Analysis
-
max time kernel
149s -
max time network
179s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06-08-2021 17:22
Static task
static1
Behavioral task
behavioral1
Sample
FX-Transfer-Form.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
FX-Transfer-Form.xlsx
Resource
win10v20210410
General
-
Target
FX-Transfer-Form.xlsx
-
Size
1.5MB
-
MD5
31b142cebbf97b880ead6a2dc3f415e2
-
SHA1
b8b33c7492e0c6a25b2677f1126663d06a91fc2c
-
SHA256
4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec
-
SHA512
0d4863b7184165fffa02a6bf10a5c157ed8246774cc5da7d9013d8bf448df123abaedbdf2260913b64ca52804190472fbabc483ccffc1b3cc485010d7234e325
Malware Config
Extracted
xloader
2.3
6mam
http://www.mobiessence.com/6mam/
gxduoke.com
lawmetricssolicitors.com
e-bizbox.com
ilovemehoodie.com
marcuslafond.com
bransolute.com
kuppers.info
kykyryky.art
vavasoo.com
tlamj.com
besport24.com
hibachiexpressnctogo.com
elglink99.com
maximos.world
uniamaa.com
aladinfarma.com
opticatervisof.com
delhibudokankarate.com
juliekifyukstyle.com
fuzhourexian.com
qvcrx.com
trendyheld.com
hanasugisaki.com
mylifeinpark.com
importexportasia.com
paypalticket5396173.info
threatprotection.net
mayartpaints.com
miamiqueensdress.com
designtomade.com
apacshift.support
candlewooddmc.com
riveraitc.com
adenxsdesign.com
fanbase.fan
beastninjas.com
shkanghong.com
f9fui8.xyz
bgpetty.com
ryderevanrobisonstudio.com
dragonshipping.com
schoolfrontoffice.com
mypursuitpodcast.com
moneyfollowsaction.com
blueline-productions.co.uk
munnarorganics.com
bagyat.com
scientiaxliv.com
genesysshop.com
freehypnosisevent.com
amazebrowser.com
coicplat.com
annettebrownlee.com
hangrylocal.com
titanusedcarsworth.com
geekotronic.com
microwgreens.com
cannamalism.com
at-academy.com
envirotechpropertiesltd.com
ramseybusinessinstitute.info
sublos.com
kilbyrnefarm.com
expressnailsspa.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1380-82-0x0000000000000000-mapping.dmp xloader behavioral1/memory/1380-91-0x0000000010410000-0x0000000010439000-memory.dmp xloader behavioral1/memory/1164-98-0x00000000000D0000-0x00000000000F9000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 1 IoCs
Processes:
msiexec.exedescription ioc process Key created \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run msiexec.exe -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 6 1256 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
vbc.exepid process 1744 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1256 EQNEDT32.EXE 1256 EQNEDT32.EXE 1256 EQNEDT32.EXE 1256 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
vbc.exemsiexec.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuvajut = "C:\\Users\\Public\\Libraries\\tujavuF.url" vbc.exe Key created \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNUDU = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" msiexec.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ieinstal.exemsiexec.exedescription pid process target process PID 1380 set thread context of 1208 1380 ieinstal.exe Explorer.EXE PID 1164 set thread context of 1208 1164 msiexec.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE -
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1648 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
ieinstal.exemsiexec.exepid process 1380 ieinstal.exe 1380 ieinstal.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe 1164 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
ieinstal.exemsiexec.exepid process 1380 ieinstal.exe 1380 ieinstal.exe 1380 ieinstal.exe 1164 msiexec.exe 1164 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
ieinstal.exeExplorer.EXEmsiexec.exedescription pid process Token: SeDebugPrivilege 1380 ieinstal.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeDebugPrivilege 1164 msiexec.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
EQNEDT32.EXEvbc.execmd.execmd.exeExplorer.EXEcmd.exedescription pid process target process PID 1256 wrote to memory of 1744 1256 EQNEDT32.EXE vbc.exe PID 1256 wrote to memory of 1744 1256 EQNEDT32.EXE vbc.exe PID 1256 wrote to memory of 1744 1256 EQNEDT32.EXE vbc.exe PID 1256 wrote to memory of 1744 1256 EQNEDT32.EXE vbc.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1380 1744 vbc.exe ieinstal.exe PID 1744 wrote to memory of 1168 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1168 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1168 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1168 1744 vbc.exe cmd.exe PID 1168 wrote to memory of 1576 1168 cmd.exe cmd.exe PID 1168 wrote to memory of 1576 1168 cmd.exe cmd.exe PID 1168 wrote to memory of 1576 1168 cmd.exe cmd.exe PID 1168 wrote to memory of 1576 1168 cmd.exe cmd.exe PID 1576 wrote to memory of 1768 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1768 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1768 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1768 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1724 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1724 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1724 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1724 1576 cmd.exe reg.exe PID 1576 wrote to memory of 1708 1576 cmd.exe schtasks.exe PID 1576 wrote to memory of 1708 1576 cmd.exe schtasks.exe PID 1576 wrote to memory of 1708 1576 cmd.exe schtasks.exe PID 1576 wrote to memory of 1708 1576 cmd.exe schtasks.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1208 wrote to memory of 1164 1208 Explorer.EXE msiexec.exe PID 1744 wrote to memory of 1876 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1876 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1876 1744 vbc.exe cmd.exe PID 1744 wrote to memory of 1876 1744 vbc.exe cmd.exe PID 1876 wrote to memory of 1680 1876 cmd.exe reg.exe PID 1876 wrote to memory of 1680 1876 cmd.exe reg.exe PID 1876 wrote to memory of 1680 1876 cmd.exe reg.exe PID 1876 wrote to memory of 1680 1876 cmd.exe reg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\FX-Transfer-Form.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Trast.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\nest.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f4⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Trast.batMD5
4068c9f69fcd8a171c67f81d4a952a54
SHA14d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA25624222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.batMD5
eaf8d967454c3bbddbf2e05a421411f8
SHA16170880409b24de75c2dc3d56a506fbff7f6622c
SHA256f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.batMD5
8ada51400b7915de2124baaf75e3414c
SHA11a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA25645aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA5129afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
C:\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
C:\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
\Users\Public\vbc.exeMD5
442d2d8a7820a1c0c0ba418476d67fb0
SHA197ce48bc5177efca1214d82aec85049373fe4671
SHA256be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
SHA5121251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9
-
memory/1164-97-0x0000000000E70000-0x0000000000E84000-memory.dmpFilesize
80KB
-
memory/1164-98-0x00000000000D0000-0x00000000000F9000-memory.dmpFilesize
164KB
-
memory/1164-95-0x0000000000000000-mapping.dmp
-
memory/1164-99-0x0000000002290000-0x0000000002593000-memory.dmpFilesize
3.0MB
-
memory/1164-101-0x0000000000AD0000-0x0000000000B60000-memory.dmpFilesize
576KB
-
memory/1168-83-0x0000000000000000-mapping.dmp
-
memory/1208-94-0x0000000007340000-0x000000000749B000-memory.dmpFilesize
1.4MB
-
memory/1208-104-0x00000000074A0000-0x000000000761A000-memory.dmpFilesize
1.5MB
-
memory/1256-63-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB
-
memory/1380-93-0x0000000000410000-0x0000000000421000-memory.dmpFilesize
68KB
-
memory/1380-90-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1380-92-0x00000000021A0000-0x00000000024A3000-memory.dmpFilesize
3.0MB
-
memory/1380-82-0x0000000000000000-mapping.dmp
-
memory/1380-91-0x0000000010410000-0x0000000010439000-memory.dmpFilesize
164KB
-
memory/1576-85-0x0000000000000000-mapping.dmp
-
memory/1648-105-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1648-61-0x00000000716D1000-0x00000000716D3000-memory.dmpFilesize
8KB
-
memory/1648-80-0x0000000006270000-0x0000000006EBA000-memory.dmpFilesize
12.3MB
-
memory/1648-60-0x000000002F661000-0x000000002F664000-memory.dmpFilesize
12KB
-
memory/1648-76-0x0000000006270000-0x0000000006EBA000-memory.dmpFilesize
12.3MB
-
memory/1648-78-0x0000000006270000-0x0000000006EBA000-memory.dmpFilesize
12.3MB
-
memory/1648-79-0x0000000006270000-0x0000000006EBA000-memory.dmpFilesize
12.3MB
-
memory/1648-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1648-77-0x0000000006270000-0x0000000006EBA000-memory.dmpFilesize
12.3MB
-
memory/1680-103-0x0000000000000000-mapping.dmp
-
memory/1708-89-0x0000000000000000-mapping.dmp
-
memory/1724-88-0x0000000000000000-mapping.dmp
-
memory/1744-68-0x0000000000000000-mapping.dmp
-
memory/1744-72-0x0000000000240000-0x000000000025B000-memory.dmpFilesize
108KB
-
memory/1744-75-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1768-87-0x0000000000000000-mapping.dmp
-
memory/1876-100-0x0000000000000000-mapping.dmp