Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 18:41
Static task
static1
Behavioral task
behavioral1
Sample
0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
Resource
win7-20221111-en
General
-
Target
0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
-
Size
4.0MB
-
MD5
a8c0796d74fe9e34fe0c67a500dc7b32
-
SHA1
ebdd34cd4fda39ade14e4fc0c4e8ce4b397e8959
-
SHA256
0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b
-
SHA512
906db571ec138e9fec43e9182ecf2a6a2af7120f85169e14e68d4632c36bf785768a87e2043c9107b0db23f0a3f7c7473b8b1a45a943b79d68d9baf2d8bede33
-
SSDEEP
98304:acC8excbiUsPc9K7YrHDjJzp1PGcjXF1D4TQ4Ll5nZGv13dwsBD:acC8eKGU8c9fVpBLJ1MT5J5nZp
Malware Config
Extracted
danabot
1765
3
79.124.78.236:443
134.119.186.199:443
192.236.162.42:443
134.119.186.198:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 4 1460 RUNDLL32.EXE 5 1460 RUNDLL32.EXE 6 1460 RUNDLL32.EXE 7 1460 RUNDLL32.EXE -
Deletes itself 1 IoCs
Processes:
rundll32.exepid process 1800 rundll32.exe -
Loads dropped DLL 8 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 1800 rundll32.exe 1800 rundll32.exe 1800 rundll32.exe 1800 rundll32.exe 1460 RUNDLL32.EXE 1460 RUNDLL32.EXE 1460 RUNDLL32.EXE 1460 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RUNDLL32.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\02T2Y1LA\desktop.ini RUNDLL32.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeRUNDLL32.EXEpowershell.exepid process 1780 powershell.exe 1460 RUNDLL32.EXE 1460 RUNDLL32.EXE 604 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1800 rundll32.exe Token: SeDebugPrivilege 1460 RUNDLL32.EXE Token: SeDebugPrivilege 1780 powershell.exe Token: SeDebugPrivilege 604 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 1460 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1200 wrote to memory of 1800 1200 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe rundll32.exe PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1800 wrote to memory of 1460 1800 rundll32.exe RUNDLL32.EXE PID 1460 wrote to memory of 1780 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 1780 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 1780 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 1780 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 604 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 604 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 604 1460 RUNDLL32.EXE powershell.exe PID 1460 wrote to memory of 604 1460 RUNDLL32.EXE powershell.exe PID 604 wrote to memory of 1868 604 powershell.exe nslookup.exe PID 604 wrote to memory of 1868 604 powershell.exe nslookup.exe PID 604 wrote to memory of 1868 604 powershell.exe nslookup.exe PID 604 wrote to memory of 1868 604 powershell.exe nslookup.exe PID 1460 wrote to memory of 880 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 880 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 880 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 880 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 1576 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 1576 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 1576 1460 RUNDLL32.EXE schtasks.exe PID 1460 wrote to memory of 1576 1460 RUNDLL32.EXE schtasks.exe -
outlook_office_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
outlook_win_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe"C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,nk5QjBz0Ag==3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4377.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8BFD.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
C:\Users\Admin\AppData\Local\Temp\tmp4377.tmp.ps1Filesize
261B
MD54a4c84996dc8bf8c6f1209aabb632726
SHA18055c2ee9a5f6f3cdeec7272e1c3ef3baf405d83
SHA256fe502f87fccc8685d311327a5345fa35ca74f7afbfc74f56ebf1a9656fd1b1b1
SHA5124f797a181aaa344ca191449a4bb219fd13811a1fe9c4a9c52f35d967795ac87cd92a200ec6d3d14e414bfd67c2e1553c06681f5316b82a12bc2b3d1ad7af2a8b
-
C:\Users\Admin\AppData\Local\Temp\tmp8BFD.tmp.ps1Filesize
80B
MD531bb92be51555f60bd7c58fbab234e72
SHA1225cb82b5854993dc069801fea8369ff9dc183d4
SHA256530d361c0c6196cda980053a8eb222f1c8facd9b76ec4c73a606da428d83b522
SHA512e6422eaeafa7103739c9d666ff0ce7ea1c584635cd635bf897ec12f2ebde4044522f1385961839b29eadbc3d36d1ff63192470ed5b7681a8db1b8bb2b80c2e5f
-
C:\Users\Admin\AppData\Local\Temp\tmp8BFE.tmpFilesize
86B
MD51860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD50a0cf0840a7eb981dc3fdf012afaf964
SHA123e54f02aa25a858a33b114c3cf20a92630b7727
SHA25628c37f76772ac31aab1bdf8ead16054e829bfb04fd8a6a0865e2a80cf6d1d7f8
SHA5127b4b77c215746e1187f1d3d3282976bd0668112c2247c9c76c6b3acb422341d5c1b2b1d5e58e75a04c3ed13c31e64323edc6d58977dce714e386a78b693afb80
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
\Users\Admin\AppData\Local\Temp\0FF222~1.DLLFilesize
3.8MB
MD50fa776ebc6c175716ddae5d5ce2a5894
SHA13dbb9ac31089481cdba10345889f73d9acb59a02
SHA256fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA51255d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
memory/604-93-0x0000000072860000-0x0000000072E0B000-memory.dmpFilesize
5.7MB
-
memory/604-87-0x0000000000000000-mapping.dmp
-
memory/604-92-0x0000000072860000-0x0000000072E0B000-memory.dmpFilesize
5.7MB
-
memory/880-95-0x0000000000000000-mapping.dmp
-
memory/1200-56-0x00000000012C0000-0x000000000169F000-memory.dmpFilesize
3.9MB
-
memory/1200-55-0x0000000000EF0000-0x00000000012BC000-memory.dmpFilesize
3.8MB
-
memory/1200-57-0x0000000076041000-0x0000000076043000-memory.dmpFilesize
8KB
-
memory/1200-60-0x00000000012C0000-0x000000000169F000-memory.dmpFilesize
3.9MB
-
memory/1200-61-0x0000000000400000-0x0000000000C49000-memory.dmpFilesize
8.3MB
-
memory/1200-54-0x0000000000EF0000-0x00000000012BC000-memory.dmpFilesize
3.8MB
-
memory/1460-79-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1460-71-0x0000000000000000-mapping.dmp
-
memory/1460-84-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1460-80-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1576-96-0x0000000000000000-mapping.dmp
-
memory/1780-83-0x0000000072C50000-0x00000000731FB000-memory.dmpFilesize
5.7MB
-
memory/1780-86-0x0000000072C50000-0x00000000731FB000-memory.dmpFilesize
5.7MB
-
memory/1780-81-0x0000000000000000-mapping.dmp
-
memory/1800-78-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1800-70-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1800-69-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1800-68-0x00000000027A0000-0x0000000002E02000-memory.dmpFilesize
6.4MB
-
memory/1800-67-0x0000000002100000-0x00000000024CD000-memory.dmpFilesize
3.8MB
-
memory/1800-58-0x0000000000000000-mapping.dmp
-
memory/1868-91-0x0000000000000000-mapping.dmp