Analysis
-
max time kernel
151s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 19:35
Static task
static1
Behavioral task
behavioral1
Sample
a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03.dll
Resource
win10v2004-20220812-en
General
-
Target
a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03.dll
-
Size
296KB
-
MD5
d141217011b3736d1a43ed80edafe186
-
SHA1
bd85a807296c6c3da7b395e0bb10084f7a24a63e
-
SHA256
a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03
-
SHA512
77c6bbfe7eaabafc621ab00a96ab2f44e6fc19fb7c50e79a396b9b679d63c692aa0c5f1cd9e6afc9ff88ce9001524292d0413d544b267dbc4feeb3b53d37f463
-
SSDEEP
6144:DJFR4knNGeq+yDX9UNotBpkMfay5PjP9pw3X:DJgknf3yDXQozNay5L+
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\jphbmxnl\\rrnlyrky.exe" svchost.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
svchost.exejbwicavi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" svchost.exe -
Modifies security service 2 TTPs 8 IoCs
Processes:
jbwicavi.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" svchost.exe -
Processes:
svchost.exejbwicavi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jbwicavi.exe -
Processes:
jbwicavi.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" jbwicavi.exe -
Executes dropped EXE 3 IoCs
Processes:
uVoPhHEgmjbwicavi.exejbwicavi.exepid process 2004 uVoPhHEgm 324 jbwicavi.exe 1788 jbwicavi.exe -
Drops startup file 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rrnlyrky.exe svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rrnlyrky.exe svchost.exe -
Loads dropped DLL 6 IoCs
Processes:
rundll32.exeuVoPhHEgmcmd.exepid process 884 rundll32.exe 884 rundll32.exe 2004 uVoPhHEgm 2004 uVoPhHEgm 1672 cmd.exe 1672 cmd.exe -
Processes:
jbwicavi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" jbwicavi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jbwicavi.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\RrnLyrky = "C:\\Users\\Admin\\AppData\\Local\\jphbmxnl\\rrnlyrky.exe" svchost.exe -
Processes:
jbwicavi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jbwicavi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
svchost.exejbwicavi.exepid process 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1788 jbwicavi.exe 1788 jbwicavi.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe 1412 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 460 -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
uVoPhHEgmsvchost.exesvchost.exejbwicavi.exejbwicavi.exedescription pid process Token: SeSecurityPrivilege 2004 uVoPhHEgm Token: SeDebugPrivilege 2004 uVoPhHEgm Token: SeSecurityPrivilege 1280 svchost.exe Token: SeSecurityPrivilege 1412 svchost.exe Token: SeDebugPrivilege 1412 svchost.exe Token: SeDebugPrivilege 1412 svchost.exe Token: SeRestorePrivilege 1412 svchost.exe Token: SeBackupPrivilege 1412 svchost.exe Token: SeDebugPrivilege 1412 svchost.exe Token: SeSecurityPrivilege 324 jbwicavi.exe Token: SeSecurityPrivilege 1788 jbwicavi.exe Token: SeLoadDriverPrivilege 1788 jbwicavi.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
rundll32.exerundll32.exeuVoPhHEgmjbwicavi.execmd.exedescription pid process target process PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 884 816 rundll32.exe rundll32.exe PID 884 wrote to memory of 2004 884 rundll32.exe uVoPhHEgm PID 884 wrote to memory of 2004 884 rundll32.exe uVoPhHEgm PID 884 wrote to memory of 2004 884 rundll32.exe uVoPhHEgm PID 884 wrote to memory of 2004 884 rundll32.exe uVoPhHEgm PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1280 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 1412 2004 uVoPhHEgm svchost.exe PID 2004 wrote to memory of 324 2004 uVoPhHEgm jbwicavi.exe PID 2004 wrote to memory of 324 2004 uVoPhHEgm jbwicavi.exe PID 2004 wrote to memory of 324 2004 uVoPhHEgm jbwicavi.exe PID 2004 wrote to memory of 324 2004 uVoPhHEgm jbwicavi.exe PID 324 wrote to memory of 1672 324 jbwicavi.exe cmd.exe PID 324 wrote to memory of 1672 324 jbwicavi.exe cmd.exe PID 324 wrote to memory of 1672 324 jbwicavi.exe cmd.exe PID 324 wrote to memory of 1672 324 jbwicavi.exe cmd.exe PID 1672 wrote to memory of 1788 1672 cmd.exe jbwicavi.exe PID 1672 wrote to memory of 1788 1672 cmd.exe jbwicavi.exe PID 1672 wrote to memory of 1788 1672 cmd.exe jbwicavi.exe PID 1672 wrote to memory of 1788 1672 cmd.exe jbwicavi.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
jbwicavi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jbwicavi.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a38644ca86517d5e5a4ab9d45ff0e842daadded68d0f6be076c1c32418bcde03.dll,#12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uVoPhHEgm"uVoPhHEgm"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jbwicavi.exe"C:\Users\Admin\AppData\Local\Temp\jbwicavi.exe" elevate4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\jbwicavi.exe"" admin5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jbwicavi.exe"C:\Users\Admin\AppData\Local\Temp\jbwicavi.exe" admin6⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
C:\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
C:\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
C:\Users\Admin\AppData\Local\Temp\uVoPhHEgmFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
C:\Users\Admin\AppData\Local\Temp\uVoPhHEgmFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\jbwicavi.exeFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\uVoPhHEgmFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
\Users\Admin\AppData\Local\Temp\uVoPhHEgmFilesize
92KB
MD569b702ec5b32f2cf025e9961bee612a0
SHA1e4ceb28f770d0397a64492d0e400b56e29beb898
SHA2568801635867cae2bb98c1c080d3a1c007a66d88be1532534cb58293f333510e3a
SHA51231a239d36263d8c7032848c1be844a455208e330ddf62dfe080a74901ff64838e6f3ce6e5efc5f8a85a69c257471fea3d30feef795440cba4991662393ae4182
-
memory/324-86-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/324-83-0x0000000000000000-mapping.dmp
-
memory/884-54-0x0000000000000000-mapping.dmp
-
memory/884-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1280-66-0x0000000020010000-0x000000002001D000-memory.dmpFilesize
52KB
-
memory/1280-65-0x0000000000000000-mapping.dmp
-
memory/1280-63-0x0000000020010000-0x000000002001D000-memory.dmpFilesize
52KB
-
memory/1412-74-0x0000000000000000-mapping.dmp
-
memory/1412-72-0x0000000020010000-0x000000002002E000-memory.dmpFilesize
120KB
-
memory/1412-76-0x0000000020010000-0x000000002002E000-memory.dmpFilesize
120KB
-
memory/1672-87-0x0000000000000000-mapping.dmp
-
memory/1788-91-0x0000000000000000-mapping.dmp
-
memory/1788-94-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2004-80-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2004-58-0x0000000000000000-mapping.dmp