Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7v20201028
submitted: 10-03-2021 09:25
Static task: static1
Behavioral task: behavioral1
Sample: 3fad84ee18e4583656019ae08b317607.exe
Resource: win7v20201028
General
Target: 3fad84ee18e4583656019ae08b317607.exe
Size: 709KB
MD5: 3fad84ee18e4583656019ae08b317607
SHA1: fb719a92039d2892fc6a7d91de15454554215543
SHA256: 273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
SHA512: 496d0359641b844042af175ce4bda3801150af9ee720fad8d43a6a7cdf6ab4de96ac263525aa1c36dec89be71a71ce9f28b5a0017798b5c40ef8d2602bf66378
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
-
Executes dropped EXE 3 IoCs
Processes:
u5yo171gs9_1.exe, smgokaswoci577.exe, m79oi5c5sw79ysa.exe
pid | process
336 | u5yo171gs9_1.exe
1112 | smgokaswoci577.exe
1612 | m79oi5c5sw79ysa.exe
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
-
Loads dropped DLL 4 IoCs
Processes:
explorer.exe, m79oi5c5sw79ysa.exe
pid | process
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1612 | m79oi5c5sw79ysa.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\u5yo171gs9.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\u5yo171gs9.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\u5yo171gs9.exe" | explorer.exe
-
Checks whether UAC is enabled
Processes:
3fad84ee18e4583656019ae08b317607.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3fad84ee18e4583656019ae08b317607.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe, explorer.exe
pid | process
1240 | 3fad84ee18e4583656019ae08b317607.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe, u5yo171gs9_1.exe
description | pid | process | target process
PID 1340 set thread context of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 336 set thread context of 0 | 336 | u5yo171gs9_1.exe |
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
3fad84ee18e4583656019ae08b317607.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3fad84ee18e4583656019ae08b317607.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3fad84ee18e4583656019ae08b317607.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
-
Modifies Internet Explorer settings
Processes:
explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
-
NTFS ADS 2 IoCs
Processes:
explorer.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\u5yo171gs9_1.exe:14EDFC78 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\u5yo171gs9_1.exe:14EDFC78 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
explorer.exe
pid | process
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
1540 | explorer.exe
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe, explorer.exe
pid | process
1240 | 3fad84ee18e4583656019ae08b317607.exe
1240 | 3fad84ee18e4583656019ae08b317607.exe
1540 | explorer.exe
1540 | explorer.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe
pid | process
1240 | 3fad84ee18e4583656019ae08b317607.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeRestorePrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeBackupPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeLoadDriverPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeCreatePagefilePrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeShutdownPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeTakeOwnershipPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeChangeNotifyPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeCreateTokenPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeMachineAccountPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeSecurityPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeAssignPrimaryTokenPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeCreateGlobalPrivilege | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: 33 | 1240 | 3fad84ee18e4583656019ae08b317607.exe
Token: SeDebugPrivilege | 1540 | explorer.exe
Token: SeRestorePrivilege | 1540 | explorer.exe
Token: SeBackupPrivilege | 1540 | explorer.exe
Token: SeLoadDriverPrivilege | 1540 | explorer.exe
Token: SeCreatePagefilePrivilege | 1540 | explorer.exe
Token: SeShutdownPrivilege | 1540 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1540 | explorer.exe
Token: SeChangeNotifyPrivilege | 1540 | explorer.exe
Token: SeCreateTokenPrivilege | 1540 | explorer.exe
Token: SeMachineAccountPrivilege | 1540 | explorer.exe
Token: SeSecurityPrivilege | 1540 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1540 | explorer.exe
Token: SeCreateGlobalPrivilege | 1540 | explorer.exe
Token: 33 | 1540 | explorer.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
smgokaswoci577.exe
pid | process
1112 | smgokaswoci577.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
3fad84ee18e4583656019ae08b317607.exe, 3fad84ee18e4583656019ae08b317607.exe, explorer.exe
description | pid | process | target process
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1340 wrote to memory of 1240 | 1340 | 3fad84ee18e4583656019ae08b317607.exe | 3fad84ee18e4583656019ae08b317607.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1240 wrote to memory of 1540 | 1240 | 3fad84ee18e4583656019ae08b317607.exe | explorer.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1164 | 1540 | explorer.exe | Dwm.exe
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 1196 | 1540 | explorer.exe | Explorer.EXE
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 336 | 1540 | explorer.exe | u5yo171gs9_1.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1112 | 1540 | explorer.exe | smgokaswoci577.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
PID 1540 wrote to memory of 1612 | 1540 | explorer.exe | m79oi5c5sw79ysa.exe
Processes
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵
-
C:\Users\Admin\AppData\Local\Temp\3fad84ee18e4583656019ae08b317607.exe "C:\Users\Admin\AppData\Local\Temp\3fad84ee18e4583656019ae08b317607.exe" 2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3fad84ee18e4583656019ae08b317607.exe "C:\Users\Admin\AppData\Local\Temp\3fad84ee18e4583656019ae08b317607.exe" 3⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe 4⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u5yo171gs9_1.exe /suac 5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\smgokaswoci577.exe "C:\Users\Admin\AppData\Local\Temp\smgokaswoci577.exe" 5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\m79oi5c5sw79ysa.exe "C:\Users\Admin\AppData\Local\Temp\m79oi5c5sw79ysa.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads