Analysis
- max time kernel: 140s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 06-12-2021 13:47
Static task
static1
General
- Target: 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe
- Size: 5.4MB
- MD5: d19ad5fbe2455393c8b4bf7203754461
- SHA1: db97f0945094fb160c3f7154d230ed268842a6e8
- SHA256: 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
- SHA512: 43ee8f5e9b15a6736eff2179e46b8b68c7a968a3b12032356c7b98e3bbff8ccd4fcaf9a62ceba3f8fd0e244de635d90044825b5877e842a6a828fd5bedc1b921
Malware Config
Extracted
danabot
142.11.244.223:443
23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\PPSVUW~1.DLL | DanabotLoader2021 |
| \Users\Admin\AppData\Local\Temp\PPSVUW~1.DLL | DanabotLoader2021 |
| \Users\Admin\AppData\Local\Temp\PPSVUW~1.DLL | DanabotLoader2021 |
| behavioral1/memory/2616-159-0x0000000000AC0000-0x0000000000D3B000-memory.dmp | DanabotLoader2021 |

-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
| flow | pid | process |
| --- | --- | --- |
| 34 | 3156 | WScript.exe |

-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
| pid | process |
| --- | --- |
| 3144 | noahic.exe |
| 4056 | pikingvp.exe |
| 2248 | ppsvuwnoqg.exe |
| 1720 | DpEditor.exe |

-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | noahic.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | noahic.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pikingvp.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pikingvp.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe |

-
Loads dropped DLL 3 IoCs
Processes:
| pid | process |
| --- | --- |
| 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe |
| 2616 | rundll32.exe |
| 2616 | rundll32.exe |

-
Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida |
| C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida |
| C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida |
| C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida |
| behavioral1/memory/3144-125-0x00000000009D0000-0x000000000111C000-memory.dmp | themida |
| behavioral1/memory/4056-126-0x00000000012B0000-0x000000000191B000-memory.dmp | themida |
| behavioral1/memory/3144-127-0x00000000009D0000-0x000000000111C000-memory.dmp | themida |
| behavioral1/memory/4056-128-0x00000000012B0000-0x000000000191B000-memory.dmp | themida |
| behavioral1/memory/4056-129-0x00000000012B0000-0x000000000191B000-memory.dmp | themida |
| behavioral1/memory/3144-131-0x00000000009D0000-0x000000000111C000-memory.dmp | themida |
| behavioral1/memory/4056-130-0x00000000012B0000-0x000000000191B000-memory.dmp | themida |
| behavioral1/memory/3144-132-0x00000000009D0000-0x000000000111C000-memory.dmp | themida |
| C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida |
| C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida |
| behavioral1/memory/1720-147-0x0000000000DA0000-0x00000000014EC000-memory.dmp | themida |
| behavioral1/memory/1720-148-0x0000000000DA0000-0x00000000014EC000-memory.dmp | themida |
| behavioral1/memory/1720-149-0x0000000000DA0000-0x00000000014EC000-memory.dmp | themida |
| behavioral1/memory/1720-150-0x0000000000DA0000-0x00000000014EC000-memory.dmp | themida |

-
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pikingvp.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | noahic.exe |

-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
| flow | ioc |
| --- | --- |
| 16 | ip-api.com |

-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
| pid | process |
| --- | --- |
| 3144 | noahic.exe |
| 4056 | pikingvp.exe |
| 1720 | DpEditor.exe |

-
Drops file in Program Files directory 3 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\foler\olader\acppage.dll | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe |
| File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe |
| File created | C:\Program Files (x86)\foler\olader\acledit.dll | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pikingvp.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | pikingvp.exe |

-
Modifies registry class 1 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | pikingvp.exe |

-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
| pid | process |
| --- | --- |
| 1720 | DpEditor.exe |

-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
| pid | process |
| --- | --- |
| 3144 | noahic.exe |
| 3144 | noahic.exe |
| 4056 | pikingvp.exe |
| 4056 | pikingvp.exe |
| 1720 | DpEditor.exe |
| 1720 | DpEditor.exe |

-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3972 wrote to memory of 3144 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | noahic.exe |
| PID 3972 wrote to memory of 3144 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | noahic.exe |
| PID 3972 wrote to memory of 3144 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | noahic.exe |
| PID 3972 wrote to memory of 4056 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | pikingvp.exe |
| PID 3972 wrote to memory of 4056 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | pikingvp.exe |
| PID 3972 wrote to memory of 4056 | 3972 | 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe | pikingvp.exe |
| PID 4056 wrote to memory of 2248 | 4056 | pikingvp.exe | ppsvuwnoqg.exe |
| PID 4056 wrote to memory of 2248 | 4056 | pikingvp.exe | ppsvuwnoqg.exe |
| PID 4056 wrote to memory of 2248 | 4056 | pikingvp.exe | ppsvuwnoqg.exe |
| PID 4056 wrote to memory of 644 | 4056 | pikingvp.exe | WScript.exe |
| PID 4056 wrote to memory of 644 | 4056 | pikingvp.exe | WScript.exe |
| PID 4056 wrote to memory of 644 | 4056 | pikingvp.exe | WScript.exe |
| PID 3144 wrote to memory of 1720 | 3144 | noahic.exe | DpEditor.exe |
| PID 3144 wrote to memory of 1720 | 3144 | noahic.exe | DpEditor.exe |
| PID 3144 wrote to memory of 1720 | 3144 | noahic.exe | DpEditor.exe |
| PID 4056 wrote to memory of 3156 | 4056 | pikingvp.exe | WScript.exe |
| PID 4056 wrote to memory of 3156 | 4056 | pikingvp.exe | WScript.exe |
| PID 4056 wrote to memory of 3156 | 4056 | pikingvp.exe | WScript.exe |
| PID 2248 wrote to memory of 2616 | 2248 | ppsvuwnoqg.exe | rundll32.exe |
| PID 2248 wrote to memory of 2616 | 2248 | ppsvuwnoqg.exe | rundll32.exe |
| PID 2248 wrote to memory of 2616 | 2248 | ppsvuwnoqg.exe | rundll32.exe |
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c.exe"
Tree level: 1
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 3972
-
Image: C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe"
Tree level: 2
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3144
-
Image: C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
Tree level: 3
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID: 1720
-
Image: C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe"
Tree level: 2
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4056
-
Image: C:\Users\Admin\AppData\Local\Temp\ppsvuwnoqg.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ppsvuwnoqg.exe"
Tree level: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2248
-
Image: C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PPSVUW~1.DLL,s C:\Users\Admin\AppData\Local\Temp\PPSVUW~1.EXE
Tree level: 4
- Loads dropped DLL
PID: 2616
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\keyhgdjhrg.vbs"
Tree level: 3
PID: 644
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ldptxsseaxv.vbs"
Tree level: 3
- Blocklisted process makes network request
PID: 3156
Network
MITRE ATT&CK Enterprise v6
Downloads