Analysis
max time kernel: 68s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2022 08:07
Static task: static1
Behavioral task: behavioral1
Sample: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Resource: win10v2004-20220901-en
General
Target: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Size: 328KB
MD5: 07e6b8a7d2cb05fa896ed147d705a6a0
SHA1: 20b7808356e703890a75ce6de876d6012ce99e06
SHA256: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce
SHA512: 4ca8c159e2d78c739bf22ead3664da8a1dcac41c540d4362a113a6a3ab225980402486a97d9f8d40f061f9a8ff796d93828425ddb34dbafdd983df15d3f7ae96
SSDEEP: 6144:MyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:MCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\62ab45ac.sys | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
928 | takeown.exe
752 | icacls.exe
1572 | takeown.exe
368 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\62ab45ac\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\62ab45ac.sys" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
960 | cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1572 | takeown.exe
368 | icacls.exe
928 | takeown.exe
752 | icacls.exe
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Drops file in System32 directory 4 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File created | C:\Windows\SysWOW64\midimap.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Modifies registry class 4 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "HiGfy8Dy.dll" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
pid | process
2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
pid | process
464 |
2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Token: SeTakeOwnershipPrivilege | 1572 | takeown.exe
Token: SeTakeOwnershipPrivilege | 928 | takeown.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2000 wrote to memory of 976 | 2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe
PID 976 wrote to memory of 1572 | 976 | cmd.exe | takeown.exe
PID 976 wrote to memory of 368 | 976 | cmd.exe | icacls.exe
PID 2000 wrote to memory of 364 | 2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe
PID 364 wrote to memory of 928 | 364 | cmd.exe | takeown.exe
PID 364 wrote to memory of 752 | 364 | cmd.exe | icacls.exe
PID 2000 wrote to memory of 960 | 2000 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
"C:\Users\Admin\AppData\Local\Temp\91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe"
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2000

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    PID: 976

        C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 1572

        C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 368

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    PID: 364

        C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 928

        C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 752

    C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
    PID: 960
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize: 181B
MD5: d05a1fdde4d7cda5b32eede1b364e1b9
SHA1: cd298941c1a99c2ec201f64251177a13f01d3908
SHA256: f6e56a62b5830145dfd6f758c1674b7c9842f7c1e6e56e0e5a8ddde54391e6c7
SHA512: 958c64e8026cb1c435d48db7ba8b41082bd1271c75b48f4ccc7b55574a8025ee0dc238cbafc7119469df6d7da5a90ec93ea8e37edf40189a6c98cfed6fce7b90