Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
-
submitted
04-06-2023 18:13
Static task
static1
Behavioral task
behavioral1
Sample
426937c153dd506951c7f40a94094c48.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
426937c153dd506951c7f40a94094c48.exe
Resource
win10v2004-20230220-en
General
-
Target
426937c153dd506951c7f40a94094c48.exe
-
Size
863KB
-
MD5
426937c153dd506951c7f40a94094c48
-
SHA1
fb1e60c760f716e3058e3187d701899ba136d6a2
-
SHA256
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3
-
SHA512
4404e37eced0a0bfa8255e6549d0b9212cd7fd3be87b012879bbf9898b7ffa36d28c27525f4d2b9edc64100ab29e302afe4bbd2594f3810ad4e1701b13405103
-
SSDEEP
24576:Zjy6Akw+amJpYfdwzcfeJs9ReYWCW8kCt9g7:w6Akwhm0fdXO/D8j
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 3 IoCs
Processes: Set-UP.exe, WindowsDefenderUpdates.exe, WindowsDefenderUpdates.exe
pid | process
1868 | Set-UP.exe
892 | WindowsDefenderUpdates.exe
1744 | WindowsDefenderUpdates.exe
-
Loads dropped DLL 1 IoCs
Processes: WindowsDefenderUpdates.exe
pid | process
892 | WindowsDefenderUpdates.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: Set-UP.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Set-UP.exe
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Set-UP.exe
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Set-UP.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 426937c153dd506951c7f40a94094c48.exe, WindowsDefenderUpdates.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 426937c153dd506951c7f40a94094c48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 426937c153dd506951c7f40a94094c48.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\15b122136b434dc511739d7a4ab3aeae = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderUpdates.exe\" .." | WindowsDefenderUpdates.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\15b122136b434dc511739d7a4ab3aeae = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderUpdates.exe\" .." | WindowsDefenderUpdates.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes: Set-UP.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Local\YBHADZIG\FileGrabber\Desktop\desktop.ini | Set-UP.exe
File created | C:\Users\Admin\AppData\Local\YBHADZIG\FileGrabber\Documents\desktop.ini | Set-UP.exe
File created | C:\Users\Admin\AppData\Local\YBHADZIG\FileGrabber\Downloads\desktop.ini | Set-UP.exe
File created | C:\Users\Admin\AppData\Local\YBHADZIG\FileGrabber\Pictures\desktop.ini | Set-UP.exe
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | api.ipify.org
3 | freegeoip.app
6 | freegeoip.app
17 | api.ipify.org
18 | api.ipify.org
19 | ip-api.com
21 | api.ipify.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Set-UP.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Set-UP.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Set-UP.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Set-UP.exe
pid | process
1868 | Set-UP.exe
1868 | Set-UP.exe
1868 | Set-UP.exe
1868 | Set-UP.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes: Set-UP.exe, WindowsDefenderUpdates.exe
description | pid | process
Token: SeDebugPrivilege | 1868 | Set-UP.exe
Token: SeDebugPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
Token: 33 | 1744 | WindowsDefenderUpdates.exe
Token: SeIncBasePriorityPrivilege | 1744 | WindowsDefenderUpdates.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 426937c153dd506951c7f40a94094c48.exe, WindowsDefenderUpdates.exe, WindowsDefenderUpdates.exe
description | pid | process | target process
PID 1872 wrote to memory of 1868 | 1872 | 426937c153dd506951c7f40a94094c48.exe | Set-UP.exe
PID 1872 wrote to memory of 1868 | 1872 | 426937c153dd506951c7f40a94094c48.exe | Set-UP.exe
PID 1872 wrote to memory of 1868 | 1872 | 426937c153dd506951c7f40a94094c48.exe | Set-UP.exe
PID 1872 wrote to memory of 1868 | 1872 | 426937c153dd506951c7f40a94094c48.exe | Set-UP.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 1872 wrote to memory of 892 | 1872 | 426937c153dd506951c7f40a94094c48.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 892 wrote to memory of 1744 | 892 | WindowsDefenderUpdates.exe | WindowsDefenderUpdates.exe
PID 1744 wrote to memory of 1900 | 1744 | WindowsDefenderUpdates.exe | netsh.exe
PID 1744 wrote to memory of 1900 | 1744 | WindowsDefenderUpdates.exe | netsh.exe
PID 1744 wrote to memory of 1900 | 1744 | WindowsDefenderUpdates.exe | netsh.exe
PID 1744 wrote to memory of 1900 | 1744 | WindowsDefenderUpdates.exe | netsh.exe
-
outlook_office_path 1 IoCs
Processes: Set-UP.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Set-UP.exe
-
outlook_win_path 1 IoCs
Processes: Set-UP.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Set-UP.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\426937c153dd506951c7f40a94094c48.exe
"C:\Users\Admin\AppData\Local\Temp\426937c153dd506951c7f40a94094c48.exe" 1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exe 2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe" 3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe" "WindowsDefenderUpdates.exe" ENABLE 4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads