Analysis
-
max time kernel
125s -
max time network
80s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
25-07-2022 06:06
Static task
static1
Behavioral task
behavioral1
Sample
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Resource
win10v2004-20220721-en
General
-
Target
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
-
Size
382KB
-
MD5
432ad4941c057927786e3b6646ecf2f3
-
SHA1
45babe449954544219054e327523de5812597eaa
-
SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
-
SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
Malware Config
Signatures
-
Cerber 2 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exedescription ioc process Mutant opened shell.{FBDF6928-0741-9A42-4148-F6231E486DF1} 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Mutant created shell.{FBDF6928-0741-9A42-4148-F6231E486DF1} RunLegacyCPLElevated.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Set value (int) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" RunLegacyCPLElevated.exe -
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1504 bcdedit.exe 1456 bcdedit.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" RunLegacyCPLElevated.exe -
Contacts a large (514) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
RunLegacyCPLElevated.exepid process 472 RunLegacyCPLElevated.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 580 cmd.exe -
Drops startup file 1 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RunLegacyCPLElevated.lnk 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe -
Loads dropped DLL 2 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exepid process 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe 472 RunLegacyCPLElevated.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
RunLegacyCPLElevated.exe5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run RunLegacyCPLElevated.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" RunLegacyCPLElevated.exe Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce RunLegacyCPLElevated.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" RunLegacyCPLElevated.exe Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1664 vssadmin.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1156 taskkill.exe -
Modifies Control Panel 4 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Key created \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop RunLegacyCPLElevated.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\"" RunLegacyCPLElevated.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exetaskkill.exeRunLegacyCPLElevated.exevssvc.exewmic.exedescription pid process Token: SeDebugPrivilege 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe Token: SeDebugPrivilege 1156 taskkill.exe Token: SeDebugPrivilege 472 RunLegacyCPLElevated.exe Token: SeBackupPrivilege 1868 vssvc.exe Token: SeRestorePrivilege 1868 vssvc.exe Token: SeAuditPrivilege 1868 vssvc.exe Token: SeIncreaseQuotaPrivilege 1764 wmic.exe Token: SeSecurityPrivilege 1764 wmic.exe Token: SeTakeOwnershipPrivilege 1764 wmic.exe Token: SeLoadDriverPrivilege 1764 wmic.exe Token: SeSystemProfilePrivilege 1764 wmic.exe Token: SeSystemtimePrivilege 1764 wmic.exe Token: SeProfSingleProcessPrivilege 1764 wmic.exe Token: SeIncBasePriorityPrivilege 1764 wmic.exe Token: SeCreatePagefilePrivilege 1764 wmic.exe Token: SeBackupPrivilege 1764 wmic.exe Token: SeRestorePrivilege 1764 wmic.exe Token: SeShutdownPrivilege 1764 wmic.exe Token: SeDebugPrivilege 1764 wmic.exe Token: SeSystemEnvironmentPrivilege 1764 wmic.exe Token: SeRemoteShutdownPrivilege 1764 wmic.exe Token: SeUndockPrivilege 1764 wmic.exe Token: SeManageVolumePrivilege 1764 wmic.exe Token: 33 1764 wmic.exe Token: 34 1764 wmic.exe Token: 35 1764 wmic.exe Token: SeIncreaseQuotaPrivilege 1764 wmic.exe Token: SeSecurityPrivilege 1764 wmic.exe Token: SeTakeOwnershipPrivilege 1764 wmic.exe Token: SeLoadDriverPrivilege 1764 wmic.exe Token: SeSystemProfilePrivilege 1764 wmic.exe Token: SeSystemtimePrivilege 1764 wmic.exe Token: SeProfSingleProcessPrivilege 1764 wmic.exe Token: SeIncBasePriorityPrivilege 1764 wmic.exe Token: SeCreatePagefilePrivilege 1764 wmic.exe Token: SeBackupPrivilege 1764 wmic.exe Token: SeRestorePrivilege 1764 wmic.exe Token: SeShutdownPrivilege 1764 wmic.exe Token: SeDebugPrivilege 1764 wmic.exe Token: SeSystemEnvironmentPrivilege 1764 wmic.exe Token: SeRemoteShutdownPrivilege 1764 wmic.exe Token: SeUndockPrivilege 1764 wmic.exe Token: SeManageVolumePrivilege 1764 wmic.exe Token: 33 1764 wmic.exe Token: 34 1764 wmic.exe Token: 35 1764 wmic.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exepid process 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe 472 RunLegacyCPLElevated.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.execmd.exeRunLegacyCPLElevated.exedescription pid process target process PID 1564 wrote to memory of 472 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe RunLegacyCPLElevated.exe PID 1564 wrote to memory of 472 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe RunLegacyCPLElevated.exe PID 1564 wrote to memory of 472 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe RunLegacyCPLElevated.exe PID 1564 wrote to memory of 472 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe RunLegacyCPLElevated.exe PID 1564 wrote to memory of 580 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe cmd.exe PID 1564 wrote to memory of 580 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe cmd.exe PID 1564 wrote to memory of 580 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe cmd.exe PID 1564 wrote to memory of 580 1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe cmd.exe PID 580 wrote to memory of 1156 580 cmd.exe taskkill.exe PID 580 wrote to memory of 1156 580 cmd.exe taskkill.exe PID 580 wrote to memory of 1156 580 cmd.exe taskkill.exe PID 580 wrote to memory of 1156 580 cmd.exe taskkill.exe PID 580 wrote to memory of 636 580 cmd.exe PING.EXE PID 580 wrote to memory of 636 580 cmd.exe PING.EXE PID 580 wrote to memory of 636 580 cmd.exe PING.EXE PID 580 wrote to memory of 636 580 cmd.exe PING.EXE PID 472 wrote to memory of 1664 472 RunLegacyCPLElevated.exe vssadmin.exe PID 472 wrote to memory of 1664 472 RunLegacyCPLElevated.exe vssadmin.exe PID 472 wrote to memory of 1664 472 RunLegacyCPLElevated.exe vssadmin.exe PID 472 wrote to memory of 1664 472 RunLegacyCPLElevated.exe vssadmin.exe PID 472 wrote to memory of 1764 472 RunLegacyCPLElevated.exe wmic.exe PID 472 wrote to memory of 1764 472 RunLegacyCPLElevated.exe wmic.exe PID 472 wrote to memory of 1764 472 RunLegacyCPLElevated.exe wmic.exe PID 472 wrote to memory of 1764 472 RunLegacyCPLElevated.exe wmic.exe PID 472 wrote to memory of 1504 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1504 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1504 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1504 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1456 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1456 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1456 472 RunLegacyCPLElevated.exe bcdedit.exe PID 472 wrote to memory of 1456 472 RunLegacyCPLElevated.exe bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"1⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe"C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe"2⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UANRNN0F\json[1].jsonFilesize
302B
MD58e05f3c0db548fd239a695579aee88d5
SHA161bca21b1c2ca5e1f381d78e700750b5b70e4232
SHA256c8e544e4519ee3dcfbebd98b060c640bd9d5327ac9b263ecae5449e0e502adc3
SHA512e352dd9dc53f9fdb226a5bc79ccbd1d741fa36e1c151f9169b585de9629bb94637ed1f6da158998b44556f07bd54a3a1673aeff340c87248e142204ee8ddb9cb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RunLegacyCPLElevated.lnkFilesize
1KB
MD5a35cf85f1370b6b5da9949bc4c31c246
SHA1a680ec09d12d64edc716ae3b8346f9cf026f77dc
SHA2565adbcbc225fb4da7bcdc889b5409474ce9046f888379e921d9438b9b9fabe91a
SHA51246510626ea3e968fa0c198644fe3c3e100a09fad934ebe1ad2b14b53c9325b9b2ff75662510f57c35033ab991de70387e030946fc9e10ab130bf808bd38f0470
-
C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exeFilesize
382KB
MD5432ad4941c057927786e3b6646ecf2f3
SHA145babe449954544219054e327523de5812597eaa
SHA2565607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA5128b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
-
C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exeFilesize
382KB
MD5432ad4941c057927786e3b6646ecf2f3
SHA145babe449954544219054e327523de5812597eaa
SHA2565607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA5128b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
-
\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exeFilesize
382KB
MD5432ad4941c057927786e3b6646ecf2f3
SHA145babe449954544219054e327523de5812597eaa
SHA2565607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA5128b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
-
\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exeFilesize
382KB
MD5432ad4941c057927786e3b6646ecf2f3
SHA145babe449954544219054e327523de5812597eaa
SHA2565607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA5128b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
-
memory/472-74-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/472-58-0x0000000000000000-mapping.dmp
-
memory/472-67-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/580-62-0x0000000000000000-mapping.dmp
-
memory/636-66-0x0000000000000000-mapping.dmp
-
memory/1156-65-0x0000000000000000-mapping.dmp
-
memory/1456-72-0x0000000000000000-mapping.dmp
-
memory/1504-71-0x0000000000000000-mapping.dmp
-
memory/1564-54-0x00000000763E1000-0x00000000763E3000-memory.dmpFilesize
8KB
-
memory/1564-63-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1564-55-0x0000000000270000-0x00000000002A5000-memory.dmpFilesize
212KB
-
memory/1564-56-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/1664-69-0x0000000000000000-mapping.dmp
-
memory/1764-70-0x0000000000000000-mapping.dmp