Analysis
-
max time kernel
151s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02-02-2023 16:10
Behavioral task
behavioral1
Sample
PerX.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
PerX.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
Scarletz.dll
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
Scarletz.dll
Resource
win10v2004-20220812-en
General
-
Target
PerX.exe
-
Size
700KB
-
MD5
2a1a572771597d924ed145efaf4c77d6
-
SHA1
0302a5986fadc56557018291003a2bc852fd0913
-
SHA256
333ea334c1a637d1ef888771bf6542953d28f76c26487356ff2a94a971667c55
-
SHA512
17560878ae608fe947220f0d640d72d51e7c607e238e8be7b9f19fc7d20a7dd631633c21f424629bb8f57963161d8226601308cf95ced86c7c178b64dd0302fc
-
SSDEEP
12288:Ddm3xc4L24cmoS8c97WyggbpPYfBZpLnPO2Vmi1ZXA2m/jl+mixj2:Ddm3xX9ggbpcLP7A2gomOC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" PerX.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" PerX.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" PerX.exe -
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" PerX.exe -
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" PerX.exe -
Executes dropped EXE 1 IoCs
Processes:
PerXmgr.exepid process 5072 PerXmgr.exe -
Processes:
resource yara_rule behavioral2/memory/3916-132-0x0000000000400000-0x0000000000531000-memory.dmp upx behavioral2/memory/3916-136-0x0000000002420000-0x00000000034AE000-memory.dmp upx behavioral2/memory/3916-137-0x0000000002420000-0x00000000034AE000-memory.dmp upx behavioral2/memory/3916-138-0x0000000000400000-0x0000000000531000-memory.dmp upx behavioral2/memory/3916-139-0x0000000002420000-0x00000000034AE000-memory.dmp upx -
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" PerX.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" PerX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" PerX.exe -
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" PerX.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
PerX.exedescription ioc process File opened (read-only) \??\Z: PerX.exe File opened (read-only) \??\F: PerX.exe File opened (read-only) \??\H: PerX.exe File opened (read-only) \??\R: PerX.exe File opened (read-only) \??\T: PerX.exe File opened (read-only) \??\P: PerX.exe File opened (read-only) \??\W: PerX.exe File opened (read-only) \??\Y: PerX.exe File opened (read-only) \??\E: PerX.exe File opened (read-only) \??\J: PerX.exe File opened (read-only) \??\K: PerX.exe File opened (read-only) \??\L: PerX.exe File opened (read-only) \??\N: PerX.exe File opened (read-only) \??\U: PerX.exe File opened (read-only) \??\V: PerX.exe File opened (read-only) \??\Q: PerX.exe File opened (read-only) \??\S: PerX.exe File opened (read-only) \??\X: PerX.exe File opened (read-only) \??\G: PerX.exe File opened (read-only) \??\I: PerX.exe File opened (read-only) \??\M: PerX.exe File opened (read-only) \??\O: PerX.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
PerX.exedescription ioc process File opened for modification C:\autorun.inf PerX.exe -
Drops file in Program Files directory 11 IoCs
Processes:
PerX.exedescription ioc process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe PerX.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe PerX.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe PerX.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe PerX.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe PerX.exe -
Drops file in Windows directory 1 IoCs
Processes:
PerX.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI PerX.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4532 5072 WerFault.exe PerXmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PerX.exepid process 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe 3916 PerX.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
PerX.exedescription pid process Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe Token: SeDebugPrivilege 3916 PerX.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PerX.exedescription pid process target process PID 3916 wrote to memory of 5072 3916 PerX.exe PerXmgr.exe PID 3916 wrote to memory of 5072 3916 PerX.exe PerXmgr.exe PID 3916 wrote to memory of 5072 3916 PerX.exe PerXmgr.exe PID 3916 wrote to memory of 776 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 784 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 1016 3916 PerX.exe dwm.exe PID 3916 wrote to memory of 2700 3916 PerX.exe sihost.exe PID 3916 wrote to memory of 2816 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 2868 3916 PerX.exe taskhostw.exe PID 3916 wrote to memory of 2376 3916 PerX.exe Explorer.EXE PID 3916 wrote to memory of 2936 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 3276 3916 PerX.exe DllHost.exe PID 3916 wrote to memory of 3376 3916 PerX.exe StartMenuExperienceHost.exe PID 3916 wrote to memory of 3444 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 3532 3916 PerX.exe SearchApp.exe PID 3916 wrote to memory of 3700 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 5072 3916 PerX.exe PerXmgr.exe PID 3916 wrote to memory of 5072 3916 PerX.exe PerXmgr.exe PID 3916 wrote to memory of 776 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 784 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 1016 3916 PerX.exe dwm.exe PID 3916 wrote to memory of 2700 3916 PerX.exe sihost.exe PID 3916 wrote to memory of 2816 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 2868 3916 PerX.exe taskhostw.exe PID 3916 wrote to memory of 2376 3916 PerX.exe Explorer.EXE PID 3916 wrote to memory of 2936 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 3276 3916 PerX.exe DllHost.exe PID 3916 wrote to memory of 3376 3916 PerX.exe StartMenuExperienceHost.exe PID 3916 wrote to memory of 3444 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 3532 3916 PerX.exe SearchApp.exe PID 3916 wrote to memory of 3700 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 776 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 784 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 1016 3916 PerX.exe dwm.exe PID 3916 wrote to memory of 2700 3916 PerX.exe sihost.exe PID 3916 wrote to memory of 2816 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 2868 3916 PerX.exe taskhostw.exe PID 3916 wrote to memory of 2376 3916 PerX.exe Explorer.EXE PID 3916 wrote to memory of 2936 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 3276 3916 PerX.exe DllHost.exe PID 3916 wrote to memory of 3376 3916 PerX.exe StartMenuExperienceHost.exe PID 3916 wrote to memory of 3444 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 3532 3916 PerX.exe SearchApp.exe PID 3916 wrote to memory of 3700 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 776 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 784 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 1016 3916 PerX.exe dwm.exe PID 3916 wrote to memory of 2700 3916 PerX.exe sihost.exe PID 3916 wrote to memory of 2816 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 2868 3916 PerX.exe taskhostw.exe PID 3916 wrote to memory of 2376 3916 PerX.exe Explorer.EXE PID 3916 wrote to memory of 2936 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 3276 3916 PerX.exe DllHost.exe PID 3916 wrote to memory of 3376 3916 PerX.exe StartMenuExperienceHost.exe PID 3916 wrote to memory of 3444 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 3532 3916 PerX.exe SearchApp.exe PID 3916 wrote to memory of 3700 3916 PerX.exe RuntimeBroker.exe PID 3916 wrote to memory of 776 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 784 3916 PerX.exe fontdrvhost.exe PID 3916 wrote to memory of 1016 3916 PerX.exe dwm.exe PID 3916 wrote to memory of 2700 3916 PerX.exe sihost.exe PID 3916 wrote to memory of 2816 3916 PerX.exe svchost.exe PID 3916 wrote to memory of 2868 3916 PerX.exe taskhostw.exe PID 3916 wrote to memory of 2376 3916 PerX.exe Explorer.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
PerX.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" PerX.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\PerX.exe"C:\Users\Admin\AppData\Local\Temp\PerX.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\PerXmgr.exeC:\Users\Admin\AppData\Local\Temp\PerXmgr.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 4444⤵
- Program crash
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 50721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\PerXmgr.exeFilesize
113KB
MD5d26092af969610dab56e02649ecae88d
SHA1cd450ff4b645acd188fa1f9e9c16a972c0e99f87
SHA256e4fedb771fd949517cbf3392c9f36be599bf16726a4702cb960a1f4845c39a71
SHA5128c87bf4318089dc03d7c60b1d1f04ac46333f792ca37bd3a0ca832dc22ae56dc8b0a473154706ef58812c70cf99d6fee877ab4984ce973eaaa3e5d1525730b05
-
C:\Users\Admin\AppData\Local\Temp\PerXmgr.exeFilesize
113KB
MD5d26092af969610dab56e02649ecae88d
SHA1cd450ff4b645acd188fa1f9e9c16a972c0e99f87
SHA256e4fedb771fd949517cbf3392c9f36be599bf16726a4702cb960a1f4845c39a71
SHA5128c87bf4318089dc03d7c60b1d1f04ac46333f792ca37bd3a0ca832dc22ae56dc8b0a473154706ef58812c70cf99d6fee877ab4984ce973eaaa3e5d1525730b05
-
memory/3916-132-0x0000000000400000-0x0000000000531000-memory.dmpFilesize
1.2MB
-
memory/3916-136-0x0000000002420000-0x00000000034AE000-memory.dmpFilesize
16.6MB
-
memory/3916-137-0x0000000002420000-0x00000000034AE000-memory.dmpFilesize
16.6MB
-
memory/3916-138-0x0000000000400000-0x0000000000531000-memory.dmpFilesize
1.2MB
-
memory/3916-139-0x0000000002420000-0x00000000034AE000-memory.dmpFilesize
16.6MB
-
memory/5072-133-0x0000000000000000-mapping.dmp