Analysis
-
max time kernel
146s -
max time network
140s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-02-2021 00:38
Static task
static1
Behavioral task
behavioral1
Sample
76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe
Resource
win7v20201028
General
-
Target
76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe
-
Size
4.0MB
-
MD5
f454674192c23053843a3b493b3d0e7f
-
SHA1
8cb0d3e35a58ddadfca4dbd87b075058b542092f
-
SHA256
76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c
-
SHA512
655040b6c3a7ad5a61a475db45c34520fdcc296e03b360427c495529a862edb8c74b2b4dcf4a3b590e679c42eab66bc976092d80318407ca4355a2322506336a
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll acprotect C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll acprotect -
Processes:
resource yara_rule \Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 \Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rutserv.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 \Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 \Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 C:\Windows\SysWOW64\vipcatalog\rfusclient.exe aspack_v212_v242 -
Executes dropped EXE 6 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exepid process 1924 rutserv.exe 1068 rutserv.exe 1580 rutserv.exe 1960 rfusclient.exe 804 rfusclient.exe 1508 rfusclient.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll upx C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll upx -
Loads dropped DLL 4 IoCs
Processes:
cmd.exerutserv.exepid process 1436 cmd.exe 1436 cmd.exe 1580 rutserv.exe 1580 rutserv.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
Processes:
attrib.exe76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exedescription ioc process File opened for modification C:\Windows\SysWOW64\vipcatalog attrib.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\bt.bat 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File created C:\Windows\SysWOW64\vipcatalog\Uninstall.ini 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\Uninstall.exe 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\regedit.reg 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\rfusclient.exe 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe File opened for modification C:\Windows\SysWOW64\vipcatalog\rutserv.exe 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 1960 taskkill.exe 1496 taskkill.exe -
Runs .reg file with regedit 1 IoCs
Processes:
regedit.exepid process 1624 regedit.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerfusclient.exepid process 1924 rutserv.exe 1924 rutserv.exe 1924 rutserv.exe 1924 rutserv.exe 1068 rutserv.exe 1068 rutserv.exe 1580 rutserv.exe 1580 rutserv.exe 1580 rutserv.exe 1580 rutserv.exe 1960 rfusclient.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 1508 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
taskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exedescription pid process Token: SeDebugPrivilege 1960 taskkill.exe Token: SeDebugPrivilege 1496 taskkill.exe Token: SeDebugPrivilege 1924 rutserv.exe Token: SeDebugPrivilege 1068 rutserv.exe Token: SeTakeOwnershipPrivilege 1580 rutserv.exe Token: SeTcbPrivilege 1580 rutserv.exe Token: SeTcbPrivilege 1580 rutserv.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
rutserv.exerutserv.exerutserv.exepid process 1924 rutserv.exe 1068 rutserv.exe 1580 rutserv.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.execmd.exerutserv.exerfusclient.exedescription pid process target process PID 1888 wrote to memory of 1436 1888 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe cmd.exe PID 1888 wrote to memory of 1436 1888 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe cmd.exe PID 1888 wrote to memory of 1436 1888 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe cmd.exe PID 1888 wrote to memory of 1436 1888 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe cmd.exe PID 1436 wrote to memory of 1960 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1960 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1960 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1960 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1496 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1496 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1496 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 1496 1436 cmd.exe taskkill.exe PID 1436 wrote to memory of 888 1436 cmd.exe reg.exe PID 1436 wrote to memory of 888 1436 cmd.exe reg.exe PID 1436 wrote to memory of 888 1436 cmd.exe reg.exe PID 1436 wrote to memory of 888 1436 cmd.exe reg.exe PID 1436 wrote to memory of 1000 1436 cmd.exe attrib.exe PID 1436 wrote to memory of 1000 1436 cmd.exe attrib.exe PID 1436 wrote to memory of 1000 1436 cmd.exe attrib.exe PID 1436 wrote to memory of 1000 1436 cmd.exe attrib.exe PID 1436 wrote to memory of 1924 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1924 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1924 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1924 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1624 1436 cmd.exe regedit.exe PID 1436 wrote to memory of 1624 1436 cmd.exe regedit.exe PID 1436 wrote to memory of 1624 1436 cmd.exe regedit.exe PID 1436 wrote to memory of 1624 1436 cmd.exe regedit.exe PID 1436 wrote to memory of 1068 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1068 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1068 1436 cmd.exe rutserv.exe PID 1436 wrote to memory of 1068 1436 cmd.exe rutserv.exe PID 1580 wrote to memory of 1960 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 1960 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 1960 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 1960 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 804 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 804 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 804 1580 rutserv.exe rfusclient.exe PID 1580 wrote to memory of 804 1580 rutserv.exe rfusclient.exe PID 1960 wrote to memory of 1508 1960 rfusclient.exe rfusclient.exe PID 1960 wrote to memory of 1508 1960 rfusclient.exe rfusclient.exe PID 1960 wrote to memory of 1508 1960 rfusclient.exe rfusclient.exe PID 1960 wrote to memory of 1508 1960 rfusclient.exe rfusclient.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe"C:\Users\Admin\AppData\Local\Temp\76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c.bin.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\System32\vipcatalog\bt.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\vipcatalog"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exe"rutserv.exe" /silentinstall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regedit.exeregedit /s regedit.reg3⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exe"rutserv.exe" /start3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exeC:\Windows\SysWOW64\vipcatalog\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeC:\Windows\SysWOW64\vipcatalog\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeC:\Windows\SysWOW64\vipcatalog\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeC:\Windows\SysWOW64\vipcatalog\rfusclient.exe /tray2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\vipcatalog\bt.batMD5
0ae3ca21abe90b235a4fee83205e9662
SHA1c69a6ecdee793d6225372ea7dc5335b957b5a8d8
SHA256ba9387866f2cfbf9df6bd3dd5f26e0bb811772162848e250587d98932f6698fc
SHA512e43bca33cab32f3b85710795d246862223f4fb5e5e7332dbec83040297ee13fa9bdbbbd5200012741eb11f6cdcfae92de8e115bb2149b6d2abfca8d1438bbda2
-
C:\Windows\SysWOW64\vipcatalog\regedit.regMD5
9df8ff397da814e0ba86a33f6a679add
SHA1d7087bca10b852974300d2bf2d930a734a891b17
SHA256de853a04d2770f00852270f78df9695a3719234048943b84cbfbfb74e8ea7fa7
SHA5129991a3d35b648d6e69bffc6b1ce3585a91f5333b9b61249517ce605393a318b76704a5ceccaf6892a50f5e8ba88db68d024b72eef49376b2c3f891c6cb91ee8c
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Windows\SysWOW64\vipcatalog\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\Windows\SysWOW64\vipcatalog\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\Windows\SysWOW64\vipcatalog\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
\Windows\SysWOW64\vipcatalog\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
memory/804-34-0x0000000000000000-mapping.dmp
-
memory/804-44-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/888-7-0x0000000000000000-mapping.dmp
-
memory/1000-8-0x0000000000000000-mapping.dmp
-
memory/1068-22-0x0000000000000000-mapping.dmp
-
memory/1068-35-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1436-3-0x0000000000000000-mapping.dmp
-
memory/1496-6-0x0000000000000000-mapping.dmp
-
memory/1508-48-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1508-45-0x0000000000000000-mapping.dmp
-
memory/1580-38-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1624-18-0x0000000000000000-mapping.dmp
-
memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmpFilesize
8KB
-
memory/1924-11-0x0000000000000000-mapping.dmp
-
memory/1924-25-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1924-14-0x00000000034E0000-0x00000000034F1000-memory.dmpFilesize
68KB
-
memory/1924-15-0x00000000038F0000-0x0000000003901000-memory.dmpFilesize
68KB
-
memory/1924-16-0x00000000034E0000-0x00000000034F1000-memory.dmpFilesize
68KB
-
memory/1960-41-0x00000000035F0000-0x0000000003601000-memory.dmpFilesize
68KB
-
memory/1960-42-0x0000000003A00000-0x0000000003A11000-memory.dmpFilesize
68KB
-
memory/1960-43-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1960-5-0x0000000000000000-mapping.dmp
-
memory/1960-33-0x0000000000000000-mapping.dmp