Analysis
-
max time kernel
151s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 17:51
Static task
static1
Behavioral task
behavioral1
Sample
19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
Resource
win7-20221111-en
General
-
Target
19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
-
Size
4.0MB
-
MD5
8f129ca0e882e49208ef4749bfaab916
-
SHA1
6a44d8e9af5097a8f2fd5e9928fd1d29c483aa53
-
SHA256
19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa
-
SHA512
d97b9a0b5d8dd80a0138eb4e33ec00be66e57f5978eb1614d05c0d60c6390a546097e454249ca207aa1f6ec04fcf2e44cdca4a84dfc5bd905f2a9d9c0991987d
-
SSDEEP
98304:fpvKw4l/aCvEhf/EtxpQD4x1K0hp476EtDF:f8NHEdEzy4DK0hp476I
Malware Config
Extracted
danabot
1765
3
79.124.78.236:443
134.119.186.199:443
192.236.162.42:443
134.119.186.198:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 4 880 RUNDLL32.EXE 5 880 RUNDLL32.EXE 6 880 RUNDLL32.EXE 7 880 RUNDLL32.EXE -
Deletes itself 1 IoCs
Processes:
rundll32.exepid process 1216 rundll32.exe -
Loads dropped DLL 8 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 1216 rundll32.exe 1216 rundll32.exe 1216 rundll32.exe 1216 rundll32.exe 880 RUNDLL32.EXE 880 RUNDLL32.EXE 880 RUNDLL32.EXE 880 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RUNDLL32.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeRUNDLL32.EXEpowershell.exepid process 1976 powershell.exe 880 RUNDLL32.EXE 880 RUNDLL32.EXE 540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1216 rundll32.exe Token: SeDebugPrivilege 880 RUNDLL32.EXE Token: SeDebugPrivilege 1976 powershell.exe Token: SeDebugPrivilege 540 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 880 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1228 wrote to memory of 1216 1228 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe rundll32.exe PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 1216 wrote to memory of 880 1216 rundll32.exe RUNDLL32.EXE PID 880 wrote to memory of 1976 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 1976 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 1976 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 1976 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 540 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 540 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 540 880 RUNDLL32.EXE powershell.exe PID 880 wrote to memory of 540 880 RUNDLL32.EXE powershell.exe PID 540 wrote to memory of 648 540 powershell.exe nslookup.exe PID 540 wrote to memory of 648 540 powershell.exe nslookup.exe PID 540 wrote to memory of 648 540 powershell.exe nslookup.exe PID 540 wrote to memory of 648 540 powershell.exe nslookup.exe PID 880 wrote to memory of 1212 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1212 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1212 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1212 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1924 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1924 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1924 880 RUNDLL32.EXE schtasks.exe PID 880 wrote to memory of 1924 880 RUNDLL32.EXE schtasks.exe -
outlook_office_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
outlook_win_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe"C:\Users\Admin\AppData\Local\Temp\19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\19524F~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\19524F~1.EXE2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\19524F~1.DLL,PAU3NA==3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4F1B.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6F0B.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
C:\Users\Admin\AppData\Local\Temp\tmp4F1B.tmp.ps1Filesize
261B
MD54ee362a6e789f799aa5200d33b5c8b26
SHA17433709a9dd335081fe149a8952decca52a5db6d
SHA256e82f871c00cc02b709355e7613a2c0a72b84b65769fd54ea0d1623c66ac9ebf0
SHA512058a75172e32643085690ab091eaf58d1bba5e7a288d7c5813ce269c0905fb8d2e7e7edcf509537301ad024abeb39865d95cfe7b4aeb50684b92547b157aaa5e
-
C:\Users\Admin\AppData\Local\Temp\tmp6F0B.tmp.ps1Filesize
80B
MD58dddfc9addb23fc994e2ad1ae0ea6efc
SHA17ce771656eb5342689c1b863dd6b8626f939cf94
SHA25656a6106ab382fb6a75d7fbeda7b6173095e8fd1de4382616acb16100f9b6b7d6
SHA51209aea89a1f426f04bea855b2e22d4a94cd75c15744977fe159580aea1dfa5ced0cd417ed6f49b689789b3579ce7e1ce733e8defd53d228c52e050da94186317e
-
C:\Users\Admin\AppData\Local\Temp\tmp6F0C.tmpFilesize
86B
MD51860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD564556594192b23833bbc6c05d86a1c7f
SHA1d0810fbf9891d4f7b64295b05795fd4517f463ce
SHA256f864da8c3afcd38222d5ef6cc5425477a5d5ee19fccb883ad43289063635aaf2
SHA512eec169136f0f1862ecada607908aa98d92716dd3242995258df884867eccf2278aa0c77f12ccb56a4b1e4c5dc31611b778aae6d529ec6cdda9db0574c9201928
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\19524F~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
memory/540-85-0x0000000000000000-mapping.dmp
-
memory/540-91-0x00000000726B0000-0x0000000072C5B000-memory.dmpFilesize
5.7MB
-
memory/540-92-0x00000000726B0000-0x0000000072C5B000-memory.dmpFilesize
5.7MB
-
memory/648-89-0x0000000000000000-mapping.dmp
-
memory/880-76-0x0000000001C60000-0x000000000202D000-memory.dmpFilesize
3.8MB
-
memory/880-79-0x0000000002400000-0x0000000002A62000-memory.dmpFilesize
6.4MB
-
memory/880-70-0x0000000000000000-mapping.dmp
-
memory/880-90-0x0000000002400000-0x0000000002A62000-memory.dmpFilesize
6.4MB
-
memory/880-78-0x0000000002400000-0x0000000002A62000-memory.dmpFilesize
6.4MB
-
memory/1212-94-0x0000000000000000-mapping.dmp
-
memory/1216-67-0x00000000025B0000-0x0000000002C12000-memory.dmpFilesize
6.4MB
-
memory/1216-66-0x0000000001E10000-0x00000000021DD000-memory.dmpFilesize
3.8MB
-
memory/1216-77-0x00000000025B0000-0x0000000002C12000-memory.dmpFilesize
6.4MB
-
memory/1216-68-0x00000000025B0000-0x0000000002C12000-memory.dmpFilesize
6.4MB
-
memory/1216-56-0x0000000000000000-mapping.dmp
-
memory/1216-69-0x00000000025B0000-0x0000000002C12000-memory.dmpFilesize
6.4MB
-
memory/1228-58-0x00000000032D0000-0x000000000369C000-memory.dmpFilesize
3.8MB
-
memory/1228-60-0x0000000000400000-0x0000000002F80000-memory.dmpFilesize
43.5MB
-
memory/1228-59-0x00000000036A0000-0x0000000003A7F000-memory.dmpFilesize
3.9MB
-
memory/1228-54-0x00000000032D0000-0x000000000369C000-memory.dmpFilesize
3.8MB
-
memory/1228-55-0x00000000760A1000-0x00000000760A3000-memory.dmpFilesize
8KB
-
memory/1924-95-0x0000000000000000-mapping.dmp
-
memory/1976-80-0x0000000000000000-mapping.dmp
-
memory/1976-84-0x0000000072AB0000-0x000000007305B000-memory.dmpFilesize
5.7MB
-
memory/1976-82-0x0000000072AB0000-0x000000007305B000-memory.dmpFilesize
5.7MB