Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-11-2020 12:34
Static task
static1
Behavioral task
behavioral1
Sample
7bca80dd5c19443aa59f1e1d32a14986.exe
Resource
win7v20201028
General
-
Target
7bca80dd5c19443aa59f1e1d32a14986.exe
-
Size
1.0MB
-
MD5
a4eeeca0638de7188fc51993ded01fea
-
SHA1
9ddf88b0a022e6ca1e70f450126b6d3c27cbb573
-
SHA256
61d4ffa8f628b886b63e70a83fc7fcaf89cfe976ef1554f20d481487e5da94fe
-
SHA512
335e22ec69fc84715d4d28367e71bd8fc57e0538982375c86d3d0c5d4d0a8a3b0b616bf434873742c97855d5bc64adce17bb2f8a70e71cbfe0b1862b5c6858e3
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
2ORAPNk7URLRiqa3hnDm.exereviewruntime.execonhost.exepid process 2020 2ORAPNk7URLRiqa3hnDm.exe 784 reviewruntime.exe 1336 conhost.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.execmd.exepid process 2016 cmd.exe 820 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
conhost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features conhost.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ipinfo.io 8 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
Processes:
conhost.exepid process 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe -
Drops file in Program Files directory 3 IoCs
Processes:
reviewruntime.exedescription ioc process File created C:\Program Files\Java\jdk1.7.0_80\jre\System.exe reviewruntime.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\System.exe reviewruntime.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a reviewruntime.exe -
Drops file in Windows directory 2 IoCs
Processes:
reviewruntime.exedescription ioc process File created C:\Windows\debug\WIA\svchost.exe reviewruntime.exe File created C:\Windows\debug\WIA\f4d236fdec2fd03914189c3b26e5cb0dfea9d761 reviewruntime.exe -
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1604 schtasks.exe 1860 schtasks.exe 1828 schtasks.exe 1276 schtasks.exe 1824 schtasks.exe 1792 schtasks.exe 1908 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 77 IoCs
Processes:
reviewruntime.execonhost.exepowershell.exepid process 784 reviewruntime.exe 1336 conhost.exe 1336 conhost.exe 1920 powershell.exe 1920 powershell.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe 1336 conhost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
reviewruntime.execonhost.exepowershell.exedescription pid process Token: SeDebugPrivilege 784 reviewruntime.exe Token: SeDebugPrivilege 1336 conhost.exe Token: SeDebugPrivilege 1920 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1336 conhost.exe -
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
7bca80dd5c19443aa59f1e1d32a14986.exeWScript.execmd.exe2ORAPNk7URLRiqa3hnDm.exeWScript.execmd.exereviewruntime.execonhost.exedescription pid process target process PID 1744 wrote to memory of 1820 1744 7bca80dd5c19443aa59f1e1d32a14986.exe WScript.exe PID 1744 wrote to memory of 1820 1744 7bca80dd5c19443aa59f1e1d32a14986.exe WScript.exe PID 1744 wrote to memory of 1820 1744 7bca80dd5c19443aa59f1e1d32a14986.exe WScript.exe PID 1744 wrote to memory of 1820 1744 7bca80dd5c19443aa59f1e1d32a14986.exe WScript.exe PID 1820 wrote to memory of 2016 1820 WScript.exe cmd.exe PID 1820 wrote to memory of 2016 1820 WScript.exe cmd.exe PID 1820 wrote to memory of 2016 1820 WScript.exe cmd.exe PID 1820 wrote to memory of 2016 1820 WScript.exe cmd.exe PID 2016 wrote to memory of 2020 2016 cmd.exe 2ORAPNk7URLRiqa3hnDm.exe PID 2016 wrote to memory of 2020 2016 cmd.exe 2ORAPNk7URLRiqa3hnDm.exe PID 2016 wrote to memory of 2020 2016 cmd.exe 2ORAPNk7URLRiqa3hnDm.exe PID 2016 wrote to memory of 2020 2016 cmd.exe 2ORAPNk7URLRiqa3hnDm.exe PID 2020 wrote to memory of 1740 2020 2ORAPNk7URLRiqa3hnDm.exe WScript.exe PID 2020 wrote to memory of 1740 2020 2ORAPNk7URLRiqa3hnDm.exe WScript.exe PID 2020 wrote to memory of 1740 2020 2ORAPNk7URLRiqa3hnDm.exe WScript.exe PID 2020 wrote to memory of 1740 2020 2ORAPNk7URLRiqa3hnDm.exe WScript.exe PID 1740 wrote to memory of 820 1740 WScript.exe cmd.exe PID 1740 wrote to memory of 820 1740 WScript.exe cmd.exe PID 1740 wrote to memory of 820 1740 WScript.exe cmd.exe PID 1740 wrote to memory of 820 1740 WScript.exe cmd.exe PID 820 wrote to memory of 784 820 cmd.exe reviewruntime.exe PID 820 wrote to memory of 784 820 cmd.exe reviewruntime.exe PID 820 wrote to memory of 784 820 cmd.exe reviewruntime.exe PID 820 wrote to memory of 784 820 cmd.exe reviewruntime.exe PID 784 wrote to memory of 1604 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1604 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1604 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1860 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1860 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1860 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1828 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1828 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1828 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1276 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1276 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1276 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1824 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1824 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1824 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1792 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1792 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1792 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1908 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1908 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1908 784 reviewruntime.exe schtasks.exe PID 784 wrote to memory of 1336 784 reviewruntime.exe conhost.exe PID 784 wrote to memory of 1336 784 reviewruntime.exe conhost.exe PID 784 wrote to memory of 1336 784 reviewruntime.exe conhost.exe PID 1336 wrote to memory of 1920 1336 conhost.exe powershell.exe PID 1336 wrote to memory of 1920 1336 conhost.exe powershell.exe PID 1336 wrote to memory of 1920 1336 conhost.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bca80dd5c19443aa59f1e1d32a14986.exe"C:\Users\Admin\AppData\Local\Temp\7bca80dd5c19443aa59f1e1d32a14986.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\brokernet\tpMDQ4PywPQzcvfRXV4ZglMEfSHxJ6.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\brokernet\pnotGSxdh5CXKZwArEdYL4V4nAwV2V.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\brokernet\2ORAPNk7URLRiqa3hnDm.exe2ORAPNk7URLRiqa3hnDm.exe -p3429224301224079efb02d13ea4e8140761d094e4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\brokernet\ZIH4iAr0ojQw4M3djezMReyfj8zlug.vbe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\brokernet\ZFrWPPoku5WymlXeSwM2KOsbP5Cd03.bat" "6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\brokernet\reviewruntime.exe"C:\brokernet\reviewruntime.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\System.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\svchost.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\svchost.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\conhost.exe'" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\conhost.exe"C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\conhost.exe"8⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\conhost.exeMD5
e14e00f3928c30c1058722868732c8af
SHA1440fcb1df423c4d99eb0824c35d5dec9f3a772d8
SHA2563a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712
SHA512252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3
-
C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\conhost.exeMD5
e14e00f3928c30c1058722868732c8af
SHA1440fcb1df423c4d99eb0824c35d5dec9f3a772d8
SHA2563a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712
SHA512252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3
-
C:\brokernet\2ORAPNk7URLRiqa3hnDm.exeMD5
fbf43fe73c7e0d8dcf50dd57096e6b3a
SHA16c379a589e9d2e8f9e34d37c2d5a8137747cdc6f
SHA2563f5110cdc23b3b8f41f8ed7a89be00734d83976b048dbea6fe4c630da07a9a7c
SHA5127a9b89bd21e003d848d0e10c2e7efffa6280f41f7a1a9bcb15725f8b97100829c544d7bd4220681508ca4a803a92e7a1e15a983c3384d21a85a47ca3621de396
-
C:\brokernet\2ORAPNk7URLRiqa3hnDm.exeMD5
fbf43fe73c7e0d8dcf50dd57096e6b3a
SHA16c379a589e9d2e8f9e34d37c2d5a8137747cdc6f
SHA2563f5110cdc23b3b8f41f8ed7a89be00734d83976b048dbea6fe4c630da07a9a7c
SHA5127a9b89bd21e003d848d0e10c2e7efffa6280f41f7a1a9bcb15725f8b97100829c544d7bd4220681508ca4a803a92e7a1e15a983c3384d21a85a47ca3621de396
-
C:\brokernet\ZFrWPPoku5WymlXeSwM2KOsbP5Cd03.batMD5
15962dfcba62cc2271f937dc297cb0ce
SHA1dca931246f33ac7b5a6ea4508d6503773a03c189
SHA25630574fa5d4466b7ae216adc5098a9b6ad89519f83a772b940032dcc45d8cd773
SHA5128a1637fe9be192a17200bf4ad2971b0fb863aa7947a21e5cee642ff92897decedffd7fbcf0dcbafdbab1752c6304ac4cebd29bea753bcc1e41b7c4ef96f0887a
-
C:\brokernet\ZIH4iAr0ojQw4M3djezMReyfj8zlug.vbeMD5
2f3f88038897bc8c67f5d05f264b59b3
SHA178e439754137db0c02b773b6e1bee167458aa5f3
SHA25698f25c4a48c835a8ad6559082e6115924b2ffd2ad96e3917793cc07ae5b7d913
SHA5123220ce2b65362def3917f6224c5c8284adab791a584ef0d007930034d47fa41068394dbeb947b98913aa9619a6cba195d087d1e6ac34c5c691e00a3e71b39810
-
C:\brokernet\pnotGSxdh5CXKZwArEdYL4V4nAwV2V.batMD5
0f4fbe7d6ac99b88cd9478587f5ed80d
SHA1ec7964a07c22a5e60927da0268e1884186849722
SHA2567b875b89c286b6d3c35e38360ec5bfdc6525b860ab87ae3f7ff0f9d6d79e791f
SHA512a9386b91da6e9e381cf3075f08b9b04fcee80a8db25d4472729b92d7948e0b763135769ba1dd7ed7165b824607438a59ed69a28ecfdb1bb11cd5e0b1c3ad4645
-
C:\brokernet\reviewruntime.exeMD5
e14e00f3928c30c1058722868732c8af
SHA1440fcb1df423c4d99eb0824c35d5dec9f3a772d8
SHA2563a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712
SHA512252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3
-
C:\brokernet\reviewruntime.exeMD5
e14e00f3928c30c1058722868732c8af
SHA1440fcb1df423c4d99eb0824c35d5dec9f3a772d8
SHA2563a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712
SHA512252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3
-
C:\brokernet\tpMDQ4PywPQzcvfRXV4ZglMEfSHxJ6.vbeMD5
f9e803a994c4758562f5e667be1ca87f
SHA19b8af281ac195dbddb570242cd8998862637bd05
SHA2564a7f8394b61aff5cd341d428a5e94f1bd8f09d194c7d30fc4033d320b821f466
SHA5124999eb3af7020c801bbcc10b47a37872bda46b5868baba79755dddd9af3d825f96d6d5e372780c38eb1c2d567c4e01b105229cd36d06c8a6c965ca9539fa1320
-
\brokernet\2ORAPNk7URLRiqa3hnDm.exeMD5
fbf43fe73c7e0d8dcf50dd57096e6b3a
SHA16c379a589e9d2e8f9e34d37c2d5a8137747cdc6f
SHA2563f5110cdc23b3b8f41f8ed7a89be00734d83976b048dbea6fe4c630da07a9a7c
SHA5127a9b89bd21e003d848d0e10c2e7efffa6280f41f7a1a9bcb15725f8b97100829c544d7bd4220681508ca4a803a92e7a1e15a983c3384d21a85a47ca3621de396
-
\brokernet\reviewruntime.exeMD5
e14e00f3928c30c1058722868732c8af
SHA1440fcb1df423c4d99eb0824c35d5dec9f3a772d8
SHA2563a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712
SHA512252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3
-
memory/784-23-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/784-20-0x000007FEF4D90000-0x000007FEF577C000-memory.dmpFilesize
9.9MB
-
memory/784-21-0x00000000012F0000-0x00000000012F1000-memory.dmpFilesize
4KB
-
memory/784-17-0x0000000000000000-mapping.dmp
-
memory/820-14-0x0000000000000000-mapping.dmp
-
memory/1276-27-0x0000000000000000-mapping.dmp
-
memory/1336-35-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1336-37-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/1336-34-0x000007FEF4D90000-0x000007FEF577C000-memory.dmpFilesize
9.9MB
-
memory/1336-31-0x0000000000000000-mapping.dmp
-
memory/1604-24-0x0000000000000000-mapping.dmp
-
memory/1740-11-0x0000000000000000-mapping.dmp
-
memory/1740-15-0x00000000028E0000-0x00000000028E4000-memory.dmpFilesize
16KB
-
memory/1744-0-0x00000000024D0000-0x00000000025D1000-memory.dmpFilesize
1.0MB
-
memory/1792-29-0x0000000000000000-mapping.dmp
-
memory/1820-2-0x0000000000000000-mapping.dmp
-
memory/1820-6-0x0000000002690000-0x0000000002694000-memory.dmpFilesize
16KB
-
memory/1824-28-0x0000000000000000-mapping.dmp
-
memory/1828-26-0x0000000000000000-mapping.dmp
-
memory/1860-25-0x0000000000000000-mapping.dmp
-
memory/1908-30-0x0000000000000000-mapping.dmp
-
memory/1920-39-0x000007FEF4D90000-0x000007FEF577C000-memory.dmpFilesize
9.9MB
-
memory/1920-38-0x0000000000000000-mapping.dmp
-
memory/1920-40-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/1920-41-0x000000001AD60000-0x000000001AD61000-memory.dmpFilesize
4KB
-
memory/1920-42-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/1920-43-0x00000000027D0000-0x00000000027D1000-memory.dmpFilesize
4KB
-
memory/1920-44-0x000000001AB30000-0x000000001AB31000-memory.dmpFilesize
4KB
-
memory/1920-47-0x000000001AC90000-0x000000001AC91000-memory.dmpFilesize
4KB
-
memory/1920-59-0x000000001AB60000-0x000000001AB61000-memory.dmpFilesize
4KB
-
memory/1920-60-0x000000001AB70000-0x000000001AB71000-memory.dmpFilesize
4KB
-
memory/2016-5-0x0000000000000000-mapping.dmp
-
memory/2020-9-0x0000000000000000-mapping.dmp