Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15/10/2024, 22:08

General

  • Target

    5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

  • Size

    252KB

  • MD5

    98b94959187e33ef4fdb4116cc2aa1e2

  • SHA1

    4df59ac87cfe2d6b88490452e5eb8abfc16ee167

  • SHA256

    5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35

  • SHA512

    32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8

  • SSDEEP

    3072:cOXQ2G+IpQZQne73qe8UzT+nWwXjDRJWwXjDRgjDRbL7oZC3:jvGlpQE4qNUzCrw

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Discovers systems in the same network 1 TTPs 4 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
    "C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
      C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\ProgramData\Application Data\wmimgmt.exe
        "C:\ProgramData\Application Data\wmimgmt.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\ProgramData\Application Data\wmimgmt.exe
          "C:\ProgramData\Application Data\wmimgmt.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:496
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2152
            • C:\Windows\SysWOW64\findstr.exe
              findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2164
            • C:\Windows\SysWOW64\chcp.com
              chcp
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1404
            • C:\Windows\SysWOW64\net.exe
              net user
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 user
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2316
            • C:\Windows\SysWOW64\net.exe
              net localgroup administrators
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1168
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup administrators
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2276
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
            • C:\Windows\SysWOW64\systeminfo.exe
              systeminfo
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers system information
              PID:2632
            • C:\Windows\SysWOW64\reg.exe
              reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1956
            • C:\Windows\SysWOW64\find.exe
              find "REG_"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1776
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2908
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:660
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1488
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2928
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:852
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3064
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2144
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:296
            • C:\Windows\SysWOW64\NETSTAT.EXE
              netstat -ano
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Connections Discovery
              • Gathers network information
              • Suspicious use of AdjustPrivilegeToken
              PID:2036
            • C:\Windows\SysWOW64\ARP.EXE
              arp -a
              6⤵
              • Network Service Discovery
              • System Location Discovery: System Language Discovery
              PID:2788
            • C:\Windows\SysWOW64\NETSTAT.EXE
              netstat -r
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:2376
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2228
                • C:\Windows\SysWOW64\ROUTE.EXE
                  C:\Windows\system32\route.exe print
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1112
            • C:\Windows\SysWOW64\net.exe
              net start
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1140
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1932
            • C:\Windows\SysWOW64\net.exe
              net use
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1408
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo n"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2168
            • C:\Windows\SysWOW64\net.exe
              net share
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1304
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1000
            • C:\Windows\SysWOW64\net.exe
              net view /domain
              6⤵
              • System Location Discovery: System Language Discovery
              • Discovers systems in the same network
              PID:1992
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:960
            • C:\Windows\SysWOW64\find.exe
              find /i /v "------"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2424
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3040
            • C:\Windows\SysWOW64\find.exe
              find /i /v "domain"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1684
            • C:\Windows\SysWOW64\find.exe
              find /i /v "¬A╛╣"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1132
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1544
            • C:\Windows\SysWOW64\find.exe
              find /i /v "░⌡ªµª¿"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2904
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1752
            • C:\Windows\SysWOW64\find.exe
              find /i /v "├ⁿ┴ε"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2452
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1748
            • C:\Windows\SysWOW64\find.exe
              find /i /v "completed successfully"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1732
            • C:\Windows\SysWOW64\net.exe
              net view /domain:"WORKGROUP"
              6⤵
              • System Location Discovery: System Language Discovery
              • Discovers systems in the same network
              PID:1784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\workgrp.tmp "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1912
            • C:\Windows\SysWOW64\find.exe
              find "\\"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2256
            • C:\Windows\SysWOW64\net.exe
              net view \\ZQABOPWE
              6⤵
              • System Location Discovery: System Language Discovery
              • Discovers systems in the same network
              PID:2932
            • C:\Windows\SysWOW64\net.exe
              net view \\ZQABOPWE
              6⤵
              • System Location Discovery: System Language Discovery
              • Discovers systems in the same network
              PID:2344
            • C:\Windows\SysWOW64\find.exe
              find "Disk"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:340
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 1 ZQABOPWE
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1056
            • C:\Windows\SysWOW64\findstr.exe
              findstr /i "Pinging Reply Request Unknown"
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1984

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\INFO.TXT

          Filesize

          7KB

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\INFO.TXT

          Filesize

          24.9MB

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\drivers.p

          Filesize

          15B

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat

          Filesize

          3KB

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\s.log

          Filesize

          153B

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\s.log

          Filesize

          64B

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\t.log

          Filesize

          72B

        • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\workgrp.tmp

          Filesize

          234B

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\INFO.TXT

          Filesize

          43B

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\INFO.TXT

          Filesize

          15KB

        • C:\Users\Public\Documents\Media\line.dat

          Filesize

          74B

        • \ProgramData\wmimgmt.exe

          Filesize

          252KB

          MD5

          98b94959187e33ef4fdb4116cc2aa1e2

          SHA1

          4df59ac87cfe2d6b88490452e5eb8abfc16ee167

          SHA256

          5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35

          SHA512

          32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8
