Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20231215-en
- resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-02-2024 11:35
Static task: static1
Behavioral task: behavioral1
Sample: BrickHillSetup.exe
Resource: win11-20231215-en
Errors
General
- Target: BrickHillSetup.exe
- Size: 1.6MB
- MD5: 085c248832ef03881059faec18eae7ff
- SHA1: 8477892aadc283f5d000b2c36e4c44c370f59727
- SHA256: d755331262471b1c5fb7c47ad5e0e5129f8c103f3e5df06120b3f8db61c31aae
- SHA512: 80d3327168c4597554f441cf29360d9ae982bd36afa7e6409c6e2b779eddc7a522f2bdcd190a82517fb445bf7714377f30a79c2cedea168f19139d82cc94c43f
- SSDEEP: 24576:u4nXubIQGyxbPV0db26ifZbRQKiFDhbGh3+shiy/wxwWIFgi5LPxf0XE:uqe3f60oKil5QhiyPbFT9eE
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: BrickHillSetup.tmp

| pid | process |
|---|---|
| 2132 | BrickHillSetup.tmp |

Loads dropped DLL 1 IoCs
Processes: SystemSettingsAdminFlows.exe

| pid | process |
|---|---|
| 2632 | SystemSettingsAdminFlows.exe |

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: SystemSettingsAdminFlows.exe

| description | ioc | process |
|---|---|---|
| File opened (read-only) | \??\F: | SystemSettingsAdminFlows.exe |

Drops file in System32 directory 1 IoCs
Processes: SystemSettingsAdminFlows.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | SystemSettingsAdminFlows.exe |

Drops file in Windows directory 64 IoCs
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe |

Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" | LogonUI.exe |

Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes: SystemSettingsAdminFlows.exe, vssvc.exe

| description | pid | process |
|---|---|---|
| Token: SeBackupPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeSystemEnvironmentPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeBackupPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeSecurityPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeTakeOwnershipPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeBackupPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeBackupPrivilege | 2420 | vssvc.exe |
| Token: SeRestorePrivilege | 2420 | vssvc.exe |
| Token: SeAuditPrivilege | 2420 | vssvc.exe |
| Token: SeTakeOwnershipPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeTakeOwnershipPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeBackupPrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeRestorePrivilege | 2632 | SystemSettingsAdminFlows.exe |
| Token: SeShutdownPrivilege | 2632 | SystemSettingsAdminFlows.exe |

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: SystemSettingsAdminFlows.exe, LogonUI.exe

| pid | process |
|---|---|
| 2632 | SystemSettingsAdminFlows.exe |
| 2064 | LogonUI.exe |

Suspicious use of WriteProcessMemory 3 IoCs
Processes: BrickHillSetup.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 4736 wrote to memory of 2132 | 4736 | BrickHillSetup.exe | BrickHillSetup.tmp |
| PID 4736 wrote to memory of 2132 | 4736 | BrickHillSetup.exe | BrickHillSetup.tmp |
| PID 4736 wrote to memory of 2132 | 4736 | BrickHillSetup.exe | BrickHillSetup.tmp |

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
  PID: 4736
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp" /SL5="$A0082,810935,780288,C:\Users\Admin\AppData\Local\Temp\BrickHillSetup.exe"
    PID: 2132
    - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 3796
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 2592
  - Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 988
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
  PID: 2632
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1092
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4264
  - Checks SCSI registry key(s)
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1224
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2420
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a22055 /state1:0x41c64e6d
  PID: 2064
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\$SysReset\Logs\ResetConfig.ini (Filesize: 186B)
- C:\$SysReset\Logs\ResetConfig.ini (Filesize: 139B)
- C:\$SysReset\Logs\setupact.log (Filesize: 115KB)
- C:\$SysReset\Logs\setuperr.log (Filesize: 974B)
- C:\$SysReset\ResetSession.xml (Filesize: 7KB)
- C:\Users\Admin\AppData\Local\Temp\is-Q49F0.tmp\BrickHillSetup.tmp (Filesize: 369KB)
- C:\Users\Admin\AppData\Local\Temp\{5CBEB16F-2428-4E42-B976-A22124BDE5F3}\ssshim.dll (Filesize: 148KB)
- C:\Windows\Logs\PBR\SessionID.xml (Filesize: 106B)
- C:\Windows\Logs\PBR\Timestamp.xml (Filesize: 42B)
- C:\Windows\Logs\PBR\WinRE\bootstat.dat (Filesize: 66KB)
- C:\Windows\Panther\UnattendGC\diagwrn.xml (Filesize: 12KB)
- C:\Windows\System32\Recovery\ReAgent.xml (Filesize: 1KB)
- memory/2132-15-0x0000000002910000-0x0000000002911000-memory.dmp (Filesize: 4KB)
- memory/2132-9-0x0000000000400000-0x0000000000705000-memory.dmp (Filesize: 3.0MB)
- memory/2132-6-0x0000000002910000-0x0000000002911000-memory.dmp (Filesize: 4KB)
- memory/4736-1-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
- memory/4736-8-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)