memory/2940-199-0x0000000000000000-mapping.dmp
-
memory/3376-154-0x0000000007650000-0x0000000007651000-memory.dmpFilesize
4KB
-
memory/3376-150-0x0000000006EB0000-0x0000000006EB1000-memory.dmpFilesize
4KB
-
memory/3376-156-0x00000000077A0000-0x00000000077A1000-memory.dmpFilesize
4KB
-
memory/3376-171-0x0000000004473000-0x0000000004474000-memory.dmpFilesize
4KB
-
memory/3376-155-0x0000000007730000-0x0000000007731000-memory.dmpFilesize
4KB
-
memory/3376-158-0x0000000007F90000-0x0000000007F91000-memory.dmpFilesize
4KB
-
memory/3376-153-0x0000000006D90000-0x0000000006D91000-memory.dmpFilesize
4KB
-
memory/3376-151-0x0000000004470000-0x0000000004471000-memory.dmpFilesize
4KB
-
memory/3376-152-0x0000000004472000-0x0000000004473000-memory.dmpFilesize
4KB
-
memory/3376-168-0x0000000008C30000-0x0000000008C31000-memory.dmpFilesize
4KB
-
memory/3376-149-0x0000000004340000-0x0000000004341000-memory.dmpFilesize
4KB
-
memory/3376-146-0x0000000000000000-mapping.dmp
-
memory/3376-167-0x0000000008B90000-0x0000000008B91000-memory.dmpFilesize
4KB
-
memory/3376-166-0x0000000009610000-0x0000000009611000-memory.dmpFilesize
4KB
-
memory/3376-161-0x0000000007F30000-0x0000000007F31000-memory.dmpFilesize
4KB
-
memory/3376-157-0x0000000007600000-0x0000000007601000-memory.dmpFilesize
4KB
-
memory/3376-159-0x0000000007E30000-0x0000000007E31000-memory.dmpFilesize
4KB