Analysis
max time kernel: 149s
max time network: 129s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-12-2021 14:51
Static task
static1
General
Target: 3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
Size: 5.4MB
MD5: 72938547306c7c34e465fad3f1e1d9c4
SHA1: e4746ffa624c7ac2e0983c7dd7661aa41d47876a
SHA256: 3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce
SHA512: c73101e337aa3fab16e53dae7c859db354dbab32bdccd3905b2c6778af01ac842c62285ff2c9ff2fd5957663e056c7a82ddee1c69ea392a76acf2fb3b1192959
Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource    yara_rule
C:\Users\Admin\AppData\Local\Temp\EPMYCX~1.DLL    DanabotLoader2021
\Users\Admin\AppData\Local\Temp\EPMYCX~1.DLL    DanabotLoader2021
behavioral1/memory/2148-156-0x0000000004150000-0x00000000043CD000-memory.dmp    DanabotLoader2021
\Users\Admin\AppData\Local\Temp\EPMYCX~1.DLL    DanabotLoader2021
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
flow    pid    process
32    3248    WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: guffer.exe, kadeinvp.exe, epmycxmbb.exe, DpEditor.exe
pid    process
3488    guffer.exe
3768    kadeinvp.exe
2340    epmycxmbb.exe
2248    DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: guffer.exe, kadeinvp.exe, DpEditor.exe
description    ioc    process
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    guffer.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    guffer.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    kadeinvp.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    kadeinvp.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    DpEditor.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    DpEditor.exe
-
Loads dropped DLL 3 IoCs
Processes: 3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe, rundll32.exe
pid    process
2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
2148    rundll32.exe
2148    rundll32.exe
-
Processes:
resource    yara_rule
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe    themida
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe    themida
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe    themida
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe    themida
behavioral1/memory/3488-122-0x0000000001140000-0x000000000182A000-memory.dmp    themida
behavioral1/memory/3488-123-0x0000000001140000-0x000000000182A000-memory.dmp    themida
behavioral1/memory/3768-124-0x00000000009A0000-0x000000000106E000-memory.dmp    themida
behavioral1/memory/3768-126-0x00000000009A0000-0x000000000106E000-memory.dmp    themida
behavioral1/memory/3488-125-0x0000000001140000-0x000000000182A000-memory.dmp    themida
behavioral1/memory/3768-128-0x00000000009A0000-0x000000000106E000-memory.dmp    themida
behavioral1/memory/3488-127-0x0000000001140000-0x000000000182A000-memory.dmp    themida
behavioral1/memory/3768-129-0x00000000009A0000-0x000000000106E000-memory.dmp    themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe    themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe    themida
behavioral1/memory/2248-141-0x00000000008F0000-0x0000000000FDA000-memory.dmp    themida
behavioral1/memory/2248-142-0x00000000008F0000-0x0000000000FDA000-memory.dmp    themida
behavioral1/memory/2248-144-0x00000000008F0000-0x0000000000FDA000-memory.dmp    themida
behavioral1/memory/2248-143-0x00000000008F0000-0x0000000000FDA000-memory.dmp    themida
-
Processes: guffer.exe, kadeinvp.exe, DpEditor.exe
description    ioc    process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    guffer.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    kadeinvp.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow    ioc
10    ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: guffer.exe, kadeinvp.exe, DpEditor.exe
pid    process
3488    guffer.exe
3768    kadeinvp.exe
2248    DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes: 3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
description    ioc    process
File created    C:\Program Files (x86)\foler\olader\adprovider.dll    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
File created    C:\Program Files (x86)\foler\olader\acledit.dll    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
File created    C:\Program Files (x86)\foler\olader\acppage.dll    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: kadeinvp.exe
description    ioc    process
Key opened    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0    kadeinvp.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    kadeinvp.exe
-
Modifies registry class 1 IoCs
Processes: kadeinvp.exe
description    ioc    process
Key created    \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings    kadeinvp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
pid    process
2248    DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: guffer.exe, kadeinvp.exe, DpEditor.exe
pid    process
3488    guffer.exe
3488    guffer.exe
3768    kadeinvp.exe
3768    kadeinvp.exe
2248    DpEditor.exe
2248    DpEditor.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe, kadeinvp.exe, guffer.exe, epmycxmbb.exe
description    pid    process    target process
PID 2500 wrote to memory of 3488    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    guffer.exe
PID 2500 wrote to memory of 3488    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    guffer.exe
PID 2500 wrote to memory of 3488    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    guffer.exe
PID 2500 wrote to memory of 3768    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    kadeinvp.exe
PID 2500 wrote to memory of 3768    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    kadeinvp.exe
PID 2500 wrote to memory of 3768    2500    3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    kadeinvp.exe
PID 3768 wrote to memory of 2340    3768    kadeinvp.exe    epmycxmbb.exe
PID 3768 wrote to memory of 2340    3768    kadeinvp.exe    epmycxmbb.exe
PID 3768 wrote to memory of 2340    3768    kadeinvp.exe    epmycxmbb.exe
PID 3768 wrote to memory of 512    3768    kadeinvp.exe    WScript.exe
PID 3768 wrote to memory of 512    3768    kadeinvp.exe    WScript.exe
PID 3768 wrote to memory of 512    3768    kadeinvp.exe    WScript.exe
PID 3488 wrote to memory of 2248    3488    guffer.exe    DpEditor.exe
PID 3488 wrote to memory of 2248    3488    guffer.exe    DpEditor.exe
PID 3488 wrote to memory of 2248    3488    guffer.exe    DpEditor.exe
PID 3768 wrote to memory of 3248    3768    kadeinvp.exe    WScript.exe
PID 3768 wrote to memory of 3248    3768    kadeinvp.exe    WScript.exe
PID 3768 wrote to memory of 3248    3768    kadeinvp.exe    WScript.exe
PID 2340 wrote to memory of 2148    2340    epmycxmbb.exe    rundll32.exe
PID 2340 wrote to memory of 2148    2340    epmycxmbb.exe    rundll32.exe
PID 2340 wrote to memory of 2148    2340    epmycxmbb.exe    rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe    "C:\Users\Admin\AppData\Local\Temp\3dc1556c2f61e7f99a844745571f523f789cf2221dbdbaa916c140d4f82366ce.exe"    1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe    "C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe"    2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"    3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe    "C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe"    2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\epmycxmbb.exe    "C:\Users\Admin\AppData\Local\Temp\epmycxmbb.exe"    3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EPMYCX~1.DLL,s C:\Users\Admin\AppData\Local\Temp\EPMYCX~1.EXE    4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WScript.exe    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mxafnojblr.vbs"    3⤵
-
C:\Windows\SysWOW64\WScript.exe    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eyqtlalu.vbs"    3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads