Analysis
max time kernel: 34s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-03-2023 09:15
Behavioral task: behavioral1
Sample: TwentyApp.exe
Resource: win10v2004-20230220-en
General
Target: TwentyApp.exe
Size: 3.3MB
MD5: 5e2b1df5effbe5123eeff6752af2ca59
SHA1: 2e1597b42c40155aa4f56ed708ea4aeb2a5d8698
SHA256: cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37
SHA512: e1ce42dbea6940dbf883ba32f4e934dce2803606a3109369ddfc9cf47e89d82f4f6fcb1854a0745a0e4cb0ad1e095627f35c03a06fa5f42693638039b58698c2
SSDEEP: 98304:mZgO4UAJkCxZt3e0Y6qRlp5CNMqMDstLS7cqjAny:mZg3JlB3gXRlpkMqUM6cqjo
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: TwentyApp.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; process: TwentyApp.exe

Blocklisted process makes network request (1 IoCs)
Processes: powershell.exe
  flow: 60; pid: 1372; process: powershell.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: TwentyApp.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: TwentyApp.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: TwentyApp.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: TwentyApp.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation; process: TwentyApp.exe

Processes:
  resource: behavioral1/memory/1252-137-0x0000000000450000-0x0000000000D16000-memory.dmp; yara_rule: themida
  resource: behavioral1/memory/1252-138-0x0000000000450000-0x0000000000D16000-memory.dmp; yara_rule: themida
  resource: behavioral1/memory/1252-198-0x0000000000450000-0x0000000000D16000-memory.dmp; yara_rule: themida

Processes: TwentyApp.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: TwentyApp.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: reg.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = " "; process: reg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: TwentyApp.exe
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings; process: TwentyApp.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
  pid: 4496; process: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe, powershell.exe
  pid: 744; process: powershell.exe
  pid: 1372; process: powershell.exe
  pid: 1372; process: powershell.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes: TwentyApp.exe, powershell.exe, powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
  description: Token: SeDebugPrivilege; pid: 1252; process: TwentyApp.exe
  description: Token: SeDebugPrivilege; pid: 744; process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 1372; process: powershell.exe
  description: Token: SeShutdownPrivilege; pid: 2292; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 2292; process: powercfg.exe
  description: Token: SeShutdownPrivilege; pid: 1660; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 1660; process: powercfg.exe
  description: Token: SeShutdownPrivilege; pid: 4980; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 4980; process: powercfg.exe
  description: Token: SeShutdownPrivilege; pid: 3292; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 3292; process: powercfg.exe
  description: Token: SeShutdownPrivilege; pid: 1508; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 1508; process: powercfg.exe
  description: Token: SeShutdownPrivilege; pid: 3500; process: powercfg.exe
  description: Token: SeCreatePagefilePrivilege; pid: 3500; process: powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe
    "C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1012060155208282172/1075934313662644224/BitsumHighestPerformance.pow' -OutFile 'C:\Users\Admin\AppData\Local\Temp\powerplan.pow'
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\powercfg.exe
          powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo Imported Power Scheme Successfully. GUID: 11d01da9-2679-4929-8d67-7ffeb71a8c7b| findstr /C:"GUID:"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Imported Power Scheme Successfully. GUID: 11d01da9-2679-4929-8d67-7ffeb71a8c7b"

      [4] C:\Windows\SysWOW64\findstr.exe
          findstr /C:"GUID:"

    [3] C:\Windows\SysWOW64\powercfg.exe
        powercfg setactive 11d01da9-2679-4929-8d67-7ffeb71a8c7b
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powercfg /l
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\powercfg.exe
          powercfg /l
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\powercfg.exe
        powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\powercfg.exe
        powercfg /delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\powercfg.exe
        powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d " " /f
        - Sets desktop wallpaper using registry

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Colors" /v "Background" /t REG_SZ /d "0 0 0" /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v BackgroundType /t REG_DWORD /d 1 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v CurrentWallpaperPath /t REG_SZ /d "" /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "FontSmoothing" /t REG_DWORD /d 2 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "DragFullWindows" /t REG_DWORD /d 1 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 1 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 1 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSmallIcons" /t REG_DWORD /d 1 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t REG_DWORD /d 0 /f

    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "OnboardUnpinCortana" /t REG_DWORD /d 1 /f

  [2] C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gracias.txt
      - Opens file in notepad (likely ransom note)

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 728B
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_taxrajgn.0pg.ps1
  Filesize: 60B
- C:\Users\Admin\AppData\Local\Temp\gracias.txt
  Filesize: 197B
- C:\Users\Admin\AppData\Local\Temp\powerplan.pow
  Filesize: 8KB
- C:\Users\Admin\AppData\Local\Temp\tempFile.bat
  Filesize: 898B
- C:\Users\Admin\AppData\Local\Temp\tempFile.bat
  Filesize: 1KB