Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
23-09-2021 06:57
Static task
static1
Behavioral task
behavioral1
Sample
f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
Resource
win7-en-20210920
General
-
Target
f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
-
Size
1.7MB
-
MD5
8e6fb813fdbfb1b6815c8f7c47a5ac13
-
SHA1
4b8c92a3a6c63d6c296b0c121619b23599168030
-
SHA256
f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30
-
SHA512
374fab3c87d3e03fd14081939833b1ac6192d7c35d86e6fef936bc6fd15f80e4b9f6fa09dd1bf8ba60b75f97e5603783c1b28fc673e47a4c9bc44bbaebdf28f4
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
RAT.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe" RAT.EXE -
Modifies security service 2 TTPs 1 IoCs
Processes:
Chrome.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Chrome.exe -
Executes dropped EXE 5 IoCs
Processes:
CHROME.EXERAT.EXECHROME.EXEChrome.exeCHROME.EXEpid process 2040 CHROME.EXE 1672 RAT.EXE 680 CHROME.EXE 712 Chrome.exe 1700 CHROME.EXE -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\RAT.EXE upx \Users\Admin\AppData\Local\Temp\RAT.EXE upx C:\Users\Admin\AppData\Local\Temp\RAT.EXE upx C:\Users\Admin\AppData\Local\Temp\RAT.EXE upx \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe upx \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe upx C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe upx C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe upx -
Loads dropped DLL 7 IoCs
Processes:
f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exeRAT.EXEChrome.exepid process 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe 1672 RAT.EXE 1672 RAT.EXE 1672 RAT.EXE 712 Chrome.exe -
Processes:
Chrome.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RAT.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe" RAT.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Chrome.exepid process 712 Chrome.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
RAT.EXEChrome.exedescription pid process Token: SeIncreaseQuotaPrivilege 1672 RAT.EXE Token: SeSecurityPrivilege 1672 RAT.EXE Token: SeTakeOwnershipPrivilege 1672 RAT.EXE Token: SeLoadDriverPrivilege 1672 RAT.EXE Token: SeSystemProfilePrivilege 1672 RAT.EXE Token: SeSystemtimePrivilege 1672 RAT.EXE Token: SeProfSingleProcessPrivilege 1672 RAT.EXE Token: SeIncBasePriorityPrivilege 1672 RAT.EXE Token: SeCreatePagefilePrivilege 1672 RAT.EXE Token: SeBackupPrivilege 1672 RAT.EXE Token: SeRestorePrivilege 1672 RAT.EXE Token: SeShutdownPrivilege 1672 RAT.EXE Token: SeDebugPrivilege 1672 RAT.EXE Token: SeSystemEnvironmentPrivilege 1672 RAT.EXE Token: SeChangeNotifyPrivilege 1672 RAT.EXE Token: SeRemoteShutdownPrivilege 1672 RAT.EXE Token: SeUndockPrivilege 1672 RAT.EXE Token: SeManageVolumePrivilege 1672 RAT.EXE Token: SeImpersonatePrivilege 1672 RAT.EXE Token: SeCreateGlobalPrivilege 1672 RAT.EXE Token: 33 1672 RAT.EXE Token: 34 1672 RAT.EXE Token: 35 1672 RAT.EXE Token: SeIncreaseQuotaPrivilege 712 Chrome.exe Token: SeSecurityPrivilege 712 Chrome.exe Token: SeTakeOwnershipPrivilege 712 Chrome.exe Token: SeLoadDriverPrivilege 712 Chrome.exe Token: SeSystemProfilePrivilege 712 Chrome.exe Token: SeSystemtimePrivilege 712 Chrome.exe Token: SeProfSingleProcessPrivilege 712 Chrome.exe Token: SeIncBasePriorityPrivilege 712 Chrome.exe Token: SeCreatePagefilePrivilege 712 Chrome.exe Token: SeBackupPrivilege 712 Chrome.exe Token: SeRestorePrivilege 712 Chrome.exe Token: SeShutdownPrivilege 712 Chrome.exe Token: SeDebugPrivilege 712 Chrome.exe Token: SeSystemEnvironmentPrivilege 712 Chrome.exe Token: SeChangeNotifyPrivilege 712 Chrome.exe Token: SeRemoteShutdownPrivilege 712 Chrome.exe Token: SeUndockPrivilege 712 Chrome.exe Token: SeManageVolumePrivilege 712 Chrome.exe Token: SeImpersonatePrivilege 712 Chrome.exe Token: SeCreateGlobalPrivilege 712 Chrome.exe Token: 33 712 Chrome.exe Token: 34 712 Chrome.exe Token: 35 712 Chrome.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Chrome.exepid process 712 Chrome.exe -
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exeRAT.EXEcmd.execmd.exeChrome.exedescription pid process target process PID 1144 wrote to memory of 1672 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe RAT.EXE PID 1144 wrote to memory of 1672 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe RAT.EXE PID 1144 wrote to memory of 1672 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe RAT.EXE PID 1144 wrote to memory of 1672 1144 f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe RAT.EXE PID 1672 wrote to memory of 1712 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1712 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1712 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1712 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1520 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1520 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1520 1672 RAT.EXE cmd.exe PID 1672 wrote to memory of 1520 1672 RAT.EXE cmd.exe PID 1712 wrote to memory of 1220 1712 cmd.exe attrib.exe PID 1712 wrote to memory of 1220 1712 cmd.exe attrib.exe PID 1712 wrote to memory of 1220 1712 cmd.exe attrib.exe PID 1712 wrote to memory of 1220 1712 cmd.exe attrib.exe PID 1520 wrote to memory of 588 1520 cmd.exe attrib.exe PID 1520 wrote to memory of 588 1520 cmd.exe attrib.exe PID 1520 wrote to memory of 588 1520 cmd.exe attrib.exe PID 1520 wrote to memory of 588 1520 cmd.exe attrib.exe PID 1672 wrote to memory of 712 1672 RAT.EXE Chrome.exe PID 1672 wrote to memory of 712 1672 RAT.EXE Chrome.exe PID 1672 wrote to memory of 712 1672 RAT.EXE Chrome.exe PID 1672 wrote to memory of 712 1672 RAT.EXE Chrome.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe PID 712 wrote to memory of 1072 712 Chrome.exe notepad.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chrome.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern Chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" Chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion Chrome.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 1220 attrib.exe 588 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe"C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RAT.EXE"C:\Users\Admin\AppData\Local\Temp\RAT.EXE"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"3⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe"3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exeMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exeMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\RAT.EXEMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
C:\Users\Admin\AppData\Local\Temp\RAT.EXEMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exeMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exeMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
\Users\Admin\AppData\Local\Temp\CHROME.EXEMD5
ea66582423b8ed237daae8b927191f22
SHA13430aaba69b10b33853e3187f640c91fa50f97cc
SHA256fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
SHA5122d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
\Users\Admin\AppData\Local\Temp\RAT.EXEMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
\Users\Admin\AppData\Local\Temp\RAT.EXEMD5
f5f8623a89fd87a2cfd4a16976ae1a86
SHA1a3324a1def25c62b5999956acd4707368f724bb6
SHA2561a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
SHA5120f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
memory/588-67-0x0000000000000000-mapping.dmp
-
memory/712-72-0x0000000000000000-mapping.dmp
-
memory/712-79-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1072-80-0x0000000000000000-mapping.dmp
-
memory/1072-82-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1144-53-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/1220-66-0x0000000000000000-mapping.dmp
-
memory/1520-64-0x0000000000000000-mapping.dmp
-
memory/1672-58-0x0000000000000000-mapping.dmp
-
memory/1672-62-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1712-63-0x0000000000000000-mapping.dmp