Analysis
-
max time kernel
33s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-04-2023 14:25
General
-
Target
Endermanch@Ana.exe
-
Size
2.1MB
-
MD5
f571faca510bffe809c76c1828d44523
-
SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2
-
SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb
-
SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51
-
SSDEEP
49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Ana.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Ana.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AV.EXE"C:\Users\Admin\AppData\Local\Temp\AV.EXE"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8563⤵
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXE"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\nN17766EcFpF17766\nN17766EcFpF17766.exe"\nN17766EcFpF17766\nN17766EcFpF17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DB.EXE"C:\Users\Admin\AppData\Local\Temp\DB.EXE"2⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wlgpclntz.exeC:\Windows\SysWOW64\wlgpclntz.exe3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns4⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins8046.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\EN.EXE"C:\Users\Admin\AppData\Local\Temp\EN.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul3⤵
-
C:\Users\Admin\AppData\Local\Temp\SB.EXE"C:\Users\Admin\AppData\Local\Temp\SB.EXE"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.0.774764109\199675081" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbfbde71-df88-4276-95f9-0e11bca034b2} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 1924 231833e9558 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.1.580447423\147414" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ea54e2-e407-46dc-8442-82ff74283ea1} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 2316 2318330e958 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.2.1629785321\408111916" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f549a5c-3a2b-4a1e-9884-f79b7c2dcbea} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3104 231871ce858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.3.449611620\1524482403" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 3424 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fde8ef3-4dd8-446d-9631-f946319fad37} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3460 23187efb558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.4.740820199\425981886" -childID 3 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a21e13a-15f8-4588-9540-238c4129aeb9} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3544 231844cdb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.5.2002164765\1594850312" -childID 4 -isForBrowser -prefsHandle 3576 -prefMapHandle 3532 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a346c60-5e22-46d8-838c-9b6f9a9d5cbc} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3588 23187efb858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.6.852530274\945176174" -childID 5 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d698c873-9993-4f97-b9b1-c1443cfeeecb} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3608 23187efbb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.7.1673303452\1693003610" -childID 6 -isForBrowser -prefsHandle 3624 -prefMapHandle 3608 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b820a6-5c91-45d9-b348-fe386e733a5b} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3628 23187efbe58 tab3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2956 -ip 29561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AV.EXEFilesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
C:\Users\Admin\AppData\Local\Temp\AV.EXEFilesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
C:\Users\Admin\AppData\Local\Temp\AV.EXEFilesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXEFilesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXEFilesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXEFilesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
C:\Users\Admin\AppData\Local\Temp\DB.EXEFilesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
C:\Users\Admin\AppData\Local\Temp\DB.EXEFilesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
C:\Users\Admin\AppData\Local\Temp\DB.EXEFilesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
C:\Users\Admin\AppData\Local\Temp\EN.EXEFilesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
C:\Users\Admin\AppData\Local\Temp\EN.EXEFilesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
C:\Users\Admin\AppData\Local\Temp\EN.EXEFilesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
C:\Users\Admin\AppData\Local\Temp\GB.EXEFilesize
149KB
MD5fe731b4c6684d643eb5b55613ef9ed31
SHA1cfafe2a14f5413278304920154eb467f7c103c80
SHA256e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496
SHA512f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e
-
C:\Users\Admin\AppData\Local\Temp\SB.EXEFilesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
C:\Users\Admin\AppData\Local\Temp\SB.EXEFilesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
C:\Users\Admin\AppData\Local\Temp\SB.EXEFilesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
C:\Users\Admin\AppData\Local\Temp\tsa.crtFilesize
1010B
MD56e630504be525e953debd0ce831b9aa0
SHA1edfa47b3edf98af94954b5b0850286a324608503
SHA2562563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2
-
C:\Users\Admin\AppData\Local\Temp\~unins8046.batFilesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.jsFilesize
6KB
MD59971fa8fa89a208685d3e30835832fb5
SHA15d9972a3bdbd4c18b3648597d2fd9f9fd6e30300
SHA25613417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084
SHA51202b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f
-
C:\Windows\SysWOW64\wlgpclntz.exeFilesize
101KB
MD59176eb72f9d9ae4df53f7d19516b99e2
SHA1b4e39f1f53c97ecd391c7a4fe2202d6ece8d890c
SHA2560f110b84c4f4f1f5ef40d4278a76441cb50cd6ddf98e4f8d91f180864a285957
SHA512548bdd7a55039bb3e511f463b36d031cfe37da0c4f7ce22bf50e251523b5d15afedcb246265e1496308d6998b6cdd6e856499e72dcddc368ae9f2fc9b6c9c3e9
-
C:\Windows\SysWOW64\wlgpclntz.exeFilesize
101KB
MD59176eb72f9d9ae4df53f7d19516b99e2
SHA1b4e39f1f53c97ecd391c7a4fe2202d6ece8d890c
SHA2560f110b84c4f4f1f5ef40d4278a76441cb50cd6ddf98e4f8d91f180864a285957
SHA512548bdd7a55039bb3e511f463b36d031cfe37da0c4f7ce22bf50e251523b5d15afedcb246265e1496308d6998b6cdd6e856499e72dcddc368ae9f2fc9b6c9c3e9
-
C:\nN17766EcFpF17766\nN17766EcFpF17766.exeFilesize
368KB
MD5d593750ab8a4edd4b7809184e3e60c1d
SHA13d770852fe296627ef3bb763e0dcb0258d461ef3
SHA256af6074c0e20e7ee4777549c73171a1ef62cda1e3c30b292651a61d364fe1525d
SHA51267d3450129a6b29b6e3600b591b25ef2fc39c6efe638457923c7e1ec8486657273f5a7c414c186a66822257d5668f185b1d9396414c811920219436b4748d2d9
-
memory/1164-204-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1496-169-0x00000000001C0000-0x00000000001F1000-memory.dmpFilesize
196KB
-
memory/1496-199-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/1496-183-0x00000000005C0000-0x0000000000653000-memory.dmpFilesize
588KB
-
memory/1496-168-0x0000000000400000-0x0000000000445000-memory.dmpFilesize
276KB
-
memory/1496-190-0x00000000005C0000-0x0000000000653000-memory.dmpFilesize
588KB
-
memory/1496-192-0x00000000005C0000-0x0000000000653000-memory.dmpFilesize
588KB
-
memory/2956-210-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/2956-201-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/2956-200-0x00000000007F0000-0x00000000007F3000-memory.dmpFilesize
12KB
-
memory/3844-240-0x00000000015B0000-0x00000000015C0000-memory.dmpFilesize
64KB
-
memory/3844-198-0x00000000015B0000-0x00000000015C0000-memory.dmpFilesize
64KB
-
memory/3980-197-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB