Analysis
-
max time kernel
146s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 06:36
Behavioral task
behavioral1
Sample
Document.doc.scr
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Document.doc.scr
Resource
win10v2004-20240412-en
General
-
Target
Document.doc.scr
-
Size
194KB
-
MD5
b7b4c97132d03eead1fa9a9352dee6c2
-
SHA1
c9eb1bdc528076fa9c91668addf0723294ac1575
-
SHA256
1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2
-
SHA512
cb0023bc6783a94a27d2d4a67c214e8657fd334d1a94a7dba51277363dee2a67e7ecc5fc0788cead1c4e0e2dc7d9aa758203f89dce162184869d20a44d171903
-
SSDEEP
3072:v6glyuxE4GsUPnliByocWepXKD0/9Wy1Og/ZK99r:v6gDBGpvEByocWehKD0/EWfg3
Malware Config
Signatures
-
Renames multiple (610) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6775.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation 6775.tmp -
Deletes itself 1 IoCs
Processes:
6775.tmppid process 2036 6775.tmp -
Executes dropped EXE 1 IoCs
Processes:
6775.tmppid process 2036 6775.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
Document.doc.scrdescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini Document.doc.scr File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini Document.doc.scr -
Drops file in System32 directory 4 IoCs
Processes:
splwow64.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPyx5npff3_pty2ftmk8dvukfp.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP98c8y6beyp4sb7j6kpd74inxd.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPq9igtviv5z5cwj1eqitqob46d.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Document.doc.scrdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\te8ZzuVLn.bmp" Document.doc.scr Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\te8ZzuVLn.bmp" Document.doc.scr -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
Document.doc.scr6775.tmppid process 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 2036 6775.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE -
Modifies Control Panel 2 IoCs
Processes:
Document.doc.scrdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop Document.doc.scr Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\WallpaperStyle = "10" Document.doc.scr -
Modifies registry class 5 IoCs
Processes:
Document.doc.scrdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn Document.doc.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn\ = "te8ZzuVLn" Document.doc.scr Key created \REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon Document.doc.scr Key created \REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn Document.doc.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon\ = "C:\\ProgramData\\te8ZzuVLn.ico" Document.doc.scr -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Document.doc.scrpid process 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr 1524 Document.doc.scr -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
6775.tmppid process 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp 2036 6775.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Document.doc.scrdescription pid process Token: SeAssignPrimaryTokenPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeDebugPrivilege 1524 Document.doc.scr Token: 36 1524 Document.doc.scr Token: SeImpersonatePrivilege 1524 Document.doc.scr Token: SeIncBasePriorityPrivilege 1524 Document.doc.scr Token: SeIncreaseQuotaPrivilege 1524 Document.doc.scr Token: 33 1524 Document.doc.scr Token: SeManageVolumePrivilege 1524 Document.doc.scr Token: SeProfSingleProcessPrivilege 1524 Document.doc.scr Token: SeRestorePrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSystemProfilePrivilege 1524 Document.doc.scr Token: SeTakeOwnershipPrivilege 1524 Document.doc.scr Token: SeShutdownPrivilege 1524 Document.doc.scr Token: SeDebugPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeBackupPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr Token: SeSecurityPrivilege 1524 Document.doc.scr -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE 2980 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Document.doc.scrprintfilterpipelinesvc.exe6775.tmpdescription pid process target process PID 1524 wrote to memory of 3620 1524 Document.doc.scr splwow64.exe PID 1524 wrote to memory of 3620 1524 Document.doc.scr splwow64.exe PID 3872 wrote to memory of 2980 3872 printfilterpipelinesvc.exe ONENOTE.EXE PID 3872 wrote to memory of 2980 3872 printfilterpipelinesvc.exe ONENOTE.EXE PID 1524 wrote to memory of 2036 1524 Document.doc.scr 6775.tmp PID 1524 wrote to memory of 2036 1524 Document.doc.scr 6775.tmp PID 1524 wrote to memory of 2036 1524 Document.doc.scr 6775.tmp PID 1524 wrote to memory of 2036 1524 Document.doc.scr 6775.tmp PID 2036 wrote to memory of 3372 2036 6775.tmp cmd.exe PID 2036 wrote to memory of 3372 2036 6775.tmp cmd.exe PID 2036 wrote to memory of 3372 2036 6775.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document.doc.scr"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
C:\ProgramData\6775.tmp"C:\ProgramData\6775.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6775.tmp >> NUL3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B25EEBB4-86E1-4458-829A-4726F5601C22}.xps" 1335850059713700002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.iniFilesize
129B
MD564672649c86a19495b82f21796477f6a
SHA14d96fb867a8ce30aeddeee20a5e829432770186d
SHA2564f773b76e504344241a7ef56e5fa36acc490b67b209dda0b32fed7a475ff0fde
SHA512941a0b5b805560daec1722872582b8b7f6f20c09165bcce3502215b47e5d3a0ee2b6c65c7b6c327c883009d1b1e53ebd8f422a08488c70d73845eeb9a9aa47d2
-
C:\ProgramData\6775.tmpFilesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDFilesize
194KB
MD5e3042a59dbdf1e18e1217173f93ac25a
SHA1dbfd0a907601dee0b34b4e0d0219a4bc59547bda
SHA2565e53adc1c894b2bd3b4d7a0f6bf3924b13aaa6c3a4326b01f3cf16e5f0e3e937
SHA51206026dc65e6c7c5bdc3ea5607a0c35f1360fbce9aa7aea9862eddd6c531d2d08fe6cdd8aabf057908a01330180c0b146f301e43ca96e23dc4c4fc4e8abafd649
-
C:\Users\Admin\AppData\Local\Temp\{026F6FB3-3F13-4011-B790-0BA45726AE51}Filesize
4KB
MD525ca16823ffc13b0ee384bc960d8e472
SHA11b6ed010b458730819079879fa33befe46c3a58f
SHA256d24a98d5d36d031b729d07177f927c3e62eeffd22ccad1ae3e40065a368400c5
SHA512c146d2c3f59280ae776be20dc862806a9f9817e858d3e917c285711164e437faf68d3be1da9369c76aa5a0f67efb130447a13155e224abe48456b5d2a3696168
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2Filesize
4KB
MD5ee564b1142bb23e7a312204bc33d62b7
SHA104531c371229198ee9447bc805d6e76a56472084
SHA256afc02da04e23a3535cabfd0ef519e744e3e49b1bb7f4a1774a8ca9cd21084614
SHA5124fcebf8da3f8dd58518543cb42f4d683c9207d15939cd6302ecca5c6e88e813c7e9e4c875c6cef73625ac9cbdeb7e6000a5fba170f00dc0a3b2879d3c0d9dd73
-
C:\te8ZzuVLn.README.txtFilesize
434B
MD5ad29bd8c66e114ff57c943d16c78f72a
SHA15ab070ee89a36f38facae4dfc8ec5ce3e59af46e
SHA2566fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c
SHA512a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1
-
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\DDDDDDDDDDDFilesize
129B
MD56523ca70962fcef3fa2a654847de3d75
SHA1d842d5af1d88075d127e11a5893937e57ecf1883
SHA2566a164699420be2f65e4844569ded1d64224c7af77ef2e995a43b49be91676b80
SHA5127799d6a0734e015743ab9edb15d3f4296c341fbe8589a175cbb03475bb792b38a7bfb0aa9b76f90d47243b7a3b80693b95c1956b2d5dc14289a50e687f9afcca
-
memory/1524-1-0x0000000002CC0000-0x0000000002CD0000-memory.dmpFilesize
64KB
-
memory/1524-0-0x0000000002CC0000-0x0000000002CD0000-memory.dmpFilesize
64KB
-
memory/2036-2793-0x000000007FDE0000-0x000000007FDE1000-memory.dmpFilesize
4KB
-
memory/2036-2804-0x000000007FDC0000-0x000000007FDC1000-memory.dmpFilesize
4KB
-
memory/2036-2798-0x000000007FE40000-0x000000007FE41000-memory.dmpFilesize
4KB
-
memory/2036-2794-0x000000007FE00000-0x000000007FE01000-memory.dmpFilesize
4KB
-
memory/2036-2800-0x0000000002460000-0x0000000002470000-memory.dmpFilesize
64KB
-
memory/2036-2801-0x0000000002460000-0x0000000002470000-memory.dmpFilesize
64KB
-
memory/2036-2803-0x000000007FE20000-0x000000007FE21000-memory.dmpFilesize
4KB
-
memory/2980-2805-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2814-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2802-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmpFilesize
64KB
-
memory/2980-2799-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmpFilesize
64KB
-
memory/2980-2797-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2806-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2807-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2809-0x00007FF8D29C0000-0x00007FF8D29D0000-memory.dmpFilesize
64KB
-
memory/2980-2808-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2811-0x00007FF8D29C0000-0x00007FF8D29D0000-memory.dmpFilesize
64KB
-
memory/2980-2812-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2813-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2810-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2796-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmpFilesize
64KB
-
memory/2980-2815-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2816-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2817-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2818-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2820-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2819-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2821-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2823-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2795-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmpFilesize
64KB
-
memory/2980-2764-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmpFilesize
64KB
-
memory/2980-2847-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB
-
memory/2980-2848-0x00007FF914F50000-0x00007FF915145000-memory.dmpFilesize
2.0MB