Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 16:03
Behavioral task: behavioral1
Sample: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Resource: win7-en-20211104
General
- Target: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
- Size: 632KB
- MD5: fbff18a879c2a26601e5d4f366640ede
- SHA1: ef666c7d7ec1667b668ebf1c7e38876382da2fd0
- SHA256: 9e4037f440474202a6ddd5194a9dca8dbc2b9f51e399ec42a465ba98c7920912
- SHA512: 754cadb13884a49435bb01c32f4d30ee4ad595313a2c17efa1fc27094fe4f96cf9b46a8a3135de4d27ca9bc8d17044a99e79db7e0f963aaa76773fc0835bdd8f
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
Processes: is3mig73ma173_1.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | is3mig73ma173_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | is3mig73ma173_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | is3mig73ma173_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | is3mig73ma173_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
- Modifies security service (2 TTPs, 1 IoCs)
Processes: regedit.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath | regedit.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe | cryptone
- Disables taskbar notifications via registry modification
- Disables use of System Restore points (1 TTPs)
- Executes dropped EXE (1 IoCs)
Processes: is3mig73ma173_1.exe
pid | process
2564 | is3mig73ma173_1.exe
- Sets file execution options in registry (2 TTPs)
- Sets service image path in registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: regedit.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\is3mig73ma173.exe\"" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "C:\\ProgramData\\Google Updater 2.08\\is3mig73ma173.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\is3mig73ma173.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\is3mig73ma173.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | regedit.exe
- Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
Processes: is3mig73ma173_1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | is3mig73ma173_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | is3mig73ma173_1.exe
- Checks whether UAC is enabled
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, is3mig73ma173_1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | is3mig73ma173_1.exe
- Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.08\desktop.ini | explorer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, explorer.exe, is3mig73ma173_1.exe
pid | process
2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
3148 | explorer.exe
2564 | is3mig73ma173_1.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, explorer.exe, is3mig73ma173_1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | is3mig73ma173_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | is3mig73ma173_1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
- Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
- Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
- Modifies Internet Explorer settings
Processes: regedit.exe, explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager | regedit.exe
- NTFS ADS (2 IoCs)
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe:14F4FC7F | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe:14F4FC7F | explorer.exe
- Runs regedit.exe (1 IoCs)
Processes: regedit.exe
pid | process
1116 | regedit.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: explorer.exe
pid | process
3148 | explorer.exe (32 identical rows)
- Suspicious behavior: MapViewOfSection (4 IoCs)
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, is3mig73ma173_1.exe
pid | process
2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
2564 | is3mig73ma173_1.exe
2564 | is3mig73ma173_1.exe
- Suspicious behavior: RenamesItself (1 IoCs)
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
pid | process
2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
- Suspicious use of AdjustPrivilegeToken (60 IoCs)
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, explorer.exe, is3mig73ma173_1.exe, regedit.exe
description | pid | process
Token: SeDebugPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeRestorePrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeBackupPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeLoadDriverPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeCreatePagefilePrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeShutdownPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeTakeOwnershipPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeChangeNotifyPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeCreateTokenPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeMachineAccountPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeSecurityPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeAssignPrimaryTokenPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeCreateGlobalPrivilege | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: 33 | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Token: SeDebugPrivilege | 3148 | explorer.exe
Token: SeRestorePrivilege | 3148 | explorer.exe
Token: SeBackupPrivilege | 3148 | explorer.exe
Token: SeLoadDriverPrivilege | 3148 | explorer.exe
Token: SeCreatePagefilePrivilege | 3148 | explorer.exe
Token: SeShutdownPrivilege | 3148 | explorer.exe
Token: SeTakeOwnershipPrivilege | 3148 | explorer.exe
Token: SeChangeNotifyPrivilege | 3148 | explorer.exe
Token: SeCreateTokenPrivilege | 3148 | explorer.exe
Token: SeMachineAccountPrivilege | 3148 | explorer.exe
Token: SeSecurityPrivilege | 3148 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 3148 | explorer.exe
Token: SeCreateGlobalPrivilege | 3148 | explorer.exe
Token: 33 | 3148 | explorer.exe
Token: SeDebugPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeRestorePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeBackupPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeLoadDriverPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeShutdownPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeTakeOwnershipPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeChangeNotifyPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreateTokenPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeMachineAccountPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeSecurityPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeAssignPrimaryTokenPrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreateGlobalPrivilege | 2564 | is3mig73ma173_1.exe
Token: 33 | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeCreatePagefilePrivilege | 2564 | is3mig73ma173_1.exe
Token: SeDebugPrivilege | 1116 | regedit.exe
Token: SeRestorePrivilege | 1116 | regedit.exe
Token: SeBackupPrivilege | 1116 | regedit.exe
Token: SeLoadDriverPrivilege | 1116 | regedit.exe
Token: SeCreatePagefilePrivilege | 1116 | regedit.exe
Token: SeShutdownPrivilege | 1116 | regedit.exe
Token: SeTakeOwnershipPrivilege | 1116 | regedit.exe
Token: SeChangeNotifyPrivilege | 1116 | regedit.exe
Token: SeCreateTokenPrivilege | 1116 | regedit.exe
Token: SeMachineAccountPrivilege | 1116 | regedit.exe
Token: SeSecurityPrivilege | 1116 | regedit.exe
Token: SeAssignPrimaryTokenPrivilege | 1116 | regedit.exe
Token: SeCreateGlobalPrivilege | 1116 | regedit.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe, explorer.exe, is3mig73ma173_1.exe
description | pid | process | target process
PID 2452 wrote to memory of 3148 | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe | explorer.exe
PID 2452 wrote to memory of 3148 | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe | explorer.exe
PID 2452 wrote to memory of 3148 | 2452 | 9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe | explorer.exe
PID 3148 wrote to memory of 2564 | 3148 | explorer.exe | is3mig73ma173_1.exe
PID 3148 wrote to memory of 2564 | 3148 | explorer.exe | is3mig73ma173_1.exe
PID 3148 wrote to memory of 2564 | 3148 | explorer.exe | is3mig73ma173_1.exe
PID 2564 wrote to memory of 1116 | 2564 | is3mig73ma173_1.exe | regedit.exe
PID 2564 wrote to memory of 1116 | 2564 | is3mig73ma173_1.exe | regedit.exe
PID 2564 wrote to memory of 1116 | 2564 | is3mig73ma173_1.exe | regedit.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe"
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe
Command line: /suac
- Modifies firewall policy service
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\regedit.exe
Command line: "C:\Windows\SysWOW64\regedit.exe"
- Modifies security service
- Adds Run key to start application
- Modifies Internet Explorer settings
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\is3mig73ma173_1.exe
MD5: fbff18a879c2a26601e5d4f366640ede
SHA1: ef666c7d7ec1667b668ebf1c7e38876382da2fd0
SHA256: 9e4037f440474202a6ddd5194a9dca8dbc2b9f51e399ec42a465ba98c7920912
SHA512: 754cadb13884a49435bb01c32f4d30ee4ad595313a2c17efa1fc27094fe4f96cf9b46a8a3135de4d27ca9bc8d17044a99e79db7e0f963aaa76773fc0835bdd8f