Analysis
- max time kernel: 107s
- max time network: 109s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 13:39

Static task: static1
Behavioral task: behavioral1
Sample: dotEXE1.exe
Resource: win10v20201028

Errors

General
- Target: dotEXE1.exe
- Size: 7.6MB
- MD5: 577594e40e94b665829e6e23c7fc8203
- SHA1: 0085845381c7d3f6bdb07a8281fdb7302f733577
- SHA256: 417ad511cc354f6391cc90451d8925ae8df9a0cb5808fa9bac0c2e91d3a243af
- SHA512: 5c7c4c646f87dee1d16cd5839b1e439d3d0d9c7e1c1808c480c113fa8b169ec7468b06341cfdfba9b08dfd836427514e41eb3410599d0f94a27ad29f3fa82c07

Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4364  s.exe
    2908  dotEXEPatcher.exe
    4644  dotEXE.exe

- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoCs)
  Enables rebooting of the machine without requiring login credentials.
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked (LogonUI.exe)

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (dotEXEPatcher.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (dotEXEPatcher.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (dotEXE.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (dotEXE.exe)

- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    4644  dotEXE.exe

- Checks whether UAC is enabled
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (dotEXEPatcher.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid, process):
    2908  dotEXEPatcher.exe

- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  Processes (pid, process):
    1184  tasklist.exe
    4880  tasklist.exe

- Modifies data under HKEY_USERS (15 IoCs)
  Processes (all entries: LogonUI.exe):
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"

- Modifies registry class (2 IoCs)
  Processes (all entries: dotEXE1.exe):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

- Suspicious behavior: EnumeratesProcesses (74 IoCs)
  Processes (pid, process; repeated entries collapsed):
    1184  tasklist.exe
    4644  dotEXE.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1184  tasklist.exe
    Token: SeDebugPrivilege  4880  tasklist.exe

- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes (pid, process; repeated entries collapsed):
    4704  dotEXE1.exe
    4504  javaw.exe
    2908  dotEXEPatcher.exe
    4644  dotEXE.exe
    3976  javaw.exe
    1412  LogonUI.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (repeated entries collapsed):
    PID 4364 (s.exe) wrote to memory of 3052 (javaw.exe)
    PID 3052 (javaw.exe) wrote to memory of 4504 (javaw.exe)
    PID 4504 (javaw.exe) wrote to memory of 1184 (tasklist.exe)
    PID 4504 (javaw.exe) wrote to memory of 2540 (javaw.exe)
    PID 2540 (javaw.exe) wrote to memory of 188 (javaw.exe)
    PID 2908 (dotEXEPatcher.exe) wrote to memory of 4644 (dotEXE.exe)
    PID 188 (javaw.exe) wrote to memory of 3976 (javaw.exe)
    PID 3976 (javaw.exe) wrote to memory of 4880 (tasklist.exe)

Processes

- C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

- C:\Users\Admin\Desktop\s.exe
  Command line: "C:\Users\Admin\Desktop\s.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xmx256m -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -jar "C:\Users\Admin\Desktop\s.exe"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -XX:+DisableAttachMechanism -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
      Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      - C:\Windows\SYSTEM32\tasklist.exe
        Command line: tasklist /V /FI "STATUS eq RUNNING" /FO CSV /NH
        Signatures: Enumerates processes with tasklist; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\.prostocraft\Updater.jar -copyPendingUpdate C:\Users\Admin\Desktop\s.exe
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
          Signatures: Suspicious use of WriteProcessMemory

          - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -XX:+DisableAttachMechanism -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
            Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

            - C:\Windows\SYSTEM32\tasklist.exe
              Command line: tasklist /V /FI "STATUS eq RUNNING" /FO CSV /NH
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\Desktop\dotEXEPatcher.exe
  Command line: "C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe
  Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\Desktop\dotEXE.exe
    Command line: "C:\Users\Admin\Desktop\dotEXE.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
  Signatures: Modifies WinLogon to allow AutoLogon; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
- C:\Users\Admin\.prostocraft\Updater.jar
- C:\Users\Admin\.prostocraft\logs\latest.log
- C:\Users\Admin\.prostocraft\pending-update.exe
- C:\Users\Admin\.prostocraft\settings.json
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
- C:\Users\Admin\Desktop\VenTaz.dll
- C:\Users\Admin\Desktop\dotEXE.exe
- C:\Users\Admin\Desktop\dotEXEPatcher.exe
- C:\Users\Admin\Desktop\s.exe
- \Users\Admin\Desktop\VenTaz.dll