Analysis
max time kernel: 141s
max time network: 140s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: Inv_36571_VIC_Pty_Ltd.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Inv_36571_VIC_Pty_Ltd.exe
  Resource: win10v20201028
General
Target: Inv_36571_VIC_Pty_Ltd.exe
Size: 580KB
MD5: 5b1363c3b88bd52a0f4044b51c0791d8
SHA1: 3b1b46eb883c1b79e403e12c3157b6423f13af07
SHA256: 04b5f5af6b41722e400498a6540445cfcc1c056b328401eb662fb4d29ee02a5d
SHA512: 1370e1814663c433cb6c8b69b382e6ac1da1b55ca56aed1b9575d19957b32bd5d2b7835cbf6105e4ec8f2a8acd335dcea0697db123068c7e635b35a087117bd0
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
1860 | opera.exe
2956 | ptfile.exe
3280 | opera.exe
4664 | ptfile.exe
192 | opera.exe
4728 | ptfile.exe
5032 | opera.exe
3200 | ptfile.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/4808-11-0x00000000069A0000-0x00000000069C1000-memory.dmp | agile_net
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\opera.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
4808 | Inv_36571_VIC_Pty_Ltd.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4808 | Inv_36571_VIC_Pty_Ltd.exe
Token: SeDebugPrivilege | 652 | ptfile.exe
Token: SeDebugPrivilege | 1860 | opera.exe
Token: SeDebugPrivilege | 2956 | ptfile.exe
Token: SeDebugPrivilege | 3280 | opera.exe
Token: SeDebugPrivilege | 4664 | ptfile.exe
Token: SeDebugPrivilege | 192 | opera.exe
Token: SeDebugPrivilege | 4728 | ptfile.exe
Token: SeDebugPrivilege | 5032 | opera.exe
Token: SeDebugPrivilege | 3200 | ptfile.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | process | target process
PID 4808 wrote to memory of 540 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | cmd.exe
PID 4808 wrote to memory of 540 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | cmd.exe
PID 4808 wrote to memory of 540 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | cmd.exe
PID 540 wrote to memory of 892 | 540 | cmd.exe | reg.exe
PID 540 wrote to memory of 892 | 540 | cmd.exe | reg.exe
PID 540 wrote to memory of 892 | 540 | cmd.exe | reg.exe
PID 4808 wrote to memory of 652 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | ptfile.exe
PID 4808 wrote to memory of 652 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | ptfile.exe
PID 4808 wrote to memory of 652 | 4808 | Inv_36571_VIC_Pty_Ltd.exe | ptfile.exe
PID 652 wrote to memory of 1860 | 652 | ptfile.exe | opera.exe
PID 652 wrote to memory of 1860 | 652 | ptfile.exe | opera.exe
PID 652 wrote to memory of 1860 | 652 | ptfile.exe | opera.exe
PID 1860 wrote to memory of 2956 | 1860 | opera.exe | ptfile.exe
PID 1860 wrote to memory of 2956 | 1860 | opera.exe | ptfile.exe
PID 1860 wrote to memory of 2956 | 1860 | opera.exe | ptfile.exe
PID 2956 wrote to memory of 3280 | 2956 | ptfile.exe | opera.exe
PID 2956 wrote to memory of 3280 | 2956 | ptfile.exe | opera.exe
PID 2956 wrote to memory of 3280 | 2956 | ptfile.exe | opera.exe
PID 3280 wrote to memory of 4664 | 3280 | opera.exe | ptfile.exe
PID 3280 wrote to memory of 4664 | 3280 | opera.exe | ptfile.exe
PID 3280 wrote to memory of 4664 | 3280 | opera.exe | ptfile.exe
PID 4664 wrote to memory of 192 | 4664 | ptfile.exe | opera.exe
PID 4664 wrote to memory of 192 | 4664 | ptfile.exe | opera.exe
PID 4664 wrote to memory of 192 | 4664 | ptfile.exe | opera.exe
PID 192 wrote to memory of 4728 | 192 | opera.exe | ptfile.exe
PID 192 wrote to memory of 4728 | 192 | opera.exe | ptfile.exe
PID 192 wrote to memory of 4728 | 192 | opera.exe | ptfile.exe
PID 4728 wrote to memory of 5032 | 4728 | ptfile.exe | opera.exe
PID 4728 wrote to memory of 5032 | 4728 | ptfile.exe | opera.exe
PID 4728 wrote to memory of 5032 | 4728 | ptfile.exe | opera.exe
PID 5032 wrote to memory of 3200 | 5032 | opera.exe | ptfile.exe
PID 5032 wrote to memory of 3200 | 5032 | opera.exe | ptfile.exe
PID 5032 wrote to memory of 3200 | 5032 | opera.exe | ptfile.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Inv_36571_VIC_Pty_Ltd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inv_36571_VIC_Pty_Ltd.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "chrome" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\reg.exe (depth 3)
  Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "chrome" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Adds Run key to start application
- C:\Users\Admin\AppData\Local\Temp\ptfile.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\opera.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\ptfile.exe (depth 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\opera.exe (depth 5)
  Command line: "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\ptfile.exe (depth 6)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\opera.exe (depth 7)
  Command line: "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\ptfile.exe (depth 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\opera.exe (depth 9)
  Command line: "C:\Users\Admin\AppData\Roaming\opera.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\ptfile.exe (depth 10)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads