Analysis
max time kernel: 11s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 14:29

Static task: static1

Behavioral task: behavioral1
Sample: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Resource: win10-20220414-en

Behavioral task: behavioral3
Sample: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Resource: win11-20220223-en

General
Target: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Size: 7.6MB
MD5: 38e3ff2c1ad395cc854e2b620adc1a0f
SHA1: ff1f4c054615337476ec558d22c69f578c5a9af2
SHA256: 49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b
SHA512: 0bd5b7b8dd03f9099504d6271e2bcd4aac0fd8a24b6097ac71ce33328bf4e7c305183919c40c1a64271eebf48643040ad4d0f0311bcd04a5143f237e39f16d98

Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
-
Executes dropped EXE 2 IoCs
Processes: update.exe, SecurityHealthService32.exe
pid | process
2040 | update.exe
1152 | SecurityHealthService32.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
-
Deletes itself 1 IoCs
Processes: update.exe
pid | process
2040 | update.exe
-
Loads dropped DLL 2 IoCs
Processes: 38e3ff2c1ad395cc854e2b620adc1a0f.exe, update.exe
pid | process
1180 | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
2040 | update.exe
-
resource | yara_rule
behavioral1/memory/1180-55-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
behavioral1/memory/1180-56-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
behavioral1/memory/1180-57-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
behavioral1/memory/1180-58-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
behavioral1/memory/1180-59-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
behavioral1/memory/1180-83-0x00000000011C0000-0x0000000001DFB000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
-
Drops file in Windows directory 3 IoCs
Processes: SecurityHealthService32.exe, update.exe
description | ioc | process
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe | SecurityHealthService32.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe | SecurityHealthService32.exe
File created | C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe | update.exe
-
Modifies Internet Explorer settings
Processes: update.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | update.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | update.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | update.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | update.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\update.exe = "11001" | update.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: SecurityHealthService32.exe
pid | process
1152 | SecurityHealthService32.exe
1152 | SecurityHealthService32.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 38e3ff2c1ad395cc854e2b620adc1a0f.exe
pid | process
1180 | 38e3ff2c1ad395cc854e2b620adc1a0f.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe
"C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe" 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" 2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService.exe" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthServiceManager.exe" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService32.exe" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\System32" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\Temp" 3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Tasks\Microsoft\Windows" 3⤵
-
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe" 3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
"C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe" 4⤵
-
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe" 5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads