Analysis
max time kernel: 150s
max time network: 183s
platform: windows7_x64
resource: win7v20210408
submitted: 13-09-2021 17:41
Static task: static1
Behavioral task: behavioral1 (Sample: PO-A5671.xlsx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: PO-A5671.xlsx, Resource: win10-en)
General
Target: PO-A5671.xlsx
Size: 587KB
MD5: 5e3cfa8a71fbefaeedfc0d3dbe9f7c51
SHA1: 34bf9b8b6c46cfe5ef624cbded56f2d59e1e59d3
SHA256: 6b8fb4d4e872cf97e4e4943a9eee6a6d8175f518c039fdc066caae45b21fc5a8
SHA512: 9cd7e84b15743bba2b420b17fdc92b7c9b79fb4ad87ab089313662a640ae080154d351522b82adb4e8d624e48d31594d2c51193ccb5b5ab3368956791bba07f5
Malware Config
Extracted
xloader
2.3
ecuu
http://www.polaritelibrairie.com/ecuu/
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1736-75-0x0000000000000000-mapping.dmp | xloader
behavioral1/memory/1736-84-0x0000000010410000-0x0000000010439000-memory.dmp | xloader
behavioral1/memory/568-90-0x00000000000E0000-0x0000000000109000-memory.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
NETSTAT.EXE
description | ioc | process
Key created | \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MBLXN08HL8 = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | NETSTAT.EXE
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXE
flow | pid | process
6 | 520 | EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
vbc.exe
pid | process
1780 | vbc.exe
-
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXE
pid | process
520 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
NETSTAT.EXE, vbc.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qrativml = "C:\\Users\\Public\\Libraries\\lmvitarQ.url" | vbc.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
ieinstal.exe, NETSTAT.EXE
description | pid | process | target process
PID 1736 set thread context of 1208 | 1736 | ieinstal.exe | Explorer.EXE
PID 568 set thread context of 1208 | 568 | NETSTAT.EXE | Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXE
pid | process
568 | NETSTAT.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid | process
1652 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
ieinstal.exe, NETSTAT.EXE
pid | process
1736 | ieinstal.exe
568 | NETSTAT.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
1208 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
ieinstal.exe, NETSTAT.EXE
pid | process
1736 | ieinstal.exe
568 | NETSTAT.EXE
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ieinstal.exe, NETSTAT.EXE, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1736 | ieinstal.exe
Token: SeDebugPrivilege | 568 | NETSTAT.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXE
pid | process
1208 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXE
pid | process
1208 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXE
pid | process
1652 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
EQNEDT32.EXE, vbc.exe, cmd.exe, cmd.exe, Explorer.EXE, cmd.exe
description | pid | process | target process
PID 520 wrote to memory of 1780 | 520 | EQNEDT32.EXE | vbc.exe
PID 1780 wrote to memory of 1736 | 1780 | vbc.exe | ieinstal.exe
PID 1780 wrote to memory of 316 | 1780 | vbc.exe | cmd.exe
PID 316 wrote to memory of 1600 | 316 | cmd.exe | cmd.exe
PID 1600 wrote to memory of 616 | 1600 | cmd.exe | reg.exe
PID 1600 wrote to memory of 1056 | 1600 | cmd.exe | reg.exe
PID 1600 wrote to memory of 464 | 1600 | cmd.exe | schtasks.exe
PID 1208 wrote to memory of 568 | 1208 | Explorer.EXE | NETSTAT.EXE
PID 1780 wrote to memory of 1488 | 1780 | vbc.exe | cmd.exe
PID 1488 wrote to memory of 1168 | 1488 | cmd.exe | reg.exe
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Process tree depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-A5671.xlsx
Process tree depth: 2
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\NETSTAT.EXE
Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
Process tree depth: 2
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Process tree depth: 1
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe
Command line: "C:\Users\Public\vbc.exe"
Process tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Process tree depth: 3
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Public\Trast.bat" "
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Process tree depth: 4
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe
Command line: reg delete hkcu\Environment /v windir /f
Process tree depth: 5
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe
Command line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
Process tree depth: 5
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Process tree depth: 5
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Public\nest.bat" "
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe
Command line: reg delete hkcu\Environment /v windir /f
Process tree depth: 4
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads