Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7v20201028
submitted: 10-03-2021 10:35
Static task: static1
Behavioral task: behavioral1
Sample: Documento--SII--33875.bin.exe
Resource: win7v20201028
General
Target: Documento--SII--33875.bin.exe
Size: 833KB
MD5: 2ced2c14eece71c72c5e45e8a607bb4c
SHA1: 13a700a297a7e5697d69bb743c3b256ac10a14e2
SHA256: 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
SHA512: 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
-
Executes dropped EXE 3 IoCs
Processes: 3ce9om5c3u5_1.exe, 1aek5ikgy73.exe, ki7ym5c7i7ym.exe
  PID 1536 3ce9om5c3u5_1.exe
  PID 692 1aek5ikgy73.exe
  PID 908 ki7ym5c7i7ym.exe
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
-
Loads dropped DLL 4 IoCs
Processes: explorer.exe, ki7ym5c7i7ym.exe
  PID 2040 explorer.exe (×3)
  PID 908 ki7ym5c7i7ym.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe\"" (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe" (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe\"" (explorer.exe)
-
Checks whether UAC is enabled
Processes: Documento--SII--33875.bin.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Documento--SII--33875.bin.exe)
-
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
  File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: Documento--SII--33875.bin.exe, explorer.exe
  PID 1940 Documento--SII--33875.bin.exe
  PID 2040 explorer.exe (×11)
-
Suspicious use of SetThreadContext 2 IoCs
Processes: Documento--SII--33875.bin.exe, 3ce9om5c3u5_1.exe
  PID 1616 set thread context of 1940 (process: 1616 Documento--SII--33875.bin.exe, target process: Documento--SII--33875.bin.exe)
  PID 1536 set thread context of 0 (process: 1536 3ce9om5c3u5_1.exe)
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Documento--SII--33875.bin.exe, explorer.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Documento--SII--33875.bin.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Documento--SII--33875.bin.exe)
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
-
Modifies Internet Explorer settings
Processes: explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
-
NTFS ADS 2 IoCs
Processes: explorer.exe
  File opened for modification C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe:14EDFC78 (explorer.exe)
  File created C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe:14EDFC78 (explorer.exe)
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: explorer.exe
  PID 2040 explorer.exe (×14)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Documento--SII--33875.bin.exe, explorer.exe
  PID 1940 Documento--SII--33875.bin.exe (×2)
  PID 2040 explorer.exe (×3)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: Documento--SII--33875.bin.exe
  PID 1940 Documento--SII--33875.bin.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: Documento--SII--33875.bin.exe, explorer.exe
  PID 1940 Documento--SII--33875.bin.exe, Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  PID 2040 explorer.exe, Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 1aek5ikgy73.exe
  PID 692 1aek5ikgy73.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes: Documento--SII--33875.bin.exe, Documento--SII--33875.bin.exe, explorer.exe
  PID 1616 wrote to memory of 1940 (process: 1616 Documento--SII--33875.bin.exe, target process: Documento--SII--33875.bin.exe) (×6)
  PID 1940 wrote to memory of 2040 (process: 1940 Documento--SII--33875.bin.exe, target process: explorer.exe) (×7)
  PID 2040 wrote to memory of 1208 (process: 2040 explorer.exe, target process: Dwm.exe) (×6)
  PID 2040 wrote to memory of 1272 (process: 2040 explorer.exe, target process: Explorer.EXE) (×6)
  PID 2040 wrote to memory of 1088 (process: 2040 explorer.exe, target process: DllHost.exe) (×6)
  PID 2040 wrote to memory of 1536 (process: 2040 explorer.exe, target process: 3ce9om5c3u5_1.exe) (×7)
  PID 2040 wrote to memory of 692 (process: 2040 explorer.exe, target process: 1aek5ikgy73.exe) (×7)
  PID 2040 wrote to memory of 908 (process: 2040 explorer.exe, target process: ki7ym5c7i7ym.exe) (×7)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe
          Command line: /suac
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe"
          - Executes dropped EXE
          - Loads dropped DLL
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads