Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-01-2022 15:34
Behavioral task
behavioral1
Sample
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll
Resource
win7-en-20211208
General
-
Target
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll
-
Size
14.9MB
-
MD5
cbac8f0600345f5fdc38a4c9f41e21f3
-
SHA1
606f627a922e4a22cc139474866559dabea1f0d5
-
SHA256
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05
-
SHA512
54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109
Malware Config
Extracted
danabot
2108
4
192.119.110.4:443
103.175.16.113:443
-
embedded_hash
422236FD601D11EE82825A484D26DD6F
-
type
main
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
RUNDLL32.EXEflow pid process 18 3024 RUNDLL32.EXE 27 3024 RUNDLL32.EXE 30 3024 RUNDLL32.EXE -
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
RUNDLL32.EXEdescription ioc process File opened (read-only) \??\A: RUNDLL32.EXE File opened (read-only) \??\B: RUNDLL32.EXE -
Drops file in System32 directory 3 IoCs
Processes:
RUNDLL32.EXErundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat RUNDLL32.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\pkcs11.txt rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\cert9.db rundll32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RUNDLL32.EXEdescription pid process target process PID 688 set thread context of 3180 688 RUNDLL32.EXE rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXERUNDLL32.EXErundll32.exesvchost.exedescription ioc process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe -
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs rundll32.exe -
Processes:
RUNDLL32.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\546A1EA02958B1FB0E34D5F75583698829AD7630\Blob = 030000000100000014000000546a1ea02958b1fb0e34d5f75583698829ad763020000000010000007a02000030820276308201dfa00302010202086d77941017c71857300d06092a864886f70d01010b050030613120301e06035504030c17446967694365737420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139313231313132303233345a170d3233313231303132303233345a30613120301e06035504030c17446967694365737420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100de2d30725e129e40b87cdcf0d429dd840ddaf0b7dbb0718f835eef33cbfeced631b1551cdba350727bd6a0e38ef77ef2db9336353ac32d2d5e7c3fe79e850e0d39a993e52c2ae29e42362386f8811943f0422b7f190fef5dfc23e55dbeabe31189f75a0463c0cf05e1048ce240f503b80d79e423193534488637d518df39b5850203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365737420476c6f62616c20526f6f74204341300d06092a864886f70d01010b050003818100b415612776e5ed0a3ed477ca3b7e9ca43dbb0cefe132eafb0181a6ab5d72addc102bcf36d4f93f363ae6a59da74758eadba70066b9d78d7858b8cb3aa8044c5a57c500ce4939a624a87dc0d7ad5cf62d7d3a624751b6e7a073208fd3ec9a56cb445b1463bdad40b5d0a4ff384ed1a2dd163ab4d379ba08af0dfe28560056c822 RUNDLL32.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\546A1EA02958B1FB0E34D5F75583698829AD7630 RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
svchost.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEpid process 1308 svchost.exe 1308 svchost.exe 3024 RUNDLL32.EXE 3024 RUNDLL32.EXE 3024 RUNDLL32.EXE 3024 RUNDLL32.EXE 3024 RUNDLL32.EXE 3024 RUNDLL32.EXE 2320 powershell.exe 2320 powershell.exe 2320 powershell.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 688 RUNDLL32.EXE 688 RUNDLL32.EXE 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe 1308 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RUNDLL32.EXEpowershell.exedescription pid process Token: SeDebugPrivilege 3024 RUNDLL32.EXE Token: SeDebugPrivilege 2320 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
rundll32.exepid process 3180 rundll32.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
rundll32.exesvchost.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exedescription pid process target process PID 660 wrote to memory of 1856 660 rundll32.exe rundll32.exe PID 660 wrote to memory of 1856 660 rundll32.exe rundll32.exe PID 660 wrote to memory of 1856 660 rundll32.exe rundll32.exe PID 1308 wrote to memory of 3024 1308 svchost.exe RUNDLL32.EXE PID 1308 wrote to memory of 3024 1308 svchost.exe RUNDLL32.EXE PID 1308 wrote to memory of 3024 1308 svchost.exe RUNDLL32.EXE PID 1856 wrote to memory of 2320 1856 rundll32.exe powershell.exe PID 1856 wrote to memory of 2320 1856 rundll32.exe powershell.exe PID 1856 wrote to memory of 2320 1856 rundll32.exe powershell.exe PID 3024 wrote to memory of 688 3024 RUNDLL32.EXE RUNDLL32.EXE PID 3024 wrote to memory of 688 3024 RUNDLL32.EXE RUNDLL32.EXE PID 3024 wrote to memory of 688 3024 RUNDLL32.EXE RUNDLL32.EXE PID 688 wrote to memory of 3180 688 RUNDLL32.EXE rundll32.exe PID 688 wrote to memory of 3180 688 RUNDLL32.EXE rundll32.exe PID 688 wrote to memory of 3180 688 RUNDLL32.EXE rundll32.exe PID 3180 wrote to memory of 1260 3180 rundll32.exe ctfmon.exe PID 3180 wrote to memory of 1260 3180 rundll32.exe ctfmon.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#12⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,dD42NjlWQ0Na2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,aRlPRA==3⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 72394⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/688-392-0x0000000001310000-0x0000000001311000-memory.dmpFilesize
4KB
-
memory/688-375-0x0000000000000000-mapping.dmp
-
memory/1260-391-0x0000000000000000-mapping.dmp
-
memory/1308-118-0x0000000003E00000-0x0000000004E01000-memory.dmpFilesize
16.0MB
-
memory/1308-119-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/1856-115-0x0000000000000000-mapping.dmp
-
memory/1856-116-0x00000000047A0000-0x00000000057A1000-memory.dmpFilesize
16.0MB
-
memory/1856-117-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/2320-137-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2320-149-0x0000000007810000-0x0000000007876000-memory.dmpFilesize
408KB
-
memory/2320-125-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2320-126-0x00000000046D0000-0x0000000004706000-memory.dmpFilesize
216KB
-
memory/2320-127-0x00000000071E0000-0x0000000007808000-memory.dmpFilesize
6.2MB
-
memory/2320-128-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/2320-129-0x0000000001212000-0x0000000001213000-memory.dmpFilesize
4KB
-
memory/2320-130-0x0000000007130000-0x0000000007152000-memory.dmpFilesize
136KB
-
memory/2320-131-0x0000000007810000-0x0000000007876000-memory.dmpFilesize
408KB
-
memory/2320-132-0x0000000007880000-0x00000000078E6000-memory.dmpFilesize
408KB
-
memory/2320-133-0x00000000078F0000-0x0000000007C40000-memory.dmpFilesize
3.3MB
-
memory/2320-134-0x0000000006D90000-0x0000000006DAC000-memory.dmpFilesize
112KB
-
memory/2320-135-0x0000000008110000-0x000000000815B000-memory.dmpFilesize
300KB
-
memory/2320-136-0x0000000008240000-0x00000000082B6000-memory.dmpFilesize
472KB
-
memory/2320-123-0x0000000000000000-mapping.dmp
-
memory/2320-145-0x00000000071E0000-0x0000000007808000-memory.dmpFilesize
6.2MB
-
memory/2320-147-0x0000000009090000-0x00000000090C3000-memory.dmpFilesize
204KB
-
memory/2320-146-0x0000000009090000-0x00000000090C3000-memory.dmpFilesize
204KB
-
memory/2320-148-0x0000000007130000-0x0000000007152000-memory.dmpFilesize
136KB
-
memory/2320-124-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2320-150-0x0000000007880000-0x00000000078E6000-memory.dmpFilesize
408KB
-
memory/2320-151-0x0000000008110000-0x000000000815B000-memory.dmpFilesize
300KB
-
memory/2320-152-0x0000000008240000-0x00000000082B6000-memory.dmpFilesize
472KB
-
memory/2320-153-0x0000000009070000-0x000000000908E000-memory.dmpFilesize
120KB
-
memory/2320-158-0x00000000091C0000-0x0000000009265000-memory.dmpFilesize
660KB
-
memory/2320-159-0x000000007F1B0000-0x000000007F1B1000-memory.dmpFilesize
4KB
-
memory/2320-160-0x00000000095B0000-0x0000000009644000-memory.dmpFilesize
592KB
-
memory/2320-197-0x0000000001213000-0x0000000001214000-memory.dmpFilesize
4KB
-
memory/2320-354-0x0000000009550000-0x000000000956A000-memory.dmpFilesize
104KB
-
memory/2320-359-0x0000000009550000-0x000000000956A000-memory.dmpFilesize
104KB
-
memory/2320-360-0x0000000009540000-0x0000000009548000-memory.dmpFilesize
32KB
-
memory/2320-365-0x0000000009540000-0x0000000009548000-memory.dmpFilesize
32KB
-
memory/3024-122-0x00000000060E0000-0x00000000060E1000-memory.dmpFilesize
4KB
-
memory/3024-121-0x0000000004DD0000-0x0000000005DD1000-memory.dmpFilesize
16.0MB
-
memory/3024-120-0x0000000000000000-mapping.dmp
-
memory/3180-387-0x00007FF704D15FD0-mapping.dmp
-
memory/3180-393-0x0000000000220000-0x00000000003D1000-memory.dmpFilesize
1.7MB
-
memory/3180-394-0x000001C2E9620000-0x000001C2E97E2000-memory.dmpFilesize
1.8MB