Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-06-2022 05:56
Static task
static1
Behavioral task
behavioral1
Sample
ef43e97cb61e5d54d4953a4d3278f220.exe
Resource
win7-20220414-en
General
-
Target
ef43e97cb61e5d54d4953a4d3278f220.exe
-
Size
828KB
-
MD5
ef43e97cb61e5d54d4953a4d3278f220
-
SHA1
16e593f0ddae9e67c5dd725d383552a0414ab292
-
SHA256
45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0
-
SHA512
3e978d30d2bf94a2fe506c44f7bafb94cc3fe8a50a8db1232c2de6b34fd22fd9ec951c63290e3983c42bdf278e00d940c49858b1faa61bdf90bf299532631b71
Malware Config
Extracted
xloader
2.6
pdrq
welchsunstar.com
mppservicesllc.com
wiresofteflon.com
brabov.xyz
compnonoch.site
yourbuilderworks.com
iamsamirahman.com
eriqoes.com
eastudio.design
skyearth-est.com
teethfitness.com
razaancreates.com
shfbfs.com
joyfulbrokekids.com
kjbolden.com
howirep.com
deedeesmainecoons.website
e-powair.com
aheatea.com
shalfey0009.xyz
designcolor.style
netflixpaymentpending.ca
bothoitrang3.site
motondiarts.com
staynmocean.com
miamivideoshows.com
berendsit.com
yndzjs.com
yiwenhome.xyz
royaldeals.net
clearvison-ts.com
peluqueriasusanagalan.com
thelittlewellnessstudio.com
gurulotaska.com
smgsj.com
followpanelbd.com
prinirwedding.com
3559.fyi
amcvips.com
bigroof.top
chipbio-zt.com
candelasluxuryretreat.com
jboycephotography.com
affiliateindex.xyz
grannysseasonings.com
lcl-inc-test.com
beadallcreations.jewelry
yzzhome.top
tobe-science.com
cincinnaticustomrenovation.com
survaicommercial.xyz
businessdirectorymania.com
phqworld.com
miamigocars.com
labfour.systems
gregoryzeitler.com
dj-mary.com
one1-day.com
vegfiber.com
sfbayraw.net
xn--bndarsloto-s4a.com
felipesb.com
108580.com
1swj06mjrowgi.xyz
koalaglen.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions ef43e97cb61e5d54d4953a4d3278f220.exe -
Xloader Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/436-142-0x0000000000400000-0x000000000042B000-memory.dmp xloader behavioral2/memory/436-157-0x0000000000400000-0x000000000042B000-memory.dmp xloader behavioral2/memory/1320-162-0x0000000000E80000-0x0000000000EAB000-memory.dmp xloader behavioral2/memory/1320-168-0x0000000000E80000-0x0000000000EAB000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
msdt.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run msdt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TPXDBRQ8JBT = "C:\\Program Files (x86)\\Kktj8zxp0\\IconCachejbcphpxp.exe" msdt.exe -
Executes dropped EXE 1 IoCs
Processes:
IconCachejbcphpxp.exepid process 3656 IconCachejbcphpxp.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools ef43e97cb61e5d54d4953a4d3278f220.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ef43e97cb61e5d54d4953a4d3278f220.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ef43e97cb61e5d54d4953a4d3278f220.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation ef43e97cb61e5d54d4953a4d3278f220.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum ef43e97cb61e5d54d4953a4d3278f220.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 ef43e97cb61e5d54d4953a4d3278f220.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exeRegSvcs.exemsdt.exedescription pid process target process PID 3116 set thread context of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 436 set thread context of 1124 436 RegSvcs.exe Explorer.EXE PID 1320 set thread context of 1124 1320 msdt.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
msdt.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe msdt.exe File opened for modification C:\Program Files (x86)\Kktj8zxp0 Explorer.EXE File created C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
msdt.exedescription ioc process Key created \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msdt.exe -
Suspicious behavior: EnumeratesProcesses 61 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exepowershell.exeRegSvcs.exemsdt.exepid process 3116 ef43e97cb61e5d54d4953a4d3278f220.exe 3116 ef43e97cb61e5d54d4953a4d3278f220.exe 3452 powershell.exe 3116 ef43e97cb61e5d54d4953a4d3278f220.exe 436 RegSvcs.exe 436 RegSvcs.exe 3452 powershell.exe 436 RegSvcs.exe 436 RegSvcs.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1124 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegSvcs.exemsdt.exepid process 436 RegSvcs.exe 436 RegSvcs.exe 436 RegSvcs.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe 1320 msdt.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exepowershell.exeRegSvcs.exemsdt.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 3116 ef43e97cb61e5d54d4953a4d3278f220.exe Token: SeDebugPrivilege 3452 powershell.exe Token: SeDebugPrivilege 436 RegSvcs.exe Token: SeDebugPrivilege 1320 msdt.exe Token: SeShutdownPrivilege 1124 Explorer.EXE Token: SeCreatePagefilePrivilege 1124 Explorer.EXE Token: SeShutdownPrivilege 1124 Explorer.EXE Token: SeCreatePagefilePrivilege 1124 Explorer.EXE Token: SeShutdownPrivilege 1124 Explorer.EXE Token: SeCreatePagefilePrivilege 1124 Explorer.EXE Token: SeShutdownPrivilege 1124 Explorer.EXE Token: SeCreatePagefilePrivilege 1124 Explorer.EXE Token: SeShutdownPrivilege 1124 Explorer.EXE Token: SeCreatePagefilePrivilege 1124 Explorer.EXE -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
ef43e97cb61e5d54d4953a4d3278f220.exeExplorer.EXEmsdt.exedescription pid process target process PID 3116 wrote to memory of 3452 3116 ef43e97cb61e5d54d4953a4d3278f220.exe powershell.exe PID 3116 wrote to memory of 3452 3116 ef43e97cb61e5d54d4953a4d3278f220.exe powershell.exe PID 3116 wrote to memory of 3452 3116 ef43e97cb61e5d54d4953a4d3278f220.exe powershell.exe PID 3116 wrote to memory of 4212 3116 ef43e97cb61e5d54d4953a4d3278f220.exe schtasks.exe PID 3116 wrote to memory of 4212 3116 ef43e97cb61e5d54d4953a4d3278f220.exe schtasks.exe PID 3116 wrote to memory of 4212 3116 ef43e97cb61e5d54d4953a4d3278f220.exe schtasks.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 3116 wrote to memory of 436 3116 ef43e97cb61e5d54d4953a4d3278f220.exe RegSvcs.exe PID 1124 wrote to memory of 1320 1124 Explorer.EXE msdt.exe PID 1124 wrote to memory of 1320 1124 Explorer.EXE msdt.exe PID 1124 wrote to memory of 1320 1124 Explorer.EXE msdt.exe PID 1320 wrote to memory of 220 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 220 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 220 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 2508 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 2508 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 2508 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 4772 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 4772 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 4772 1320 msdt.exe cmd.exe PID 1320 wrote to memory of 1820 1320 msdt.exe Firefox.exe PID 1320 wrote to memory of 1820 1320 msdt.exe Firefox.exe PID 1320 wrote to memory of 1820 1320 msdt.exe Firefox.exe PID 1124 wrote to memory of 3656 1124 Explorer.EXE IconCachejbcphpxp.exe PID 1124 wrote to memory of 3656 1124 Explorer.EXE IconCachejbcphpxp.exe PID 1124 wrote to memory of 3656 1124 Explorer.EXE IconCachejbcphpxp.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe"C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lIaHFEbpq.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lIaHFEbpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmp"3⤵
- Creates scheduled task(s)
PID:4212 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:436 -
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:220
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵PID:2508
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵PID:4772
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:1820
-
C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe"C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe"2⤵
- Executes dropped EXE
PID:3656
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmpFilesize
1KB
MD52258bea626699bd5a009e3bb020e79ea
SHA1474c289b99b4a067ef2b623a4090671292489988
SHA256aba19cfc1a944b742dd03abe39e0fb6c309db102a0bb32cac2567a0bfdee499b
SHA5128c413d9f5e08f9d32dfc870b23558ce0f822fffa9dea753713daebe3dea298c468455c4672c8f9e4fef3ad3960d17d4299d847533864ed4aa86dde1799b0fd55
-
memory/220-159-0x0000000000000000-mapping.dmp
-
memory/436-157-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/436-147-0x0000000001AD0000-0x0000000001E1A000-memory.dmpFilesize
3.3MB
-
memory/436-141-0x0000000000000000-mapping.dmp
-
memory/436-142-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/436-148-0x0000000001440000-0x0000000001451000-memory.dmpFilesize
68KB
-
memory/1124-169-0x0000000008010000-0x0000000008142000-memory.dmpFilesize
1.2MB
-
memory/1124-167-0x0000000008010000-0x0000000008142000-memory.dmpFilesize
1.2MB
-
memory/1124-149-0x0000000007EC0000-0x0000000008001000-memory.dmpFilesize
1.3MB
-
memory/1320-166-0x0000000002C50000-0x0000000002CE0000-memory.dmpFilesize
576KB
-
memory/1320-156-0x0000000000000000-mapping.dmp
-
memory/1320-168-0x0000000000E80000-0x0000000000EAB000-memory.dmpFilesize
172KB
-
memory/1320-163-0x0000000002EF0000-0x000000000323A000-memory.dmpFilesize
3.3MB
-
memory/1320-162-0x0000000000E80000-0x0000000000EAB000-memory.dmpFilesize
172KB
-
memory/1320-160-0x0000000000070000-0x00000000000C7000-memory.dmpFilesize
348KB
-
memory/2508-170-0x0000000000000000-mapping.dmp
-
memory/3116-130-0x0000000000550000-0x0000000000626000-memory.dmpFilesize
856KB
-
memory/3116-131-0x0000000005550000-0x0000000005AF4000-memory.dmpFilesize
5.6MB
-
memory/3116-132-0x0000000005040000-0x00000000050D2000-memory.dmpFilesize
584KB
-
memory/3116-133-0x0000000004FE0000-0x0000000004FEA000-memory.dmpFilesize
40KB
-
memory/3116-134-0x0000000008A80000-0x0000000008B1C000-memory.dmpFilesize
624KB
-
memory/3116-135-0x0000000008CC0000-0x0000000008D26000-memory.dmpFilesize
408KB
-
memory/3452-164-0x0000000007500000-0x000000000751A000-memory.dmpFilesize
104KB
-
memory/3452-138-0x00000000048D0000-0x0000000004906000-memory.dmpFilesize
216KB
-
memory/3452-161-0x00000000073F0000-0x00000000073FE000-memory.dmpFilesize
56KB
-
memory/3452-150-0x00000000064D0000-0x0000000006502000-memory.dmpFilesize
200KB
-
memory/3452-140-0x0000000004FC0000-0x00000000055E8000-memory.dmpFilesize
6.2MB
-
memory/3452-143-0x0000000004DD0000-0x0000000004DF2000-memory.dmpFilesize
136KB
-
memory/3452-152-0x0000000006410000-0x000000000642E000-memory.dmpFilesize
120KB
-
memory/3452-165-0x00000000074E0000-0x00000000074E8000-memory.dmpFilesize
32KB
-
memory/3452-136-0x0000000000000000-mapping.dmp
-
memory/3452-158-0x0000000007440000-0x00000000074D6000-memory.dmpFilesize
600KB
-
memory/3452-144-0x00000000055F0000-0x0000000005656000-memory.dmpFilesize
408KB
-
memory/3452-153-0x0000000007800000-0x0000000007E7A000-memory.dmpFilesize
6.5MB
-
memory/3452-146-0x0000000005EB0000-0x0000000005ECE000-memory.dmpFilesize
120KB
-
memory/3452-151-0x0000000075440000-0x000000007548C000-memory.dmpFilesize
304KB
-
memory/3452-154-0x00000000071C0000-0x00000000071DA000-memory.dmpFilesize
104KB
-
memory/3452-155-0x0000000007230000-0x000000000723A000-memory.dmpFilesize
40KB
-
memory/3656-174-0x0000000000000000-mapping.dmp
-
memory/3656-177-0x0000000000FB0000-0x0000000000FBE000-memory.dmpFilesize
56KB
-
memory/3656-178-0x0000000005760000-0x000000000579C000-memory.dmpFilesize
240KB
-
memory/4212-137-0x0000000000000000-mapping.dmp
-
memory/4772-172-0x0000000000000000-mapping.dmp