Analysis
-
max time kernel
123s -
max time network
157s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
16-10-2021 00:21
General
-
Target
fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
-
Size
727KB
-
MD5
f910255f4ace1b36d8ae4e4529da6754
-
SHA1
650f4289e43c451095a9946c9391594e263c0fd5
-
SHA256
fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886
-
SHA512
241a45ac29b430aa67c85591258022c5b00b6bb55247f51f7ffcb73be1276cf4bc8f4649ba668b6885cbbbfee8609fda788b63b1169c86200d633ff70451b6e5
Malware Config
Extracted
vidar
41.4
1008
https://mas.to/@sslam
-
profile_id
1008
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe"C:\Users\Admin\AppData\Local\Temp\fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\O6DV018CD4UB8WOM.exe"C:\ProgramData\O6DV018CD4UB8WOM.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hlhsew5i\hlhsew5i.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE7C.tmp" "c:\Users\Admin\AppData\Local\Temp\hlhsew5i\CSCDE9952661A4146A1965C9E710AF8E9.TMP"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 22802⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\O6DV018CD4UB8WOM.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\ProgramData\O6DV018CD4UB8WOM.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\RESAE7C.tmpMD5
6ebede43fab53325092b66ea87b4b2e6
SHA111a171005e13d2f4dba9e4096a95dcd422ed4301
SHA256d1680b21fedc0e1a28d95f0ae2592d483bfdda5d8f5f996522b57c347c0eb54c
SHA512b274c02555c7f4514a98c0f7609ed8ecfac062eedb24efc5cc0bc9c352dab7380ef58681d77f59cbbf31b4cbe70cab2adc04f13763c34dc2683b3215f91dbf4f
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
841cc93778b4ec353d0075d717b90df4
SHA1287f652b7be199d127aab4655055654a6ea2bed6
SHA25677f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1
SHA512a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541
-
C:\Users\Admin\AppData\Local\Temp\hlhsew5i\hlhsew5i.dllMD5
6b0969fadf65dd57fbf9a40f7b9e1814
SHA17ef0034f22477fab683177e1d38636b383dcee9b
SHA2564ebb0d43cdf95bcecd268c72a57d0612ee2b709f919e94007d2b40f9e0c893cf
SHA5124f7a24b61d29bdbfb8b4c5e5493a2d806c7ff0ca82f18a5b243f744645161b85657d66ede0cf3b74de47da63ce22f2ec8f5c8497c107e03699afe88b766b181b
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\hlhsew5i\CSCDE9952661A4146A1965C9E710AF8E9.TMPMD5
ce345cc8d1cb40b5f80eb9d106d39a00
SHA1061e9da0157a7730c0e3972029a72ae3155fe89d
SHA256597844070e300b8269f7d5951a75404fdd0344affde5a10ecdfd6e6197834e67
SHA5120df02518c89cf33e47cc8df31b62f4f9ed295436ddb0c46855f580900228668cf471d3f9ea31d6a355ba5ddfb7fb9dba928d7bc3c712a4f9f268268cc0aa0358
-
\??\c:\Users\Admin\AppData\Local\Temp\hlhsew5i\hlhsew5i.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\hlhsew5i\hlhsew5i.cmdlineMD5
b39d8dfd96da21eeb395103965fb2e3b
SHA14213e64891f5c3d2710d929aaf2e7f0de86fa486
SHA256ff6317a38387eda3f426ceb1aec62f132c42fda1f9c3d9473bb0785201a3dfe6
SHA5123ccca4f8e266f73e98498d94e4a9574b25d039ee49228de391f783c1bf8db919d0c88ef9c228a9317b2a6467d000359604fe244c4d4e29d9eefd737c5f626864
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/392-1039-0x0000000000000000-mapping.dmp
-
memory/416-1035-0x0000000000000000-mapping.dmp
-
memory/692-710-0x0000000000000000-mapping.dmp
-
memory/692-819-0x000000007F3F0000-0x000000007F3F1000-memory.dmpFilesize
4KB
-
memory/692-722-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/692-724-0x00000000072E2000-0x00000000072E3000-memory.dmpFilesize
4KB
-
memory/960-990-0x0000000000000000-mapping.dmp
-
memory/964-151-0x0000000005114000-0x0000000005115000-memory.dmpFilesize
4KB
-
memory/964-137-0x000000000040330C-mapping.dmp
-
memory/964-140-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/964-143-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/964-142-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/964-144-0x0000000005530000-0x000000000592F000-memory.dmpFilesize
4.0MB
-
memory/964-145-0x0000000005112000-0x0000000005113000-memory.dmpFilesize
4KB
-
memory/964-146-0x0000000005113000-0x0000000005114000-memory.dmpFilesize
4KB
-
memory/964-149-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/964-136-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/1168-989-0x0000000000000000-mapping.dmp
-
memory/1172-991-0x0000000000000000-mapping.dmp
-
memory/1516-1056-0x0000000000000000-mapping.dmp
-
memory/1568-173-0x0000000000000000-mapping.dmp
-
memory/1748-1028-0x0000000000000000-mapping.dmp
-
memory/1836-1033-0x0000000000000000-mapping.dmp
-
memory/2036-1037-0x0000000000000000-mapping.dmp
-
memory/2092-1057-0x0000000000000000-mapping.dmp
-
memory/2276-176-0x0000000000000000-mapping.dmp
-
memory/2296-1034-0x0000000000000000-mapping.dmp
-
memory/2352-117-0x0000000000400000-0x0000000001729000-memory.dmpFilesize
19.2MB
-
memory/2352-116-0x00000000033D0000-0x00000000034A6000-memory.dmpFilesize
856KB
-
memory/2480-1036-0x0000000000000000-mapping.dmp
-
memory/2796-165-0x0000000008010000-0x0000000008011000-memory.dmpFilesize
4KB
-
memory/2796-182-0x0000000006983000-0x0000000006984000-memory.dmpFilesize
4KB
-
memory/2796-171-0x0000000009620000-0x0000000009621000-memory.dmpFilesize
4KB
-
memory/2796-172-0x0000000008CA0000-0x0000000008CA1000-memory.dmpFilesize
4KB
-
memory/2796-164-0x0000000007F40000-0x0000000007F41000-memory.dmpFilesize
4KB
-
memory/2796-163-0x0000000007C80000-0x0000000007C81000-memory.dmpFilesize
4KB
-
memory/2796-162-0x00000000078B0000-0x00000000078B1000-memory.dmpFilesize
4KB
-
memory/2796-160-0x00000000077D0000-0x00000000077D1000-memory.dmpFilesize
4KB
-
memory/2796-159-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2796-158-0x0000000006982000-0x0000000006983000-memory.dmpFilesize
4KB
-
memory/2796-157-0x0000000006980000-0x0000000006981000-memory.dmpFilesize
4KB
-
memory/2796-180-0x0000000008D30000-0x0000000008D31000-memory.dmpFilesize
4KB
-
memory/2796-156-0x0000000006FC0000-0x0000000006FC1000-memory.dmpFilesize
4KB
-
memory/2796-153-0x00000000042C0000-0x00000000042C1000-memory.dmpFilesize
4KB
-
memory/2796-203-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/2796-154-0x00000000042C0000-0x00000000042C1000-memory.dmpFilesize
4KB
-
memory/2796-155-0x00000000067D0000-0x00000000067D1000-memory.dmpFilesize
4KB
-
memory/2796-152-0x0000000000000000-mapping.dmp
-
memory/2796-167-0x00000000042C0000-0x00000000042C1000-memory.dmpFilesize
4KB
-
memory/2796-1159-0x000000007F710000-0x000000007F711000-memory.dmpFilesize
4KB
-
memory/3016-239-0x000000007EE60000-0x000000007EE61000-memory.dmpFilesize
4KB
-
memory/3016-213-0x0000000006BA0000-0x0000000006BA1000-memory.dmpFilesize
4KB
-
memory/3016-214-0x0000000006BA2000-0x0000000006BA3000-memory.dmpFilesize
4KB
-
memory/3016-206-0x0000000002CA0000-0x0000000002CA1000-memory.dmpFilesize
4KB
-
memory/3016-205-0x0000000002CA0000-0x0000000002CA1000-memory.dmpFilesize
4KB
-
memory/3016-204-0x0000000000000000-mapping.dmp
-
memory/3088-1038-0x0000000000000000-mapping.dmp
-
memory/3256-471-0x0000000004F62000-0x0000000004F63000-memory.dmpFilesize
4KB
-
memory/3256-459-0x0000000000000000-mapping.dmp
-
memory/3256-470-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/3256-600-0x000000007EEB0000-0x000000007EEB1000-memory.dmpFilesize
4KB
-
memory/3532-1029-0x0000000000000000-mapping.dmp
-
memory/3796-1032-0x0000000000000000-mapping.dmp
-
memory/3896-130-0x00000000064A0000-0x00000000064C1000-memory.dmpFilesize
132KB
-
memory/3896-131-0x0000000006540000-0x0000000006541000-memory.dmpFilesize
4KB
-
memory/3896-132-0x0000000006500000-0x0000000006501000-memory.dmpFilesize
4KB
-
memory/3896-133-0x0000000005D21000-0x0000000005D22000-memory.dmpFilesize
4KB
-
memory/3896-129-0x0000000005D20000-0x0000000005D21000-memory.dmpFilesize
4KB
-
memory/3896-128-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/3896-127-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/3896-126-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/3896-134-0x0000000006800000-0x000000000680B000-memory.dmpFilesize
44KB
-
memory/3896-125-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/3896-123-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/3896-120-0x0000000000000000-mapping.dmp
-
memory/3896-135-0x0000000008CB0000-0x0000000008CB1000-memory.dmpFilesize
4KB