Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    70s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 19:24

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: LdmmWU9wdcfM7fZaaclYCCu3xyg3UKEwI4eRAGn0Qwoof5xqHy9Q3hhNC5q477rpNjETRwuMA+2qEQCKUzBzmgDljmGUtmOcLFCqvdUbNUGO6iY7IMRgpAmgGnV4cIqofIU7TWzucra8UecV86wPRFTLEmj8OUSBuU1NgGBZnRDnbN+ZaJdl3vBy+Yp1KCsWNhoPKSWAC+exMWrrsd1uIyJAtW4itL1kWuhwE773CiMIAUTTNWpJSONDlCoc8d4CBThkZrLh4pjuCn9K2qP9xKEPPdl9IJ9LZMPN21wgQ+wHHPcKogfSZNwPzDuhZeKfCyv62PLrgK1+0ZTAP4y7E4Qj0SUcMsUwwoJmTBjBaz5SwNoaMIk3oEo/Xu1bSyO14WmMyMO4B4jlFTEFKZZpyS8T5LM+Tj/KvBdzpAQ6MfPslEGlFiYr5gakLgkx6DZCtsyC9S/XOMo39dKtQYpMJaA+GrcrK7iL+4BVPmASlIE2I2/+fgu0qGsqDTEk+WewgB7v+oiareMb9TwpKXG6B9cudHm5pfHRgCClJYd9sPpQhGF1fI42DU14ibwLz6M7isKFn+x7PprXMOSRxbtpfldANAiUaC9y0wsezGntGtm3xChuNKFD0P3fBNTQM+DTodmX0bAfBln1TGVAMMMoj+qm6scVls/ZK0BZAbKe85g= Number of files that were processed is: 1218

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24328 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 118 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:4128
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
        2⤵
          PID:3468
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
            PID:3568
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SstpSvc start= disabled
            2⤵
              PID:3824
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4244
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4280
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SQLWriter start= disabled
              2⤵
                PID:3560
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4300
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:712
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4192
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4432
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4052
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:380
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4524
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:528
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:636
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1436
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1620
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1876
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2608
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2380
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2116
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2676
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:216
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1396
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:4356
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4596
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2268
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3920
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1616
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4212
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4296
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4228
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:828
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3656
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3896
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:208
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4624
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4376
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3620
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:664
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  3⤵
                    PID:4356
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM mysqld-nt.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5136
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM mysqld-opt.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5216
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM ocautoupds.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5320
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM wordpad.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5180
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM ocssd.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5380
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM oracle.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5416
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlagent.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5504
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlbrowser.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5536
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlservr.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5680
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM synctime.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5708
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5740
                • C:\Windows\System32\notepad.exe
                  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                  2⤵
                  • Opens file in notepad (likely ransom note)
                  PID:6452
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                  2⤵
                    PID:6464
                    • C:\Windows\system32\PING.EXE
                      ping 127.0.0.7 -n 3
                      3⤵
                      • Runs ping.exe
                      PID:4976
                    • C:\Windows\system32\fsutil.exe
                      fsutil file setZeroData offset=0 length=524288 “%s”
                      3⤵
                        PID:5932
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                      2⤵
                        PID:6516
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                          3⤵
                            PID:6036

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        MD5

                        c6b0a774fa56e0169ed7bb7b25c114dd

                        SHA1

                        bcdba7d4ecfff2180510850e585b44691ea81ba5

                        SHA256

                        b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

                        SHA512

                        42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        MD5

                        93d96cb2aa88e65c7ff6b8856eef08a7

                        SHA1

                        db2979d08e784e750ec7dc860205f7a5be10b4fc

                        SHA256

                        8d11f3a63f12ef8a3fb1bca920508f8d6ef6f3220f6d10b40c47ac2ad48d7e71

                        SHA512

                        5135293950b2bcac9e86fe8200610b296f3dc19c010bb596ff1a76a7f4fe4b7cae7f39b06a2c8944c864b396866e6db117f83dfaa0b4dd773b9b0e068be9d2de

                      • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                        MD5

                        70d3a5e987a572d3211bd400392442b1

                        SHA1

                        b2b2ab288b3490d32a29d9d36f17c3ac46536e61

                        SHA256

                        59b2a711e320ba503e5a0c78fbdc0de7bd963c206b418ae8ce084e57ed76cf9c

                        SHA512

                        b90910c46ccc59edda8597dddfc8dab169ef02e50a6a3faf4ed98349f0b636a46693b15dacd899982fd71bb4f91eee9a2bcd238d1d6b715857b2f0b2481d13ec

                      • memory/208-43-0x0000000000000000-mapping.dmp
                      • memory/216-29-0x0000000000000000-mapping.dmp
                      • memory/380-18-0x0000000000000000-mapping.dmp
                      • memory/528-20-0x0000000000000000-mapping.dmp
                      • memory/636-21-0x0000000000000000-mapping.dmp
                      • memory/664-47-0x0000000000000000-mapping.dmp
                      • memory/712-14-0x0000000000000000-mapping.dmp
                      • memory/828-40-0x0000000000000000-mapping.dmp
                      • memory/1396-30-0x0000000000000000-mapping.dmp
                      • memory/1436-22-0x0000000000000000-mapping.dmp
                      • memory/1616-35-0x0000000000000000-mapping.dmp
                      • memory/1620-23-0x0000000000000000-mapping.dmp
                      • memory/1876-24-0x0000000000000000-mapping.dmp
                      • memory/2116-27-0x0000000000000000-mapping.dmp
                      • memory/2268-33-0x0000000000000000-mapping.dmp
                      • memory/2364-38-0x0000000000000000-mapping.dmp
                      • memory/2380-25-0x0000000000000000-mapping.dmp
                      • memory/2608-26-0x0000000000000000-mapping.dmp
                      • memory/2676-28-0x0000000000000000-mapping.dmp
                      • memory/3468-6-0x0000000000000000-mapping.dmp
                      • memory/3560-8-0x0000000000000000-mapping.dmp
                      • memory/3568-7-0x0000000000000000-mapping.dmp
                      • memory/3620-46-0x0000000000000000-mapping.dmp
                      • memory/3656-41-0x0000000000000000-mapping.dmp
                      • memory/3824-9-0x0000000000000000-mapping.dmp
                      • memory/3896-42-0x0000000000000000-mapping.dmp
                      • memory/3920-34-0x0000000000000000-mapping.dmp
                      • memory/4052-17-0x0000000000000000-mapping.dmp
                      • memory/4128-5-0x0000000000000000-mapping.dmp
                      • memory/4192-15-0x0000000000000000-mapping.dmp
                      • memory/4212-36-0x0000000000000000-mapping.dmp
                      • memory/4228-39-0x0000000000000000-mapping.dmp
                      • memory/4244-11-0x0000000000000000-mapping.dmp
                      • memory/4280-12-0x0000000000000000-mapping.dmp
                      • memory/4296-37-0x0000000000000000-mapping.dmp
                      • memory/4300-13-0x0000000000000000-mapping.dmp
                      • memory/4356-31-0x0000000000000000-mapping.dmp
                      • memory/4376-45-0x0000000000000000-mapping.dmp
                      • memory/4432-16-0x0000000000000000-mapping.dmp
                      • memory/4524-19-0x0000000000000000-mapping.dmp
                      • memory/4596-32-0x0000000000000000-mapping.dmp
                      • memory/4624-44-0x0000000000000000-mapping.dmp
                      • memory/4816-2-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp
                        Filesize

                        9.9MB

                      • memory/4816-10-0x000000001B0C0000-0x000000001B0C2000-memory.dmp
                        Filesize

                        8KB

                      • memory/4816-3-0x0000000000370000-0x0000000000371000-memory.dmp
                        Filesize

                        4KB

                      • memory/4976-70-0x0000000000000000-mapping.dmp
                      • memory/5136-48-0x0000000000000000-mapping.dmp
                      • memory/5180-49-0x0000000000000000-mapping.dmp
                      • memory/5216-50-0x0000000000000000-mapping.dmp
                      • memory/5320-51-0x0000000000000000-mapping.dmp
                      • memory/5380-52-0x0000000000000000-mapping.dmp
                      • memory/5416-53-0x0000000000000000-mapping.dmp
                      • memory/5504-54-0x0000000000000000-mapping.dmp
                      • memory/5536-55-0x0000000000000000-mapping.dmp
                      • memory/5680-56-0x0000000000000000-mapping.dmp
                      • memory/5708-57-0x0000000000000000-mapping.dmp
                      • memory/5740-64-0x000002CCB98D3000-0x000002CCB98D5000-memory.dmp
                        Filesize

                        8KB

                      • memory/5740-60-0x000002CCA11F0000-0x000002CCA11F1000-memory.dmp
                        Filesize

                        4KB

                      • memory/5740-63-0x000002CCB98D6000-0x000002CCB98D8000-memory.dmp
                        Filesize

                        8KB

                      • memory/5740-59-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp
                        Filesize

                        9.9MB

                      • memory/5740-62-0x000002CCB98D0000-0x000002CCB98D2000-memory.dmp
                        Filesize

                        8KB

                      • memory/5740-61-0x000002CCBC240000-0x000002CCBC241000-memory.dmp
                        Filesize

                        4KB

                      • memory/5740-58-0x0000000000000000-mapping.dmp
                      • memory/5932-73-0x0000000000000000-mapping.dmp
                      • memory/6036-72-0x0000000000000000-mapping.dmp
                      • memory/6452-67-0x0000000000000000-mapping.dmp
                      • memory/6464-68-0x0000000000000000-mapping.dmp
                      • memory/6516-69-0x0000000000000000-mapping.dmp