Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-11-2020 22:00
Static task: static1
Behavioral task: behavioral1
Sample: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Resource: win7v20201028
General
- Target: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- Size: 710KB
- MD5: 3e01b25d00cf3a9d93e4d4934fbeb8d1
- SHA1: db596e58d89f5cbb2ac89c38f8a03a7b09aa90fa
- SHA256: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee
- SHA512: bcb72c63699f1353bd5d3e9a2e8a8e1ce85174d481a88821d99f8be5ffa59f4ff4ba3ef7a24725b3e09807ded257f39e6a5e7b3d17b6d975f76d33661292c672
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
Executes dropped EXE 3 IoCs
Processes: c75u59s5_1.exe, 5ossye7sc9w75.exe, k3a3i533.exe
- PID 4092: c75u59s5_1.exe
- PID 3452: 5ossye7sc9w75.exe
- PID 604: k3a3i533.exe
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\c75u59s5.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\c75u59s5.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\c75u59s5.exe\"" (explorer.exe)
Checks whether UAC is enabled
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.09\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, explorer.exe
- PID 5024: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- PID 4200: explorer.exe (all remaining entries)
Suspicious use of SetThreadContext 2 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, c75u59s5_1.exe
- PID 4760 set thread context of 5024: process 4760 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, target process 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- PID 4092 set thread context of 0: process 4092 c75u59s5_1.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
NTFS ADS 2 IoCs
Processes: explorer.exe
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\c75u59s5_1.exe:14EDFC78 (explorer.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\c75u59s5_1.exe:14EDFC78 (explorer.exe)
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: explorer.exe
- PID 4200: explorer.exe (the same entry for every listed IoC)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: 5ossye7sc9w75.exe, k3a3i533.exe
- PID 3452: 5ossye7sc9w75.exe
- PID 604: k3a3i533.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- PID 5024: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe (both entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- PID 5024: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, explorer.exe
- PID 5024, 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 4200, explorer.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 5ossye7sc9w75.exe, k3a3i533.exe
- PID 3452: 5ossye7sc9w75.exe
- PID 604: k3a3i533.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 5ossye7sc9w75.exe, k3a3i533.exe
- PID 3452: 5ossye7sc9w75.exe (2 entries)
- PID 604: k3a3i533.exe (2 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, explorer.exe
- PID 4760 wrote to memory of 5024 (5 entries): process 4760 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, target process 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
- PID 5024 wrote to memory of 4200 (3 entries): process 5024 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe, target process explorer.exe
- PID 4200 wrote to memory of 4092 (3 entries): process 4200 explorer.exe, target process c75u59s5_1.exe
- PID 4200 wrote to memory of 3452 (2 entries): process 4200 explorer.exe, target process 5ossye7sc9w75.exe
- PID 4200 wrote to memory of 604 (2 entries): process 4200 explorer.exe, target process k3a3i533.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe"; tree level 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe"; tree level 2)
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe; tree level 3)
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\c75u59s5_1.exe (command line: /suac; tree level 4)
- Executes dropped EXE
- Suspicious use of SetThreadContext
C:\Users\Admin\AppData\Local\Temp\5ossye7sc9w75.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5ossye7sc9w75.exe"; tree level 4)
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\k3a3i533.exe (command line: "C:\Users\Admin\AppData\Local\Temp\k3a3i533.exe"; tree level 4)
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads