Analysis
-
max time kernel
84s
-
max time network
82s
-
platform
windows7_x64
-
resource
win7-20220715-en
-
resource tags
arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
-
submitted
31-07-2022 09:57
Static task
static1
Behavioral task
behavioral1
Sample
5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
Resource
win10v2004-20220722-en
General
-
Target
5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
-
Size
791KB
-
MD5
39ffa3dd5db6edf0f208d118be8cb64a
-
SHA1
f523071595fc01b6134f961a9f6760636d1c64d1
-
SHA256
5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a
-
SHA512
7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1636  install.exe
768   install.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1636  install.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Installer = "C:\\Users\\Admin\\AppData\\Roaming\\install.exe -boot"  install.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     bot.whatismyipaddress.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid   process      target process
PID 1636 set thread context of 768  1636  install.exe  install.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1856  5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
1636  install.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1856  5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
Token: SeDebugPrivilege  1636  install.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
"C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe" "C:\Users\Admin\AppData\Roaming\install.exe"
-
  C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\install.exe"
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\install.exe
  "C:\Users\Admin\AppData\Roaming\install.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\install.exe
    "C:\Users\Admin\AppData\Roaming\install.exe"
    - Executes dropped EXE
    - Sets file execution options in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\install.exe
Filesize
791KB
MD5
39ffa3dd5db6edf0f208d118be8cb64a
SHA1
f523071595fc01b6134f961a9f6760636d1c64d1
SHA256
5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a
SHA512
7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc