Analysis
-
max time kernel
242s -
max time network
240s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
15-04-2023 04:16
General
-
Target
Setup for cm2demo_oWTv-t1.exe
-
Size
1.7MB
-
MD5
99a9fbd5fee72ce51585309390a46717
-
SHA1
ff39c56312090a909c2c0c82629c552a3b252a98
-
SHA256
833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa
-
SHA512
97f9a98fb48c8281818163d3dbe66fa246e1fe6a5a67f15175419992b0ca389cbe086e457177c21ce9c99ff05a1e0b508812cdf30220090a438dd8c94f73c6b7
-
SSDEEP
24576:R4nXubIQGyxbPV0db26Wmd0l4sv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO7:Rqe3f61mZSffPMWrQ0ZkA
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-1G8EP.tmp\Setup for cm2demo_oWTv-t1.tmp"C:\Users\Admin\AppData\Local\Temp\is-1G8EP.tmp\Setup for cm2demo_oWTv-t1.tmp" /SL5="$80030,831488,831488,C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-SBCK8.tmp\file_oWTv-t1.exe"C:\Users\Admin\AppData\Local\Temp\is-SBCK8.tmp\file_oWTv-t1.exe" /LANG=en /NA=Rh85hR643⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-G67GD.tmp\file_oWTv-t1.tmp"C:\Users\Admin\AppData\Local\Temp\is-G67GD.tmp\file_oWTv-t1.tmp" /SL5="$20200,1559708,780800,C:\Users\Admin\AppData\Local\Temp\is-SBCK8.tmp\file_oWTv-t1.exe" /LANG=en /NA=Rh85hR644⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exe"C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VER3C.tmp\booking.com.tmp"C:\Users\Admin\AppData\Local\Temp\is-VER3C.tmp\booking.com.tmp" /SL5="$50086,44041568,831488,C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\booking.com\is-47CJ2.tmpFilesize
80.9MB
MD5e0eb85cbc618e8d8b5a65394da966902
SHA1e348bddc0d4efd87f2f51ca759de564a3729ec1d
SHA25679b37e88304ae6714bfed2bad59bc12b70f2f8332c6d901fef4d666dee953819
SHA5122ed5a12583d2d365f802c1b3a4e354585f5d11e86cc74412baee8546305984f06d47906e915ac3597dd13fa0c220c8f7aa27dd25eb68db59253ccd264e6dbf43
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
4KB
MD5f7dcb24540769805e5bb30d193944dce
SHA1e26c583c562293356794937d9e2e6155d15449ee
SHA2566b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6FGHNCOX\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\E6652YO4\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\is-1G8EP.tmp\Setup for cm2demo_oWTv-t1.tmpFilesize
3.0MB
MD50c229cd26910820581b5809c62fe5619
SHA128c0630385b21f29e3e2bcc34865e5d15726eaa0
SHA256abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3
SHA512b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a
-
C:\Users\Admin\AppData\Local\Temp\is-G67GD.tmp\file_oWTv-t1.tmpFilesize
2.9MB
MD5623a3abd7b318e1f410b1e12a42c7b71
SHA188e34041850ec4019dae469adc608e867b936d21
SHA256fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3
SHA5129afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\Booking_com.pngFilesize
148KB
MD50c3679093b2b4b5eeaa107a0b4441a7f
SHA1179cabf5c3e647fe4a0d68e61b1473af5a803f31
SHA256b781277a2aa83f02bfa16e1ec60bef3227c79082ae22385c356e0b87d225f30b
SHA51266334fe661226b0dbcad18b7cc5b4c63249a7c939f6b07e4d84587022837142274b4287e6faa051952bef10d352dcc77786f677842f82dfabdf4b349f6d70303
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\finish.pngFilesize
2KB
MD57afaf9e0e99fd80fa1023a77524f5587
SHA1e20c9c27691810b388c73d2ca3e67e109c2b69b6
SHA256760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0
SHA512a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\mainlogo.pngFilesize
7KB
MD5c552e74a342cb35fa8b45ed4190c1609
SHA11e914f5a79af3bc1dc990a9f2d1ebdb41edc82d5
SHA256d386a1220f26de84d3b9a220db6a058e94d82b2403c8f70103ee20fa5579407f
SHA51280837907c8febe9306b149114b637b491bedede7c49d426e6ce9c1b416014c4beb4de57da1bef39a3783a345971b92532ce374f9138255588ebae6d15232a081
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0.zipFilesize
42.3MB
MD5a6236fe786cfd405d7dd6c5577478655
SHA1fcb0aca7f5ecf530a1f21e2e3c6e2a21cbf13202
SHA256438101d9a184e61d6ffb6e84b18adadb9ba9cf87d54c8c152c8f6193a5b0a272
SHA5122a259f41619e3324fede19931a600d6fa29522402ec83fe695945676e0f1b17a32739c02c676b95ae73dd0e509114011cba0bdebcebeda643accf24645b90f50
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exeFilesize
42.9MB
MD5056f5a50acb5e5708822dcddc7c74bcf
SHA1b9b18c4db2250740ac6cde056350864baa259e01
SHA2568d8347df5bbe962aa966288489a01a9a95d2ded4551d9c3c56306e19f712313c
SHA512edfe23eec1e855309d780feaaf7e59fcf7491441ca489d8f2bfc423a673e04438191c75be6f122fb5bf3c157f739fee864d4f83d14f77b0e7973496473441450
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exeFilesize
42.9MB
MD5056f5a50acb5e5708822dcddc7c74bcf
SHA1b9b18c4db2250740ac6cde056350864baa259e01
SHA2568d8347df5bbe962aa966288489a01a9a95d2ded4551d9c3c56306e19f712313c
SHA512edfe23eec1e855309d780feaaf7e59fcf7491441ca489d8f2bfc423a673e04438191c75be6f122fb5bf3c157f739fee864d4f83d14f77b0e7973496473441450
-
C:\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\prod0_extract\booking.com.exeFilesize
42.9MB
MD5056f5a50acb5e5708822dcddc7c74bcf
SHA1b9b18c4db2250740ac6cde056350864baa259e01
SHA2568d8347df5bbe962aa966288489a01a9a95d2ded4551d9c3c56306e19f712313c
SHA512edfe23eec1e855309d780feaaf7e59fcf7491441ca489d8f2bfc423a673e04438191c75be6f122fb5bf3c157f739fee864d4f83d14f77b0e7973496473441450
-
C:\Users\Admin\AppData\Local\Temp\is-SBCK8.tmp\file_oWTv-t1.exeFilesize
2.3MB
MD5bcf79c6ac6046082c712d5884ab690e2
SHA183bd26f0db64a38e01fdaf85872dd91db9a422eb
SHA25698ab6d6cef5d69b67aaa74c3319f96976a28aef9547a7171c3ff9fa074384f27
SHA512f2bf2aab51adea108396f0ad4b5b1af0a634dd5fed7838912bee1b31e23a11918bf569499dc4e7bdb870e5f1fff1aa3fb578e689f00f537c97fd38ca4de63f44
-
C:\Users\Admin\AppData\Local\Temp\is-SBCK8.tmp\file_oWTv-t1.exeFilesize
2.3MB
MD5bcf79c6ac6046082c712d5884ab690e2
SHA183bd26f0db64a38e01fdaf85872dd91db9a422eb
SHA25698ab6d6cef5d69b67aaa74c3319f96976a28aef9547a7171c3ff9fa074384f27
SHA512f2bf2aab51adea108396f0ad4b5b1af0a634dd5fed7838912bee1b31e23a11918bf569499dc4e7bdb870e5f1fff1aa3fb578e689f00f537c97fd38ca4de63f44
-
C:\Users\Admin\AppData\Local\Temp\is-VER3C.tmp\booking.com.tmpFilesize
3.0MB
MD557e1b2c7657531b07873d76bb9675fe7
SHA1fca3d4bca18f4d2b43d842cd8cb9a6c52274334d
SHA256141550a06909c4a437dca18ebaf232457dde776cc1c6691a31ef42254e09113e
SHA5127583f7c41ad3e2288f9a3ab4f32dcd7e0fd45ab007818cf5cae004cd49e25b0109d023cd35b35e24bc0e5a93db7c03ed7c57cb554a9f8fd4cd7918478373991b
-
C:\Users\Admin\AppData\Local\Temp\is-VER3C.tmp\booking.com.tmpFilesize
3.0MB
MD557e1b2c7657531b07873d76bb9675fe7
SHA1fca3d4bca18f4d2b43d842cd8cb9a6c52274334d
SHA256141550a06909c4a437dca18ebaf232457dde776cc1c6691a31ef42254e09113e
SHA5127583f7c41ad3e2288f9a3ab4f32dcd7e0fd45ab007818cf5cae004cd49e25b0109d023cd35b35e24bc0e5a93db7c03ed7c57cb554a9f8fd4cd7918478373991b
-
C:\Users\Admin\Downloads\cm2demo.zipFilesize
1.9MB
MD554803cf42ba84f17ad77eb066a1b51f5
SHA1130b1736fc5c5d32f17829b605209dbb7bf034a2
SHA256cdb7930dcb5e99eac92b8ddd8ab7f8301f07a68b3ea1ced8067141943fc2484e
SHA512d67b8b17fcf2794d3298ea5e3ba278333164caa39ccef55e284f27febdadf442ae52578f632b4c75f53c6e5efe7a4948036875fcdeac5aa83fea82720cd3ce20
-
\Users\Admin\AppData\Local\Temp\is-NK57K.tmp\idp.dllFilesize
228KB
MD59a83f220bf8ca569e3cfa654539a47a4
SHA19d1fb7087c12512d5f66d9d75f2fbae8e1196544
SHA256b1c4c9b2dd6a40974fa8789b218b52d967f5ccd1b47e95b4f6bda4b6ce864d0d
SHA5129b6460aca9720a4762a28e78a0e5f3e7358f73383926caf7f4a071e66c79f1032abd131432387f108de27894c147e2f34f01b094b6688826ce78f007d9dafbc5
-
\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\Helper.dllFilesize
2.0MB
MD54eb0347e66fa465f602e52c03e5c0b4b
SHA1fdfedb72614d10766565b7f12ab87f1fdca3ea81
SHA256c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc
SHA5124c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd
-
\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
\Users\Admin\AppData\Local\Temp\is-QKPL0.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
memory/2076-168-0x0000000005450000-0x000000000545F000-memory.dmpFilesize
60KB
-
memory/2076-203-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/2076-244-0x0000000005450000-0x000000000545F000-memory.dmpFilesize
60KB
-
memory/2076-243-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/2076-169-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/2076-167-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/2076-144-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/2076-179-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/2076-190-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/2076-180-0x0000000005450000-0x000000000545F000-memory.dmpFilesize
60KB
-
memory/2076-154-0x0000000005450000-0x000000000545F000-memory.dmpFilesize
60KB
-
memory/3708-226-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/3708-320-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/3708-252-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/4112-160-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4112-165-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4112-119-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4116-162-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/4116-161-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/4116-163-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/4116-124-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/4652-248-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4652-220-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4684-271-0x000001856C900000-0x000001856C910000-memory.dmpFilesize
64KB
-
memory/4684-253-0x000001856C020000-0x000001856C030000-memory.dmpFilesize
64KB
-
memory/4844-130-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4844-166-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
