Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 19:41
Static task: static1
Behavioral task: behavioral1
- Sample: CFDI__Manager__12365.exe
- Resource: win7v20201028
General
- Target: CFDI__Manager__12365.exe
- Size: 809KB
- MD5: 5b7c3ff3556606c67a61527f81579eee
- SHA1: 75299ed8a21eebe1b1969e065e80f02ad21d4267
- SHA256: 82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
- SHA512: 6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
Executes dropped EXE 3 IoCs
Processes: 75oy151k7_1.exe, cc9mwi9s.exe, g5e5akco9usg.exe
- PID 1196: 75oy151k7_1.exe
- PID 272: cc9mwi9s.exe
- PID 1376: g5e5akco9usg.exe
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Loads dropped DLL 3 IoCs
Processes: explorer.exe
- PID 1596: explorer.exe (listed 3 times)
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\75oy151k7.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\75oy151k7.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\75oy151k7.exe\"" (explorer.exe)
Checks whether UAC is enabled
Processes: CFDI__Manager__12365.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (CFDI__Manager__12365.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.09\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: CFDI__Manager__12365.exe, explorer.exe
- PID 904: CFDI__Manager__12365.exe
- PID 1596: explorer.exe (listed 11 times)
Suspicious use of SetThreadContext 2 IoCs
Processes: CFDI__Manager__12365.exe, 75oy151k7_1.exe
- PID 1904 set thread context of 904 (PID 1904 CFDI__Manager__12365.exe, target process CFDI__Manager__12365.exe)
- PID 1196 set thread context of 0 (PID 1196 75oy151k7_1.exe)
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, CFDI__Manager__12365.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (CFDI__Manager__12365.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (CFDI__Manager__12365.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
NTFS ADS 2 IoCs
Processes: explorer.exe
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\75oy151k7_1.exe:14EDFC78 (explorer.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\75oy151k7_1.exe:14EDFC78 (explorer.exe)
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes: explorer.exe
- PID 1596: explorer.exe (listed 15 times)
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: CFDI__Manager__12365.exe, explorer.exe
- PID 904: CFDI__Manager__12365.exe (listed 2 times)
- PID 1596: explorer.exe (listed 2 times)
Suspicious behavior: RenamesItself 1 IoCs
Processes: CFDI__Manager__12365.exe
- PID 904: CFDI__Manager__12365.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: CFDI__Manager__12365.exe, explorer.exe
- Token: SeDebugPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeRestorePrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeBackupPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeLoadDriverPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeCreatePagefilePrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeShutdownPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeTakeOwnershipPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeChangeNotifyPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeCreateTokenPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeMachineAccountPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeSecurityPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: SeCreateGlobalPrivilege (PID 904, CFDI__Manager__12365.exe)
- Token: 33 (PID 904, CFDI__Manager__12365.exe)
- Token: SeDebugPrivilege (PID 1596, explorer.exe)
- Token: SeRestorePrivilege (PID 1596, explorer.exe)
- Token: SeBackupPrivilege (PID 1596, explorer.exe)
- Token: SeLoadDriverPrivilege (PID 1596, explorer.exe)
- Token: SeCreatePagefilePrivilege (PID 1596, explorer.exe)
- Token: SeShutdownPrivilege (PID 1596, explorer.exe)
- Token: SeTakeOwnershipPrivilege (PID 1596, explorer.exe)
- Token: SeChangeNotifyPrivilege (PID 1596, explorer.exe)
- Token: SeCreateTokenPrivilege (PID 1596, explorer.exe)
- Token: SeMachineAccountPrivilege (PID 1596, explorer.exe)
- Token: SeSecurityPrivilege (PID 1596, explorer.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 1596, explorer.exe)
- Token: SeCreateGlobalPrivilege (PID 1596, explorer.exe)
- Token: 33 (PID 1596, explorer.exe)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: g5e5akco9usg.exe
- PID 1376: g5e5akco9usg.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: cc9mwi9s.exe
- PID 272: cc9mwi9s.exe
Suspicious use of WriteProcessMemory 46 IoCs
Processes: CFDI__Manager__12365.exe, CFDI__Manager__12365.exe, explorer.exe
- PID 1904 wrote to memory of 904 (PID 1904 CFDI__Manager__12365.exe, target process CFDI__Manager__12365.exe), listed 6 times
- PID 904 wrote to memory of 1596 (PID 904 CFDI__Manager__12365.exe, target process explorer.exe), listed 7 times
- PID 1596 wrote to memory of 1228 (PID 1596 explorer.exe, target process Dwm.exe), listed 6 times
- PID 1596 wrote to memory of 1268 (PID 1596 explorer.exe, target process Explorer.EXE), listed 6 times
- PID 1596 wrote to memory of 1196 (PID 1596 explorer.exe, target process 75oy151k7_1.exe), listed 7 times
- PID 1596 wrote to memory of 272 (PID 1596 explorer.exe, target process cc9mwi9s.exe), listed 7 times
- PID 1596 wrote to memory of 1376 (PID 1596 explorer.exe, target process g5e5akco9usg.exe), listed 7 times
Processes
- Process: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Process: C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe (command line: "C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Process: C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe (command line: "C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe")
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe)
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - Process: C:\Users\Admin\AppData\Local\Temp\75oy151k7_1.exe (command line: /suac)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        - Process: C:\Users\Admin\AppData\Local\Temp\cc9mwi9s.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cc9mwi9s.exe")
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - Process: C:\Users\Admin\AppData\Local\Temp\g5e5akco9usg.exe (command line: "C:\Users\Admin\AppData\Local\Temp\g5e5akco9usg.exe")
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
- Process: C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads