Analysis
max time kernel: 155s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 21-02-2022 22:21
Static task
static1
Behavioral task
behavioral1
Sample
Invoice Payment Details.exe
Resource
win7-en-20211208
General
Target: Invoice Payment Details.exe
Size: 892KB
MD5: 9570c6d8cef329a8984dc89ecc786c28
SHA1: f318481b2fa2cc222bb783974c917f7c2b352c8f
SHA256: a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e
SHA512: 3f1a3827be7daa886136c039b22a91d8c577e18f651cb414a2f9ebae258e45772533f17253f58a600c05b1307ef618ec6dd49ceebc5128333f53f83068293251
Malware Config
Extracted
xloader
2.3
kio8
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2324-138-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2324-144-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1720-149-0x0000000000D20000-0x0000000000D49000-memory.dmp | xloader
Suspicious use of SetThreadContext 4 IoCs
Processes:
Invoice Payment Details.exe, Invoice Payment Details.exe, chkdsk.exe
description | pid | process | target process
PID 2372 set thread context of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2324 set thread context of 2412 | 2324 | Invoice Payment Details.exe | Explorer.EXE
PID 2324 set thread context of 2412 | 2324 | Invoice Payment Details.exe | Explorer.EXE
PID 1720 set thread context of 2412 | 1720 | chkdsk.exe | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
svchost.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Modifies data under HKEY_USERS 49 IoCs
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
Invoice Payment Details.exeInvoice Payment Details.exechkdsk.exepid process 2372 Invoice Payment Details.exe 2372 Invoice Payment Details.exe 2372 Invoice Payment Details.exe 2372 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 2324 Invoice Payment Details.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe 1720 chkdsk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
2412 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
Invoice Payment Details.exe, chkdsk.exe
pid | process
2324 | Invoice Payment Details.exe
2324 | Invoice Payment Details.exe
2324 | Invoice Payment Details.exe
2324 | Invoice Payment Details.exe
1720 | chkdsk.exe
1720 | chkdsk.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
Invoice Payment Details.exe, Invoice Payment Details.exe, Explorer.EXE, chkdsk.exe
description | pid | process
Token: SeDebugPrivilege | 2372 | Invoice Payment Details.exe
Token: SeDebugPrivilege | 2324 | Invoice Payment Details.exe
Token: SeShutdownPrivilege | 2412 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2412 | Explorer.EXE
Token: SeDebugPrivilege | 1720 | chkdsk.exe
Token: SeShutdownPrivilege | 2412 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2412 | Explorer.EXE
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Invoice Payment Details.exe, Explorer.EXE, chkdsk.exe
description | pid | process | target process
PID 2372 wrote to memory of 3724 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 3724 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 3724 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 4020 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 4020 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 4020 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2372 wrote to memory of 2324 | 2372 | Invoice Payment Details.exe | Invoice Payment Details.exe
PID 2412 wrote to memory of 1720 | 2412 | Explorer.EXE | chkdsk.exe
PID 2412 wrote to memory of 1720 | 2412 | Explorer.EXE | chkdsk.exe
PID 2412 wrote to memory of 1720 | 2412 | Explorer.EXE | chkdsk.exe
PID 1720 wrote to memory of 2280 | 1720 | chkdsk.exe | cmd.exe
PID 1720 wrote to memory of 2280 | 1720 | chkdsk.exe | cmd.exe
PID 1720 wrote to memory of 2280 | 1720 | chkdsk.exe | cmd.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2412
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
    PID: 2372
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
      PID: 3724
    C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
      PID: 4020
    C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
      PID: 2324
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 3316
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 3364
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 3908
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 3052
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 2576
  C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    PID: 1720
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
      PID: 2280
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3520
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 616
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 216
Network
MITRE ATT&CK Enterprise v6
Downloads