Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 13:22
Behavioral task behavioral1
- Sample: TwentyApp.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: TwentyApp.exe
- Resource: win10v2004-20230220-en
General
- Target: TwentyApp.exe
- Size: 3.3MB
- MD5: 5e2b1df5effbe5123eeff6752af2ca59
- SHA1: 2e1597b42c40155aa4f56ed708ea4aeb2a5d8698
- SHA256: cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37
- SHA512: e1ce42dbea6940dbf883ba32f4e934dce2803606a3109369ddfc9cf47e89d82f4f6fcb1854a0745a0e4cb0ad1e095627f35c03a06fa5f42693638039b58698c2
- SSDEEP: 98304:mZgO4UAJkCxZt3e0Y6qRlp5CNMqMDstLS7cqjAny:mZg3JlB3gXRlpkMqUM6cqjo
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: TwentyApp.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: TwentyApp.exe)
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
- flow 47, pid 4448, process powershell.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: TwentyApp.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: TwentyApp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: TwentyApp.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: TwentyApp.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (process: TwentyApp.exe)
Processes:
- resource behavioral2/memory/1000-137-0x0000000000770000-0x0000000001036000-memory.dmp, yara_rule themida
- resource behavioral2/memory/1000-138-0x0000000000770000-0x0000000001036000-memory.dmp, yara_rule themida
- resource behavioral2/memory/1000-210-0x0000000000770000-0x0000000001036000-memory.dmp, yara_rule themida
Processes: TwentyApp.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: TwentyApp.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: reg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallPaper = " " (process: reg.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: TwentyApp.exe
- Key created: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings (process: TwentyApp.exe)
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
- pid 4108, process NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe, powershell.exe
- pid 4804, process powershell.exe
- pid 4448, process powershell.exe
- pid 4448, process powershell.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: TwentyApp.exe, powershell.exe, powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
- Token: SeDebugPrivilege, pid 1000, process TwentyApp.exe
- Token: SeDebugPrivilege, pid 4804, process powershell.exe
- Token: SeDebugPrivilege, pid 4448, process powershell.exe
- Token: SeShutdownPrivilege, pid 3444, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 3444, process powercfg.exe
- Token: SeShutdownPrivilege, pid 4336, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 4336, process powercfg.exe
- Token: SeShutdownPrivilege, pid 5068, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 5068, process powercfg.exe
- Token: SeShutdownPrivilege, pid 3076, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 3076, process powercfg.exe
- Token: SeShutdownPrivilege, pid 3824, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 3824, process powercfg.exe
- Token: SeShutdownPrivilege, pid 4996, process powercfg.exe
- Token: SeCreatePagefilePrivilege, pid 4996, process powercfg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1012060155208282172/1075934313662644224/BitsumHighestPerformance.pow' -OutFile 'C:\Users\Admin\AppData\Local\Temp\powerplan.pow'
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\powercfg.exe
        Command line: powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c echo Imported Power Scheme Successfully. GUID: 25d9e331-57a9-4133-a3b8-08736d1a1459| findstr /C:"GUID:"
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Imported Power Scheme Successfully. GUID: 25d9e331-57a9-4133-a3b8-08736d1a1459"
      [depth 4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /C:"GUID:"
    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg setactive 25d9e331-57a9-4133-a3b8-08736d1a1459
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powercfg /l
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\powercfg.exe
        Command line: powercfg /l
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg /delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d " " /f
      - Sets desktop wallpaper using registry
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Control Panel\Colors" /v "Background" /t REG_SZ /d "0 0 0" /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v BackgroundType /t REG_DWORD /d 1 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v CurrentWallpaperPath /t REG_SZ /d "" /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "FontSmoothing" /t REG_DWORD /d 2 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "DragFullWindows" /t REG_DWORD /d 1 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 1 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 1 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSmallIcons" /t REG_DWORD /d 1 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t REG_DWORD /d 0 /f
    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "OnboardUnpinCortana" /t REG_DWORD /d 1 /f
  [depth 2] C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gracias.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize: 728B)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3dpmmep.3yb.ps1 (Filesize: 60B)
- C:\Users\Admin\AppData\Local\Temp\gracias.txt (Filesize: 197B)
- C:\Users\Admin\AppData\Local\Temp\powerplan.pow (Filesize: 8KB)
- C:\Users\Admin\AppData\Local\Temp\tempFile.bat (Filesize: 898B)
- C:\Users\Admin\AppData\Local\Temp\tempFile.bat (Filesize: 1KB)