Analysis
-
max time kernel
119s
-
max time network
118s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
09-11-2020 20:17
Static task
static1
Behavioral task
behavioral1
Sample
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Resource
win10v20201028
General
-
Target
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
-
Size
94KB
-
MD5
339da8fcce98e2165a73e2f22e42b4ff
-
SHA1
e06ae91d935d95db3cffaf168836b875cea541bf
-
SHA256
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3
-
SHA512
bc61737e3f2c547a193665106a482e4573e593551b27b3a6cdad6a3f8215146d71a90ecb763cac916dfbb55e9c5f5aa01c9887293fd5f2e14a795c26ccfbb2b3
Malware Config
Extracted
C:\Users\Public\Libraries\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\ProgramData\Microsoft\Windows Security Health\Logs\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Users\Admin\Music\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\ProgramData\Microsoft\User Account Pictures\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\1B68F-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
resource | yara_rule
behavioral2/memory/4756-1-0x0000000001380000-0x000000000139B000-memory.dmp | netwalker_ransomware
behavioral2/memory/368-2-0x0000000003700000-0x000000000371B000-memory.dmp | netwalker_ransomware
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
explorer.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ExportConvertTo.tiff | explorer.exe
File opened for modification | C:\Users\Admin\Pictures\ConnectStart.tiff | explorer.exe
File opened for modification | C:\Users\Admin\Pictures\ImportConvertTo.tiff | explorer.exe
File opened for modification | C:\Users\Admin\Pictures\FindMove.tiff | explorer.exe
-
Deletes itself 1 IoCs
Processes:
explorer.exe
pid | process
368 | explorer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1b68f3c6 = "C:\\Program Files (x86)\\1b68f3c6\\1b68f3c6.exe" | explorer.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
description | pid | process | target process
PID 4756 set thread context of 368 | 4756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
-
Drops file in Program Files directory 17189 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, vssadmin.exe
pid | process
4260 | vssadmin.exe
8376 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 23522 IoCs
Processes:
explorer.exe, explorer.exe
pid | process
368 | explorer.exe
2812 | explorer.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe, explorer.exe
pid | process
4756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
368 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
explorer.exe, vssvc.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 2812 | explorer.exe
Token: SeBackupPrivilege | 3868 | vssvc.exe
Token: SeRestorePrivilege | 3868 | vssvc.exe
Token: SeAuditPrivilege | 3868 | vssvc.exe
Token: SeDebugPrivilege | 368 | explorer.exe
Token: SeImpersonatePrivilege | 368 | explorer.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe, explorer.exe, explorer.exe
description | pid | process | target process
PID 4756 wrote to memory of 368 | 4756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
PID 4756 wrote to memory of 368 | 4756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
PID 4756 wrote to memory of 368 | 4756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
PID 368 wrote to memory of 2812 | 368 | explorer.exe | explorer.exe
PID 368 wrote to memory of 2812 | 368 | explorer.exe | explorer.exe
PID 368 wrote to memory of 2812 | 368 | explorer.exe | explorer.exe
PID 2812 wrote to memory of 4260 | 2812 | explorer.exe | vssadmin.exe
PID 2812 wrote to memory of 4260 | 2812 | explorer.exe | vssadmin.exe
PID 368 wrote to memory of 7164 | 368 | explorer.exe | notepad.exe
PID 368 wrote to memory of 7164 | 368 | explorer.exe | notepad.exe
PID 368 wrote to memory of 7164 | 368 | explorer.exe | notepad.exe
PID 368 wrote to memory of 8376 | 368 | explorer.exe | vssadmin.exe
PID 368 wrote to memory of 8376 | 368 | explorer.exe | vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\explorer.exe
  Command line: "C:\Windows\system32\explorer.exe"
  - Modifies extensions of user files
  - Deletes itself
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
    -
    C:\Windows\SysWOW64\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1B68F-Readme.txt"
    -
    C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\1B68F-Readme.txt
MD5
e051bcffb4d45e7480325f6dcef381be
SHA1
6398ee544a7a60c9e2ac4197b4d78712f226b5b6
SHA256
a32e8b304d968c767023eba5712a554af7b429d360419453100ff69ba813103a
SHA512
fabc29ccccb39e22311d2f33ccc67c6754ff1a0d3bab25929cc30481c395c50816988c6ced1b44d9d17870a190f91632628a759e7d56e499fbdafb4ee7212e93
-
memory/368-0-0x0000000000000000-mapping.dmp
-
memory/368-2-0x0000000003700000-0x000000000371B000-memory.dmp
Filesize
108KB
-
memory/2812-3-0x0000000000000000-mapping.dmp
-
memory/4260-4-0x0000000000000000-mapping.dmp
-
memory/4756-1-0x0000000001380000-0x000000000139B000-memory.dmp
Filesize
108KB
-
memory/7164-6-0x0000000000000000-mapping.dmp
-
memory/8376-7-0x0000000000000000-mapping.dmp