Analysis
- max time kernel: 118s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-02-2022 13:44

Static task: static1
Behavioral task: behavioral1
Sample: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
Resource: win7-en-20211208

General
- Target: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
- Size: 6.0MB
- MD5: a2d41440e015f546c646d23e96bba3fb
- SHA1: d42da38f61490026b421d5ac37618f84978fa42e
- SHA256: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648
- SHA512: 7fc71dcef3f8e33b0b31e5611bcdbea4db0e43833df0daf9a798206baf5574a09a14c7e9e1a3496404e22fca2993eb654748879bf8ce040a1b5e08f3d1902b94
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
flow | pid | process
56 | 3280 | WScript.exe
-
Executes dropped EXE 3 IoCs
Processes: bescab.exe, chawervp.exe, IntelRapid.exe
pid | process
4488 | bescab.exe
4464 | chawervp.exe
4336 | IntelRapid.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: chawervp.exe, IntelRapid.exe, bescab.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chawervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chawervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bescab.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bescab.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: chawervp.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | chawervp.exe
-
Drops startup file 1 IoCs
Processes: bescab.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | bescab.exe
-
Loads dropped DLL 1 IoCs
Processes: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
pid | process
408 | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\runkly\bescab.exe | themida
C:\Users\Admin\AppData\Local\Temp\runkly\chawervp.exe | themida
behavioral2/memory/4488-135-0x00007FF604170000-0x00007FF604AD3000-memory.dmp | themida
behavioral2/memory/4488-136-0x00007FF604170000-0x00007FF604AD3000-memory.dmp | themida
behavioral2/memory/4464-138-0x0000000000140000-0x00000000007AE000-memory.dmp | themida
behavioral2/memory/4464-140-0x0000000000140000-0x00000000007AE000-memory.dmp | themida
behavioral2/memory/4488-141-0x00007FF604170000-0x00007FF604AD3000-memory.dmp | themida
behavioral2/memory/4464-142-0x0000000000140000-0x00000000007AE000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | themida
behavioral2/memory/4336-145-0x00007FF737B50000-0x00007FF7384B3000-memory.dmp | themida
behavioral2/memory/4336-146-0x00007FF737B50000-0x00007FF7384B3000-memory.dmp | themida
behavioral2/memory/4336-147-0x00007FF737B50000-0x00007FF7384B3000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes: bescab.exe, chawervp.exe, IntelRapid.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bescab.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | chawervp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
16 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: bescab.exe, chawervp.exe, IntelRapid.exe
pid | process
4488 | bescab.exe
4464 | chawervp.exe
4336 | IntelRapid.exe
-
Drops file in Program Files directory 3 IoCs
Processes: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
-
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: chawervp.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | chawervp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chawervp.exe
-
Modifies registry class 1 IoCs
Processes: chawervp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | chawervp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: IntelRapid.exe
pid | process
4336 | IntelRapid.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: chawervp.exe
pid | process
4464 | chawervp.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 908 | svchost.exe
Token: SeCreatePagefilePrivilege | 908 | svchost.exe
Token: SeSecurityPrivilege | 2908 | TiWorker.exe
Token: SeRestorePrivilege | 2908 | TiWorker.exe
Token: SeBackupPrivilege | 2908 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe, bescab.exe, chawervp.exe
description | pid | process | target process
PID 408 wrote to memory of 4488 | 408 | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe | bescab.exe
PID 408 wrote to memory of 4464 | 408 | 488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe | chawervp.exe
PID 4488 wrote to memory of 4336 | 4488 | bescab.exe | IntelRapid.exe
PID 4464 wrote to memory of 4012 | 4464 | chawervp.exe | WScript.exe
PID 4464 wrote to memory of 3280 | 4464 | chawervp.exe | WScript.exe
Processes
C:\Users\Admin\AppData\Local\Temp\488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\488c8ca1ddf12bd8a8a137cedc546c17b436839a1c91382bb6e6f3e333a63648.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\runkly\bescab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\runkly\bescab.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Drops startup file
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener

  C:\Users\Admin\AppData\Local\Temp\runkly\chawervp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\runkly\chawervp.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\itlctxncaeh.vbs"

    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pvaorjoqh.vbs"
    - Blocklisted process makes network request

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads