Analysis
-
max time kernel
82s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-05-2022 14:24
Static task
static1
Behavioral task
behavioral1
Sample
setup_super.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
setup_super.exe
Resource
win10v2004-20220414-en
General
-
Target
setup_super.exe
-
Size
15KB
-
MD5
8d4fcd244f393513976aea570df1ffdd
-
SHA1
af02515f2b9693f0920f57b6fcbc304743d5f16b
-
SHA256
c7f353c4ca722da712da454317e9d00b77c9b6cf6194b47009dbd67517cf2abc
-
SHA512
485f361c7f09d3ff51e537124dd342e5358551f18de09c7184360dcac0a4f9225d0a267d7be1e2f908980aad743eb5faab68a824bfd1b0282d6bab5a29676b32
Malware Config
Extracted
C:\program files\7-zip\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1136 bcdedit.exe 2060 bcdedit.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
super.exescreensaver.exepid process 844 super.exe 560 screensaver.exe -
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
super.exedescription ioc process File renamed C:\Users\Admin\Pictures\PublishWait.raw => C:\users\admin\pictures\publishwait.raw.lockbit super.exe File renamed C:\Users\Admin\Pictures\FindUndo.tif => C:\users\admin\pictures\findundo.tif.lockbit super.exe File renamed C:\Users\Admin\Pictures\FormatGet.tif => C:\users\admin\pictures\formatget.tif.lockbit super.exe File renamed C:\Users\Admin\Pictures\RenameExit.tif => C:\users\admin\pictures\renameexit.tif.lockbit super.exe File renamed C:\Users\Admin\Pictures\RestoreUndo.crw => C:\users\admin\pictures\restoreundo.crw.lockbit super.exe File renamed C:\Users\Admin\Pictures\RestoreLimit.crw => C:\users\admin\pictures\restorelimit.crw.lockbit super.exe File renamed C:\Users\Admin\Pictures\WriteSkip.raw => C:\users\admin\pictures\writeskip.raw.lockbit super.exe File renamed C:\Users\Admin\Pictures\ProtectMeasure.png => C:\users\admin\pictures\protectmeasure.png.lockbit super.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\screensaver.exe upx C:\Users\Admin\AppData\Local\Temp\screensaver.exe upx -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 980 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
super.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run super.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5135B3C8-0E0E-7421-33D0-33788123B203} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\super.exe\"" super.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes:
super.exedescription ioc process File created C:\windows\SysWOW64\A63564.ico super.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
Processes:
super.exepid process 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe 844 super.exe -
Drops file in Program Files directory 64 IoCs
Processes:
super.exedescription ioc process File opened for modification C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir33f.gif super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\formsbrowserupgrade.html super.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\systemv\cst6 super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar super.exe File opened for modification C:\program files\java\jre7\lib\zi\etc\gmt+5 super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\bs00100_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0195788.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\bullets\bd21342_.gif super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0107148.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\bg_casual.gif super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\springgreen\tab_off.gif super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\en-us\picturepuzzle.html super.exe File opened for modification C:\program files\7-zip\lang\kaa.txt super.exe File opened for modification C:\program files\java\jre7\lib\zi\america\swift_current super.exe File opened for modification C:\program files\windows sidebar\gadgets\weather.gadget\images\undocked_black_thunderstorm.png super.exe File opened for modification C:\program files (x86)\microsoft office\stationery\1033\offisupp.gif super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_blue_partly-cloudy.png super.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\catalog.dpv super.exe File opened for modification C:\program files\java\jre7\lib\zi\pacific\auckland super.exe File opened for modification C:\program files\microsoft games\multiplayer\checkers\es-es\chkrzm.exe.mui super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\pe02285_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\safri_01.mid super.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\bullets\bd21365_.gif super.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd21448_.gif super.exe File opened for modification C:\program files\java\jdk1.7.0_80\db\bin\setnetworkservercp super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\so00917_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\adobe.css super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\so00168_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\media\cagcat10\j0195534.wmf super.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\full\dotsdarkoverlay.png super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\dt.jar super.exe File opened for modification C:\program files\microsoft games\spidersolitaire\spidersolitairemce.png super.exe File created C:\program files\videolan\vlc\locale\gd\lc_messages\Restore-My-Files.txt super.exe File opened for modification C:\program files\windows sidebar\de-de\sbdrop.dll.mui super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\ag00139_.gif super.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\autoshap\bd18208_.wmf super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\ja-jp\js\timezones.js super.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\push\push_item.png super.exe File opened for modification C:\program files\java\jre7\lib\zi\america\grand_turk super.exe File opened for modification C:\program files\windows sidebar\gadgets\slideshow.gadget\logo.png super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0182902.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\toolbmps\calendartooliconimagesmask.bmp super.exe File opened for modification C:\program files (x86)\microsoft office\office14\pagesize\pglbl095.xml super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\currency.gadget\es-es\gadget.xml super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0239063.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\pe00668_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme colors\origin.xml super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\submit.js super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\projecttool\project report type\fancy\hierarchy.js super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\pe03459_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\j0115875.gif super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_gray_snow.png super.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\beirut super.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\an01084_.wmf super.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\bg_olivegreen.gif super.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\ja-jp\js\settings.js super.exe File created C:\program files\java\jdk1.7.0_80\include\win32\bridge\Restore-My-Files.txt super.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\johannesburg super.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar super.exe File opened for modification C:\program files\windows sidebar\gadgets\weather.gadget\es-es\css\weather.css super.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2400 vssadmin.exe -
Modifies registry class 3 IoCs
Processes:
super.exedescription ioc process Key created \Registry\Machine\Software\Classes\.lockbit super.exe Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon super.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\A63564.ico" super.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
setup_super.exesuper.exepid process 884 setup_super.exe 884 setup_super.exe 844 super.exe 844 super.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
screensaver.exepid process 560 screensaver.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
setup_super.exesuper.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 884 setup_super.exe Token: SeTakeOwnershipPrivilege 844 super.exe Token: SeDebugPrivilege 844 super.exe Token: SeBackupPrivilege 2448 vssvc.exe Token: SeRestorePrivilege 2448 vssvc.exe Token: SeAuditPrivilege 2448 vssvc.exe Token: SeIncreaseQuotaPrivilege 1752 WMIC.exe Token: SeSecurityPrivilege 1752 WMIC.exe Token: SeTakeOwnershipPrivilege 1752 WMIC.exe Token: SeLoadDriverPrivilege 1752 WMIC.exe Token: SeSystemProfilePrivilege 1752 WMIC.exe Token: SeSystemtimePrivilege 1752 WMIC.exe Token: SeProfSingleProcessPrivilege 1752 WMIC.exe Token: SeIncBasePriorityPrivilege 1752 WMIC.exe Token: SeCreatePagefilePrivilege 1752 WMIC.exe Token: SeBackupPrivilege 1752 WMIC.exe Token: SeRestorePrivilege 1752 WMIC.exe Token: SeShutdownPrivilege 1752 WMIC.exe Token: SeDebugPrivilege 1752 WMIC.exe Token: SeSystemEnvironmentPrivilege 1752 WMIC.exe Token: SeRemoteShutdownPrivilege 1752 WMIC.exe Token: SeUndockPrivilege 1752 WMIC.exe Token: SeManageVolumePrivilege 1752 WMIC.exe Token: 33 1752 WMIC.exe Token: 34 1752 WMIC.exe Token: 35 1752 WMIC.exe Token: SeIncreaseQuotaPrivilege 1752 WMIC.exe Token: SeSecurityPrivilege 1752 WMIC.exe Token: SeTakeOwnershipPrivilege 1752 WMIC.exe Token: SeLoadDriverPrivilege 1752 WMIC.exe Token: SeSystemProfilePrivilege 1752 WMIC.exe Token: SeSystemtimePrivilege 1752 WMIC.exe Token: SeProfSingleProcessPrivilege 1752 WMIC.exe Token: SeIncBasePriorityPrivilege 1752 WMIC.exe Token: SeCreatePagefilePrivilege 1752 WMIC.exe Token: SeBackupPrivilege 1752 WMIC.exe Token: SeRestorePrivilege 1752 WMIC.exe Token: SeShutdownPrivilege 1752 WMIC.exe Token: SeDebugPrivilege 1752 WMIC.exe Token: SeSystemEnvironmentPrivilege 1752 WMIC.exe Token: SeRemoteShutdownPrivilege 1752 WMIC.exe Token: SeUndockPrivilege 1752 WMIC.exe Token: SeManageVolumePrivilege 1752 WMIC.exe Token: 33 1752 WMIC.exe Token: 34 1752 WMIC.exe Token: 35 1752 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
setup_super.exepid process 884 setup_super.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
setup_super.exepid process 884 setup_super.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
setup_super.execmd.exesuper.execmd.exedescription pid process target process PID 884 wrote to memory of 844 884 setup_super.exe super.exe PID 884 wrote to memory of 844 884 setup_super.exe super.exe PID 884 wrote to memory of 844 884 setup_super.exe super.exe PID 884 wrote to memory of 844 884 setup_super.exe super.exe PID 884 wrote to memory of 560 884 setup_super.exe screensaver.exe PID 884 wrote to memory of 560 884 setup_super.exe screensaver.exe PID 884 wrote to memory of 560 884 setup_super.exe screensaver.exe PID 884 wrote to memory of 560 884 setup_super.exe screensaver.exe PID 884 wrote to memory of 980 884 setup_super.exe cmd.exe PID 884 wrote to memory of 980 884 setup_super.exe cmd.exe PID 884 wrote to memory of 980 884 setup_super.exe cmd.exe PID 980 wrote to memory of 1736 980 cmd.exe choice.exe PID 980 wrote to memory of 1736 980 cmd.exe choice.exe PID 980 wrote to memory of 1736 980 cmd.exe choice.exe PID 844 wrote to memory of 2308 844 super.exe cmd.exe PID 844 wrote to memory of 2308 844 super.exe cmd.exe PID 844 wrote to memory of 2308 844 super.exe cmd.exe PID 844 wrote to memory of 2308 844 super.exe cmd.exe PID 2308 wrote to memory of 2400 2308 cmd.exe vssadmin.exe PID 2308 wrote to memory of 2400 2308 cmd.exe vssadmin.exe PID 2308 wrote to memory of 2400 2308 cmd.exe vssadmin.exe PID 2308 wrote to memory of 1752 2308 cmd.exe WMIC.exe PID 2308 wrote to memory of 1752 2308 cmd.exe WMIC.exe PID 2308 wrote to memory of 1752 2308 cmd.exe WMIC.exe PID 2308 wrote to memory of 1136 2308 cmd.exe bcdedit.exe PID 2308 wrote to memory of 1136 2308 cmd.exe bcdedit.exe PID 2308 wrote to memory of 1136 2308 cmd.exe bcdedit.exe PID 2308 wrote to memory of 2060 2308 cmd.exe bcdedit.exe PID 2308 wrote to memory of 2060 2308 cmd.exe bcdedit.exe PID 2308 wrote to memory of 2060 2308 cmd.exe bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_super.exe"C:\Users\Admin\AppData\Local\Temp\setup_super.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\super.exe"C:\Users\Admin\AppData\Local\Temp\super.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\super.exe"3⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exe"C:\Users\Admin\AppData\Local\Temp\screensaver.exe" 7C28913B6F1CE6E452678F117954BF4EJ7521E2B4A224740AAF64D5FAD08520ACDF9F8912E7DE2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exeFilesize
272KB
MD5f9073cc6566ba11318b425a761f1ce17
SHA1d378ce237e83314c9844b4e6ce4867e2783737db
SHA256c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
SHA5122a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exeFilesize
272KB
MD5f9073cc6566ba11318b425a761f1ce17
SHA1d378ce237e83314c9844b4e6ce4867e2783737db
SHA256c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
SHA5122a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2
-
C:\Users\Admin\AppData\Local\Temp\super.exeFilesize
959KB
MD5ca4d6c1d508d4add675edb0cf206b1ea
SHA1a5c36dc1b1c307de822004f166829dc02f742f45
SHA25670f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e
SHA512c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824
-
C:\Users\Admin\AppData\Local\Temp\super.exeFilesize
959KB
MD5ca4d6c1d508d4add675edb0cf206b1ea
SHA1a5c36dc1b1c307de822004f166829dc02f742f45
SHA25670f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e
SHA512c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824
-
memory/560-59-0x0000000000000000-mapping.dmp
-
memory/844-58-0x0000000075741000-0x0000000075743000-memory.dmpFilesize
8KB
-
memory/844-56-0x0000000000000000-mapping.dmp
-
memory/884-54-0x0000000001190000-0x000000000119A000-memory.dmpFilesize
40KB
-
memory/884-55-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmpFilesize
8KB
-
memory/956-73-0x0000000000000000-mapping.dmp
-
memory/980-61-0x0000000000000000-mapping.dmp
-
memory/1136-68-0x0000000000000000-mapping.dmp
-
memory/1664-71-0x0000000000000000-mapping.dmp
-
memory/1736-63-0x0000000000000000-mapping.dmp
-
memory/1752-67-0x0000000000000000-mapping.dmp
-
memory/2060-69-0x0000000000000000-mapping.dmp
-
memory/2176-72-0x0000000000000000-mapping.dmp
-
memory/2308-65-0x0000000000000000-mapping.dmp
-
memory/2400-66-0x0000000000000000-mapping.dmp