Analysis
-
max time kernel
36s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-02-2023 02:42
Static task
static1
Behavioral task
behavioral1
Sample
1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll
Resource
win10v2004-20230220-en
General
-
Target
1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll
-
Size
76KB
-
MD5
8a132d9eb16ab0a492c7858fa5d6b6fb
-
SHA1
bb3d3258e9207f9499f3f7dcf53442fc8ddabd45
-
SHA256
1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58
-
SHA512
7f74eece1ba22e553f86c151b5364207b06b46ffb58330406021c668e2ee5fa332a8dabcf227278f10dfbc7a6d2593f5d2fb32e344c33fca174874300c9eb985
-
SSDEEP
1536:PaX1IbkVQJih8Ls2WZYbz+n26HNmAC6UsK4Xe:0KntKmzK2736UsK4
Malware Config
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
http://iwwbtudyckekvukw7462v32ugqgnzzzaxsyw5yfxhe24ok5hbc46x6qd.onion/?cid=5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\Users\Admin\Pictures\StopSet.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\Users\Admin\Pictures\StopSet.tiff.quantum rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\UpdateGet.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\UpdateGet.tiff => \??\c:\Users\Admin\Pictures\UpdateGet.tiff.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\ShowGrant.tiff => \??\c:\Users\Admin\Pictures\ShowGrant.tiff.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\MountGrant.raw => \??\c:\Users\Admin\Pictures\MountGrant.raw.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\PushUnregister.raw => \??\c:\Users\Admin\Pictures\PushUnregister.raw.quantum rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\ShowGrant.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\UnblockExit.tif => \??\c:\Users\Admin\Pictures\UnblockExit.tif.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\ExpandGet.png => \??\c:\Users\Admin\Pictures\ExpandGet.png.quantum rundll32.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1924 cmd.exe -
Drops desktop.ini file(s) 26 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini rundll32.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94E42D81-B25A-11ED-80B1-DEF2FB1055A6} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1048 rundll32.exe 1048 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exedescription pid process Token: SeRestorePrivilege 1048 rundll32.exe Token: SeDebugPrivilege 1048 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1856 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1856 iexplore.exe 1856 iexplore.exe 812 IEXPLORE.EXE 812 IEXPLORE.EXE 812 IEXPLORE.EXE 812 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.execmd.exeiexplore.exedescription pid process target process PID 1048 wrote to memory of 1924 1048 rundll32.exe cmd.exe PID 1048 wrote to memory of 1924 1048 rundll32.exe cmd.exe PID 1048 wrote to memory of 1924 1048 rundll32.exe cmd.exe PID 1924 wrote to memory of 680 1924 cmd.exe attrib.exe PID 1924 wrote to memory of 680 1924 cmd.exe attrib.exe PID 1924 wrote to memory of 680 1924 cmd.exe attrib.exe PID 1856 wrote to memory of 812 1856 iexplore.exe IEXPLORE.EXE PID 1856 wrote to memory of 812 1856 iexplore.exe IEXPLORE.EXE PID 1856 wrote to memory of 812 1856 iexplore.exe IEXPLORE.EXE PID 1856 wrote to memory of 812 1856 iexplore.exe IEXPLORE.EXE -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll,#11⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C6539.bat" "C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\system32\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll"3⤵
- Views/modifies file attributes
PID:680
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD537d508a97857e4d3bb467d6d4e88f7dd
SHA11f1913c3a5d5a614ba7fe0b393a5a834fcedc895
SHA256f113ce0b2c68c412eba3d0a3e0a85ae5a4324610bb6ddc6c4919da0dc5710bcd
SHA51225f7262997d1b6ca4642d15601b6a437451bf567b462becaf342202404f428709dd33b68c52c898630bcccf75ef7af6b246ef9b74f9194fbb818542c986b4844
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a5a35b739a682db0ad1a5676b3577328
SHA15b4fa23426ad4669ad7c4451151399867431d000
SHA2560b1496d20af83e5bb836a6779ce05cf7a8fb13712d2c4b4a211119c59a4f2d24
SHA5122251b08df5706a35222bac975461e1f9585d0eeb488f24283e110af0409dcce5e37a475bbcea28b6dba9703e201a8640b12a075a8200f790bd2cf1ace16a11e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e5646c2b8987276e2a005e38139a0e56
SHA10693a3e9b90125ba8b124436fe840d558a5f7ef9
SHA25697de76816161cd7d27682d56d228a57700f95b701d90d07519ce7befd82aa670
SHA5123931b1cda5a69de196738f66282c9d2c0e78300df141ae8f41d142479ca4b09608566da1019a9aaf631c12dc391179bbf027b3dbf5700821a58ae96e58bb8e31
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58663ece71573879d2b2f88301823e2e0
SHA1f629b2091736e453dd977182527b971e27577a33
SHA25678d4bec6b54c960529b49437d1a7be8cfdd58366eb2ddb9fe7bbe59b4f776a5d
SHA51285b6bd43b97a1e3e92f27dc01cb68b0a19c8d22c39e399ab8d0e19d34ec136848481589535ca85a343c5c9ff7c8921e367291dea8176164b64c46081bfb92517
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e0ec06be5a594756abf4f30e4f0b5620
SHA1a64d9d201c26d6b0a69fe717b7660a9815ffe8f5
SHA2569cbc1f5288ef717ca80a5695ed05199c0132ece159b9e7f1a19bf8dfbb67081e
SHA5127584d0036909458842f54535d582beb8f29b13f2c0341c968241e0566d543c6e4452c7309333a12718d4f8c815043d89622f86fe47a4642bdb94937d9dcc27e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ab9d346927d65fa1df8f12ce12254f54
SHA1167b110b28caeea8562192edf58ee264cacf9280
SHA2562a5d7d6dea8a1c5cc6d2f343768b092a86aada11ad31adcbf80b7ec0b1d38642
SHA5122635548d74fa7643b8c76452f6e1e6362cc62ebfd20b5bdf0c99722b1116c78c54ab5a2ada750c2dd72f675337e32b88c4115436d78240c82cde75b41670ce89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54c2d2c45ef87f11ed546bb0eb4552768
SHA1fe0b1e4b0fe71828d246031d68e2bb9b5c20ea89
SHA256589e9422dd717c16b669e7a40131bfabe723ff8d5d9aef0dae0adf23815f5951
SHA512fc470430d4525aee131e52c5030ba9059d0ed98a64febd9415f46e53ae0081b511cdb9f0ced34338a4f582a4a5d7a93658a096bca763fa8736fb28bf79f1ed1f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54c2d2c45ef87f11ed546bb0eb4552768
SHA1fe0b1e4b0fe71828d246031d68e2bb9b5c20ea89
SHA256589e9422dd717c16b669e7a40131bfabe723ff8d5d9aef0dae0adf23815f5951
SHA512fc470430d4525aee131e52c5030ba9059d0ed98a64febd9415f46e53ae0081b511cdb9f0ced34338a4f582a4a5d7a93658a096bca763fa8736fb28bf79f1ed1f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59ff58f582c12deaf9d21858488685ec2
SHA1897b36711496280d4649b3e599878905c110390d
SHA256f726d674ed70d8885ecd2535d946c7beb7e0cfffa4f9a17ecf6b56a89c7f082c
SHA5120e592e2280fd977c9751497678b0283da7eb62572ed0fa549620261ac3e8611dae3d3d788b609fa662faa1dedfc26ddf5485391e50f50ccb49c7db475c3241fe
-
C:\Users\Admin\AppData\Local\Temp\006C6539.batFilesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
C:\Users\Admin\AppData\Local\Temp\006C6539.batFilesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
C:\Users\Admin\AppData\Local\Temp\CabC3FD.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\TarC47E.tmpFilesize
161KB
MD573b4b714b42fc9a6aaefd0ae59adb009
SHA1efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA51273af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
-
C:\Users\Admin\Desktop\README_TO_DECRYPT.htmlFilesize
2KB
MD54df060dc750138c9798a4bd67c12df48
SHA1dcfe51c4f91986c4b7dc2e2021cc5e2f4067f4ee
SHA256292a998380e66a988ccf413eb661e03c9ea9697059bf51af53bbe47c1c0e1160
SHA5127e5babf2137c0cfafee337440b7c66f64a0d1621e90b27cf51ff1789b33998ada6e900be45876d8059dbd863eb1e97be393848a8ae32bb4769a783f6c19966a6
-
C:\Users\Admin\Desktop\README_TO_DECRYPT.htmlFilesize
2KB
MD54df060dc750138c9798a4bd67c12df48
SHA1dcfe51c4f91986c4b7dc2e2021cc5e2f4067f4ee
SHA256292a998380e66a988ccf413eb661e03c9ea9697059bf51af53bbe47c1c0e1160
SHA5127e5babf2137c0cfafee337440b7c66f64a0d1621e90b27cf51ff1789b33998ada6e900be45876d8059dbd863eb1e97be393848a8ae32bb4769a783f6c19966a6
-
memory/812-352-0x0000000002880000-0x0000000002882000-memory.dmpFilesize
8KB
-
memory/1856-351-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB