Analysis
- max time kernel: 173s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 19-02-2022 09:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1
  Resource: win10v2004-en-20220112
General
- Target: 3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1
- Size: 45KB
- MD5: 61daa29f8789c8955145c4fd95d082a2
- SHA1: 92277533be60b333f4e79b1f6e5d821cfa9f818e
- SHA256: 3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3
- SHA512: 21dc0806c3337121cb68ed5a4d552fac992371b02fbbb664dd703c6cf586082d02c74db82261405e1af6acab3524c0b48eed12d1270cdfa5c9fc0a3faa2757b3
Malware Config
Extracted
revengerat
Client
kimjoy.ddns.net:2021
RXQLV8XYTDNHNSA
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3484 set thread context of 3084 | 3484 | powershell.exe | InstallUtil.exe |

-
Drops file in Windows directory 3 IoCs
Processes:
svchost.exe
TiWorker.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe |
| File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe |

-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe |

-
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe

| pid | process |
| --- | --- |
| 3484 | powershell.exe |

-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe
TiWorker.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3484 | powershell.exe |
| Token: SeSecurityPrivilege | 1020 | TiWorker.exe |
| Token: SeRestorePrivilege | 1020 | TiWorker.exe |
| Token: SeBackupPrivilege | 1020 | TiWorker.exe |

-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
powershell.exe
csc.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3484 wrote to memory of 3604 | 3484 | powershell.exe | csc.exe |
| PID 3604 wrote to memory of 3788 | 3604 | csc.exe | cvtres.exe |
| PID 3484 wrote to memory of 3116 | 3484 | powershell.exe | InstallUtil.exe |
| PID 3484 wrote to memory of 3084 | 3484 | powershell.exe | InstallUtil.exe |
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845B.tmp" "c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\CSC7A2DEC3B425F460EA466ECAE35C934A.TMP"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES845B.tmp
- C:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.dll
- \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\CSC7A2DEC3B425F460EA466ECAE35C934A.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.cmdline