Analysis
max time kernel: 144s
max time network: 147s
platform: windows10_x64
resource: win10-en-20210920
submitted: 06-10-2021 10:18
Static task
static1
General
-
Target
934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Size
339KB
-
MD5
5ecdf9607af624d3ec1ed2bc9f0e9146
-
SHA1
d68079d495932ef242efc76e96fe6d75a1ab8dc0
-
SHA256
934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
-
SHA512
b7fe77eb6f6fbd620a5a7d187d1355fb43ece505d46846703ea71e84205fb6511867756552202a5b95163cc651a5ab9a14cb1b0c13e50260a5c57993df39835c
Malware Config
Extracted
xloader
2.5
p08r
http://www.puremicrodosing.com/p08r/
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xloader Payload 2 IoCs
Processes:
resource: behavioral1/memory/3452-119-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader
resource: behavioral1/memory/3452-120-0x000000000041D440-mapping.dmp
yara_rule: xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid: 3340
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
pid: 3452
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid: 3340
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 3340 set thread context of 3452
pid: 3340
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
target process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Drops file in Program Files directory 53 IoCs
-
Drops file in Windows directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\svchost.com
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\3582-490\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
yara_rule: nsis_installer_1
resource: C:\Users\Admin\AppData\Local\Temp\3582-490\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
yara_rule: nsis_installer_2
-
Modifies registry class 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid: 3452
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description: PID 4076 wrote to memory of 3340
pid: 4076
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
target process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
description: PID 3340 wrote to memory of 3452
pid: 3340
process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
target process: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
Processes
-
"C:\Users\Admin\AppData\Local\Temp\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe" (process tree level 1)
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076
-
"C:\Users\Admin\AppData\Local\Temp\3582-490\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe" (process tree level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340
-
"C:\Users\Admin\AppData\Local\Temp\3582-490\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe" (process tree level 3)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3452
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb.exe
MD5
d41f65d9b8b141d40387320ce54f9ac3
SHA1
33fea576d37736131811f5c528aa6439ca53ed95
SHA256
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
SHA512
5dd5cc2e596cdab2209ecea994739a0c476b869545d2e5446d6f57237b1d6a539de48d407ec065ee9406ca1933104e7db585c59a80ec7933206ead7fc2c73851
-
\Users\Admin\AppData\Local\Temp\nsw8B01.tmp\xkbzkendk.dll
MD5
78443d8d2652df75871fecb3890f917f
SHA1
c44b6f398134befbb76700830deb602453167660
SHA256
bb9fc7790c243f818df28e4bd1acfcef303a2391163444daec38edc99b5b39be
SHA512
dc30b45af4cac2735edd0953c7197e801d716f4f891611af6b80f16d8b2b2053ca5477a66964cee499d53dc40820ac08796037ba5855c9c521a7cee64dda0a76
-
memory/3340-115-0x0000000000000000-mapping.dmp
-
memory/3452-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
-
memory/3452-120-0x000000000041D440-mapping.dmp
-
memory/3452-122-0x00000000009B0000-0x0000000000CD0000-memory.dmp
Filesize
3.1MB