Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 03:07
Behavioral task
behavioral1
Sample
Document.doc.scr
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Document.doc.scr
Resource
win10v2004-20240226-en
General
-
Target
Document.doc.scr
-
Size
194KB
-
MD5
50e5dec57451005668704281688ca55d
-
SHA1
67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
-
SHA256
062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
-
SHA512
29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
-
SSDEEP
3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B
Malware Config
Signatures
-
Renames multiple (609) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9566.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 9566.tmp -
Deletes itself 1 IoCs
Processes:
9566.tmppid process 2240 9566.tmp -
Executes dropped EXE 1 IoCs
Processes:
9566.tmppid process 2240 9566.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
Document.doc.scrdescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini Document.doc.scr File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini Document.doc.scr -
Drops file in System32 directory 4 IoCs
Processes:
printfilterpipelinesvc.exesplwow64.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\PP8ew3nw3nq4gs_mnf6ixay20bd.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPeb2jx1lqxp0dqv5_083v6_ksb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPsbowxs9rft00rese83w5l4v4b.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Document.doc.scrdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp" Document.doc.scr Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp" Document.doc.scr -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
Document.doc.scr9566.tmppid process 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 2240 9566.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE -
Modifies Control Panel 2 IoCs
Processes:
Document.doc.scrdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop Document.doc.scr Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10" Document.doc.scr -
Modifies registry class 5 IoCs
Processes:
Document.doc.scrdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk Document.doc.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk" Document.doc.scr Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon Document.doc.scr Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk Document.doc.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico" Document.doc.scr -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Document.doc.scrpid process 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr 1364 Document.doc.scr -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
9566.tmppid process 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp 2240 9566.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Document.doc.scrdescription pid process Token: SeAssignPrimaryTokenPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeDebugPrivilege 1364 Document.doc.scr Token: 36 1364 Document.doc.scr Token: SeImpersonatePrivilege 1364 Document.doc.scr Token: SeIncBasePriorityPrivilege 1364 Document.doc.scr Token: SeIncreaseQuotaPrivilege 1364 Document.doc.scr Token: 33 1364 Document.doc.scr Token: SeManageVolumePrivilege 1364 Document.doc.scr Token: SeProfSingleProcessPrivilege 1364 Document.doc.scr Token: SeRestorePrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSystemProfilePrivilege 1364 Document.doc.scr Token: SeTakeOwnershipPrivilege 1364 Document.doc.scr Token: SeShutdownPrivilege 1364 Document.doc.scr Token: SeDebugPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeBackupPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr Token: SeSecurityPrivilege 1364 Document.doc.scr -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE 4080 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Document.doc.scrprintfilterpipelinesvc.exe9566.tmpdescription pid process target process PID 1364 wrote to memory of 4492 1364 Document.doc.scr splwow64.exe PID 1364 wrote to memory of 4492 1364 Document.doc.scr splwow64.exe PID 548 wrote to memory of 4080 548 printfilterpipelinesvc.exe ONENOTE.EXE PID 548 wrote to memory of 4080 548 printfilterpipelinesvc.exe ONENOTE.EXE PID 1364 wrote to memory of 2240 1364 Document.doc.scr 9566.tmp PID 1364 wrote to memory of 2240 1364 Document.doc.scr 9566.tmp PID 1364 wrote to memory of 2240 1364 Document.doc.scr 9566.tmp PID 1364 wrote to memory of 2240 1364 Document.doc.scr 9566.tmp PID 2240 wrote to memory of 948 2240 9566.tmp cmd.exe PID 2240 wrote to memory of 948 2240 9566.tmp cmd.exe PID 2240 wrote to memory of 948 2240 9566.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document.doc.scr"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:4492 -
C:\ProgramData\9566.tmp"C:\ProgramData\9566.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9566.tmp >> NUL3⤵PID:948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4576
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5BA70C8C-637E-48A2-A8EA-7B0E76C654F0}.xps" 1335848807163200002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:3992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.iniFilesize
129B
MD5398a59172d9c44d9604d4067df112acb
SHA113e51d8782ef0da080e3bb9e7d078aa9b5fb068e
SHA2567044422bb6ddf26d458a496244449077dcebe5cc3157a8ead2269f34e22b2c31
SHA512193da77062757bb2f30da3a870eebd6f68c00f7d6c713de7ef5cf2eda06cba220cb059f38ace1ba9427e853c02fbb09161aca0d1173450fdd30668a2146f531b
-
C:\ProgramData\9566.tmpFilesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Qs2QSInbk.README.txtFilesize
434B
MD5ad29bd8c66e114ff57c943d16c78f72a
SHA15ab070ee89a36f38facae4dfc8ec5ce3e59af46e
SHA2566fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c
SHA512a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDFilesize
194KB
MD55a7e8de98a4b7fd1ecc52b02fa0565b5
SHA19a9599fabcc11c9961c35907d7da8ca97131ec63
SHA256fbbfb22e291a460d80bf5b82442448a3c82bc9d15dbb63c654a7ee3bd7fcfb2e
SHA512d3b4159fd230d806e8911a0075244401cd82765c73f49398b77cc495ca6d4fb3af6fda816f9e6788b9422df8859feb6b684c792dc8af1c18e47b7dde8a7feaf4
-
C:\Users\Admin\AppData\Local\Temp\{E91C1C1E-6F21-4F16-BA78-7A51F0CC5897}Filesize
4KB
MD577e084b6025b0cc6482856e0cd44cfb1
SHA13bc63ef2c1f3d14f9763f6d867de5bb38e8357cd
SHA256fd04e38773f6dc0b5c44156022bf6490b578cc5804420a28b3d031166ba7a1e0
SHA512b155706ca7044a3178720e7f7e0e45a88614255f5850dcdf543a2bc795a0a092db1f2e26f7bdcced47f308892e6d42b1ec8b4199f5a4a6b515e7f51b545d64ad
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2Filesize
4KB
MD54e3763b36147f8c7dcf3e90033631118
SHA14bee6e6161ab291236a82ba07ef1dab0758c48a0
SHA2564844b9898930bfbbf656068242cd654a9d49bedc0334fe1854342d109cb8f462
SHA51255f15a5d70efe7f32c93f06589559e38bbd2c6ef338738ead8eeb2c1b04f4e3229b1e581f588d7416a816c2a0b5b49bfed874f1dd476676f59f5872d938437b2
-
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDDFilesize
129B
MD5e94c593841101105515af9ec3d334797
SHA1772b741734ea3cb2cea84ae2b94ee920d5e39532
SHA2568fd4875043d0fbc75fd4164d61ceb0b06aba2eac04f46bcf677aaeaa812c9aeb
SHA512ba990015cc9801c95ea65564b970a57b90c0cbb18aed91ed51b175fb24500ec909eee821f027fd820f8001f8b314f4c57933b862c294664fe3f69f94ca46f683
-
memory/1364-1-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1364-2790-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1364-2791-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1364-0-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1364-2-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1364-2789-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/2240-2850-0x000000007FDC0000-0x000000007FDC1000-memory.dmpFilesize
4KB
-
memory/2240-2852-0x000000007FE00000-0x000000007FE01000-memory.dmpFilesize
4KB
-
memory/2240-2853-0x000000007FE40000-0x000000007FE41000-memory.dmpFilesize
4KB
-
memory/2240-2851-0x000000007FDE0000-0x000000007FDE1000-memory.dmpFilesize
4KB
-
memory/2240-2849-0x000000007FE20000-0x000000007FE21000-memory.dmpFilesize
4KB
-
memory/2240-2848-0x00000000024E0000-0x00000000024F0000-memory.dmpFilesize
64KB
-
memory/2240-2847-0x00000000024E0000-0x00000000024F0000-memory.dmpFilesize
64KB
-
memory/4080-2803-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmpFilesize
64KB
-
memory/4080-2845-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2846-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2816-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2815-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2814-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmpFilesize
64KB
-
memory/4080-2813-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2811-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmpFilesize
64KB
-
memory/4080-2806-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmpFilesize
64KB
-
memory/4080-2808-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2854-0x00007FFE68110000-0x00007FFE68120000-memory.dmpFilesize
64KB
-
memory/4080-2855-0x00007FFE68110000-0x00007FFE68120000-memory.dmpFilesize
64KB
-
memory/4080-2805-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2804-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmpFilesize
64KB
-
memory/4080-2877-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2878-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB
-
memory/4080-2879-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmpFilesize
2.0MB