Analysis
-
max time kernel
139s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 03:06
Static task
static1
Behavioral task
behavioral1
Sample
DHL_AWB #1008936572891_pdf.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DHL_AWB #1008936572891_pdf.exe
Resource
win10v2004-20220414-en
General
-
Target
DHL_AWB #1008936572891_pdf.exe
-
Size
1.5MB
-
MD5
183595e45c54758cd9adaeb3afe302e9
-
SHA1
aa4e83e6080009a5aa03e29f74ed6a5f0a0b3f3a
-
SHA256
b46bd25fca309781558509bdb4f408b085d83c74e71adc5de4eeb349bc8c4c7a
-
SHA512
01b868664c430433720a10929aef909355a5487b6cbc2f21d27ac143a84bf440235585934ad50bc82e0ff1c7269fcc65fb89944a7d5b0c2e0719352b1c89211c
Malware Config
Extracted
matiex
https://api.telegram.org/bot1328029504:AAGKFzQ1tJdWqJzQg7lW0DK-JgG0_8hFEEk/sendMessage?chat_id=1072388187
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Matiex Main Payload 10 IoCs
Processes:
resource yara_rule behavioral1/memory/1952-54-0x0000000000A30000-0x0000000000BB4000-memory.dmp family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex behavioral1/memory/2008-61-0x0000000000E10000-0x0000000000E84000-memory.dmp family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe family_matiex -
AgentTesla Payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/1952-54-0x0000000000A30000-0x0000000000BB4000-memory.dmp family_agenttesla behavioral1/memory/776-68-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla behavioral1/memory/776-69-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla behavioral1/memory/776-70-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla behavioral1/memory/776-71-0x00000000004549AE-mapping.dmp family_agenttesla behavioral1/memory/776-74-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla behavioral1/memory/776-76-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla -
Executes dropped EXE 2 IoCs
Processes:
dup.exeRegAsm.exepid process 2008 dup.exe 776 RegAsm.exe -
Drops startup file 1 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe DHL_AWB #1008936572891_pdf.exe -
Loads dropped DLL 8 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exeRegAsm.exeWerFault.exepid process 1952 DHL_AWB #1008936572891_pdf.exe 1952 DHL_AWB #1008936572891_pdf.exe 776 RegAsm.exe 1644 WerFault.exe 1644 WerFault.exe 1644 WerFault.exe 1644 WerFault.exe 1644 WerFault.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
RegAsm.exedup.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dup.exe Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dup.exe Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dup.exe Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" RegAsm.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 freegeoip.app 4 checkip.dyndns.org 8 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exedescription pid process target process PID 1952 set thread context of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1644 2008 WerFault.exe dup.exe -
Processes:
dup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 dup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 dup.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exeRegAsm.exepid process 1952 DHL_AWB #1008936572891_pdf.exe 1952 DHL_AWB #1008936572891_pdf.exe 1952 DHL_AWB #1008936572891_pdf.exe 776 RegAsm.exe 776 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exedup.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 1952 DHL_AWB #1008936572891_pdf.exe Token: SeDebugPrivilege 2008 dup.exe Token: SeDebugPrivilege 776 RegAsm.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
DHL_AWB #1008936572891_pdf.exedup.exedescription pid process target process PID 1952 wrote to memory of 2008 1952 DHL_AWB #1008936572891_pdf.exe dup.exe PID 1952 wrote to memory of 2008 1952 DHL_AWB #1008936572891_pdf.exe dup.exe PID 1952 wrote to memory of 2008 1952 DHL_AWB #1008936572891_pdf.exe dup.exe PID 1952 wrote to memory of 2008 1952 DHL_AWB #1008936572891_pdf.exe dup.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 1952 wrote to memory of 776 1952 DHL_AWB #1008936572891_pdf.exe RegAsm.exe PID 2008 wrote to memory of 1644 2008 dup.exe WerFault.exe PID 2008 wrote to memory of 1644 2008 dup.exe WerFault.exe PID 2008 wrote to memory of 1644 2008 dup.exe WerFault.exe PID 2008 wrote to memory of 1644 2008 dup.exe WerFault.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 17843⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dup.exeFilesize
437KB
MD5a00d79da5aabd341cbec7060bcf9ecd2
SHA1c889f6bf15609d30148784f3b588fe2dc2b27aaf
SHA2562c7a809f39f6e82b2d2aec711f6a994a39d9868ecca6d522ed1bc6b62e87c4a1
SHA512edcf708321b16d359e1bbaeb6ef92589b49722f711dfb0a27e978bd3731b202686a057dfd18ec44ad5f870c00a495b5f5583f3e0227f86d17baf8e2f6956ffb3
-
memory/776-68-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-70-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-71-0x00000000004549AE-mapping.dmp
-
memory/776-69-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-74-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-76-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-66-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/776-65-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1644-80-0x0000000000000000-mapping.dmp
-
memory/1952-54-0x0000000000A30000-0x0000000000BB4000-memory.dmpFilesize
1.5MB
-
memory/1952-63-0x0000000002220000-0x000000000222A000-memory.dmpFilesize
40KB
-
memory/1952-56-0x0000000000430000-0x0000000000444000-memory.dmpFilesize
80KB
-
memory/1952-55-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/2008-61-0x0000000000E10000-0x0000000000E84000-memory.dmpFilesize
464KB
-
memory/2008-58-0x0000000000000000-mapping.dmp