Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-05-2024 05:46

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  Resource: win10v2004-20240426-en
General

Target: 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Size: 177KB
MD5: 4612fbda398e6d7570975a3b122849d8
SHA1: 0b044922439de8838eb6c0dcf604c47dd36dd4dd
SHA256: d7401acbe93358af3649a47f80a178df497f699d8d430b8400b008dec894b1b9
SHA512: 5f3f223067e4cb5c40b5ded590b877d6644762f5c4ffd14414ad9430721b8418a674b3e74ba7d5fa3e7339c4a73f2eca27370c1f2de51641e721f4f22a15d803
SSDEEP: 3072:7UtN1FlUqaTkJPFAJwt33qFS2Ac/koKJFfFlo4U7ipdS8TZGVZ+Fbvc97:o1F9EkJPyG3qqchjD7u6OvO
Malware Config

Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
  http://cerberhhyed5frqa.onion.to/43EB-397C-B8A2-0072-B56A
  http://cerberhhyed5frqa.onion.cab/43EB-397C-B8A2-0072-B56A
  http://cerberhhyed5frqa.onion.nu/43EB-397C-B8A2-0072-B56A
  http://cerberhhyed5frqa.onion.link/43EB-397C-B8A2-0072-B56A
  http://cerberhhyed5frqa.tor2web.org/43EB-397C-B8A2-0072-B56A
  http://cerberhhyed5frqa.onion/43EB-397C-B8A2-0072-B56A

Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
Signatures

- Contacts a large (16399) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion (12 IoCs)
  resource | yara_rule
  behavioral2/memory/4576-2-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4576-3-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-16-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-18-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-17-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-15-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4576-19-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-23-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-25-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-29-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-341-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/4512-360-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

- Detects command variations typically used by ransomware (12 IoCs)
  resource | yara_rule
  behavioral2/memory/4576-2-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4576-3-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-16-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-18-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-17-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-15-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4576-19-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-23-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-25-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-29-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-341-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral2/memory/4512-360-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware

- Detects executables referencing many IR and analysis tools (12 IoCs)
  resource | yara_rule
  behavioral2/memory/4576-2-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4576-3-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-16-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-18-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-17-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-15-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4576-19-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-23-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-25-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-29-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-341-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools
  behavioral2/memory/4512-360-0x0000000000400000-0x000000000042F000-memory.dmp | INDICATOR_SUSPICIOUS_References_SecTools

- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | sc.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sc.exe

- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sc.lnk | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sc.lnk | sc.exe

- Executes dropped EXE (1 IoCs)
  pid | process
  4512 | sc.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | sc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | sc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  12 | ipinfo.io
- Launches sc.exe (1 IoCs)
  Sc.exe is a Windows utility to control services on the system. Note that the matching process here (PID 4512) is the dropped copy at C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\sc.exe shown in the process tree, not the Windows service-control utility; the signature matched on the file name.
  pid | process
  4512 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | process
  3272 | vssadmin.exe

- Kills process with taskkill (2 IoCs)
  pid | process
  1884 | taskkill.exe
  396 | taskkill.exe

- Modifies Control Panel (4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop | sc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | sc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{75F6D708-221F-6073-7B3A-46D783DB8929}\\sc.exe\"" | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe

- Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sc.exe

- Runs ping.exe (1 TTPs, 2 IoCs)

- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid | process | entries
  4512 | sc.exe | 36
  4140 | msedge.exe | 2
  3692 | msedge.exe | 2
  4340 | identity_helper.exe | 2

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid | process | entries
  3692 | msedge.exe | 10

- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  pid | process | tokens
  4576 | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe | SeDebugPrivilege
  4512 | sc.exe | SeDebugPrivilege
  1884 | taskkill.exe | SeDebugPrivilege
  4580 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  540 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence was recorded twice)
  2412 | AUDIODG.EXE | 33, SeIncBasePriorityPrivilege
  396 | taskkill.exe | SeDebugPrivilege

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process | entries
  3692 | msedge.exe | 25

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process | entries
  3692 | msedge.exe | 24

- Suspicious use of WriteProcessMemory (64 IoCs)
  pid | process | target pid | target process | entries
  4576 | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe | 4512 | sc.exe | 3
  4576 | 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe | 3912 | cmd.exe | 3
  4512 | sc.exe | 3272 | vssadmin.exe | 2
  3912 | cmd.exe | 1884 | taskkill.exe | 3
  3912 | cmd.exe | 3532 | PING.EXE | 3
  4512 | sc.exe | 540 | wmic.exe | 2
  4512 | sc.exe | 3692 | msedge.exe | 2
  3692 | msedge.exe | 4876 | msedge.exe | 2
  4512 | sc.exe | 556 | NOTEPAD.EXE | 2
  3692 | msedge.exe | 4864 | msedge.exe | 40
  3692 | msedge.exe | 4140 | msedge.exe | 2

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe (PID 4576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\sc.exe (PID 4512)
        Command line: "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\sc.exe"
        - Adds policy Run key to start application
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Launches sc.exe
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\vssadmin.exe (PID 3272)
            Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            - Interacts with shadow copies

        [3] C:\Windows\system32\wbem\wmic.exe (PID 540)
            Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3692)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4876)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9841e46f8,0x7ff9841e4708,0x7ff9841e4718

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4864)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4140)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2928)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 276)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4576)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2328)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3876)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2216)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3676)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4340)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3180)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2124)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3236)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4412)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4608)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4482376687484579123,4501146177674071396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1

        [3] C:\Windows\system32\NOTEPAD.EXE (PID 556)
            Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3600)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.onion.to/43EB-397C-B8A2-0072-B56A

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3112)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9841e46f8,0x7ff9841e4708,0x7ff9841e4718

        [3] C:\Windows\System32\WScript.exe (PID 3156)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        [3] C:\Windows\system32\cmd.exe (PID 3336)
            Command line: /d /c taskkill /t /f /im "sc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\sc.exe" > NUL

            [4] C:\Windows\system32\taskkill.exe (PID 396)
                Command line: taskkill /t /f /im "sc.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\system32\PING.EXE (PID 1640)
                Command line: ping -n 1 127.0.0.1
                - Runs ping.exe

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3912)
        Command line: /d /c taskkill /t /f /im "2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe" > NUL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe (PID 1884)
            Command line: taskkill /t /f /im "2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\PING.EXE (PID 3532)
            Command line: ping -n 1 127.0.0.1
            - Runs ping.exe

[1] C:\Windows\system32\vssvc.exe (PID 4580)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\CompPkgSrv.exe (PID 1508)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 2368)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\AUDIODG.EXE (PID 2412)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x514 0x510
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f53207a5ca2ef5c7e976cbb3cb26d870
  SHA1: 49a8cc44f53da77bb3dfb36fc7676ed54675db43
  SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
  SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ae54e9db2e89f2c54da8cc0bfcbd26bd
  SHA1: a88af6c673609ecbc51a1a60dfbc8577830d2b5d
  SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
  SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 368e0afefde51ed9d6726bfa910e757e
  SHA1: ecc584f30824b51f8fecbe7ef748bd8276e614ee
  SHA256: 8a6ea86a04acdefe18c25ad20f81dcc7acc5467ea5ce558e5b4cb68f3c650d75
  SHA512: f3b73c9eeaf580770840fd4c21376d4aebc0b7b6ba08ac9e898e10528f73f73336b2c79c80821faf8866caef163ad2ca704723d3f33bb600352f4a605f25bd1f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 35ba3cae3e6a2c2dc2cbbf9b68f8a64d
  SHA1: c280e320d8e437fc9a68e62946a946df76d84941
  SHA256: 40d9a71cfe7ea80c9fd51d951ef4bfc68c9cb9a7f01736419adfee6f405f41a4
  SHA512: befca9d5e568cd7c6778d24c16ac8ebe09c09d773b9389eed514755831954a7d4ec826afd88f3ff253114844e6388ab7a4198b6c32ffe69f691cb012b9938de7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 3d11f4a92f148efe400c85b9abc0b9cd
  SHA1: 745e3d3a49dfa8b033108794942f4d6add724bae
  SHA256: 2fd6661fa2b5fadbd64822b2f26b41dc836a0374fecf397a4bbff890fb086cb9
  SHA512: 00f2f2f45d849f6019383863de193b49c916facb3a8d4f8021b76f49b711c2b6480d670f041ea2398b90fe5b321fe72ea8166968a53e540ce41c92163e28f537
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: 4173aa941bbc085f48c54f95dfd7f7d5
  SHA1: e8a8d1984936cea3e85ea37ef07239f52c7b2f38
  SHA256: 6e86c4bc7825b3107b95316521c27b6813095ad0c46387329a6b4458135b4a9f
  SHA512: 2ac1d61d2a7b85d10e47361db9d3428996cfc9e3abba9733d6e1befe1da1009220322644e6221d208f8b85dc40ae311e311727e5dc8db74f33c2e109e12df410
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: 483dd2e671e8d27624c32efdce588675
  SHA1: 094007b2a0afc31b2aee5b8977573cef0aa70c5b
  SHA256: ce0e374755836e7c439fb7546fa0187a01d82dd8a053e3b1a52f86264fe672cd
  SHA512: 67ba60b8d590a0edf43f5b36ad26fcec31589e4d49c5c1233cd21f4f095bdf2fa0a90a850116a90cff33665021555c85f779929688d980532f13e4f73b4be541
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sc.lnk
  Filesize: 1KB
  MD5: 9cc72b084692658a102d0dcb6ec6325d
  SHA1: c184fb84b77c694c496eddfb73042aea183b49f0
  SHA256: fb7dc922d10c52c6c2b097de86213d4451677a3d9f7aa6ffc67622b825cd6e0f
  SHA512: 202037caf5348528740f956e29a34c83ded5a544cc8a13955821a74419af48ecbbb01ee5284a893e0ecbcd52a097c0f1b5e4f3c969804f25b639b4a5b82839cc
- C:\Users\Admin\AppData\Roaming\{75F6D708-221F-6073-7B3A-46D783DB8929}\sc.exe
  Filesize: 177KB
  MD5: 4612fbda398e6d7570975a3b122849d8
  SHA1: 0b044922439de8838eb6c0dcf604c47dd36dd4dd
  SHA256: d7401acbe93358af3649a47f80a178df497f699d8d430b8400b008dec894b1b9
  SHA512: 5f3f223067e4cb5c40b5ded590b877d6644762f5c4ffd14414ad9430721b8418a674b3e74ba7d5fa3e7339c4a73f2eca27370c1f2de51641e721f4f22a15d803
- C:\Users\Admin\Music\# DECRYPT MY FILES #.url
  Filesize: 83B
  MD5: 4d48f0f328217e54af5426ebbe692f8b
  SHA1: b3ea7ec95e42119616312122cd9c0152097e1c36
  SHA256: 72ed7ca3b2d1660519cbf9ebecf1ef6189b16d5848dc2ac5bc0e3c2bd882eda2
  SHA512: 8dc7a4bbd9284410718491e86970d5c94b1c31bb1b3f81811dbc4cef4072ba902455f220ada12d3a75f7f7f8eaffc237ab4f48f8d150d94eb1c8feb140db002e
- C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs
  Filesize: 210B
  MD5: e885e348f83d97db3deb82ed43a64eeb
  SHA1: 931f6266326fb778117d52d9e74eb9b8545bb2f2
  SHA256: bf4b1b2372317eb80d719b452100e9538ea7d44f5e168a7e59d0aecfebf5b660
  SHA512: 4fee5c7cf95a5930062eea507911d172644c73c592291a520230eca5bb27009923cf03f0b6bdc1912eee841dcc561f82b4071265e75787801a07547650d1be44
- \??\pipe\LOCAL\crashpad_3692_BVPWEAFEVJLZNHCB
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/4512-16-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-18-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-360-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-23-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-25-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-29-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-14-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-15-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-17-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-20-0x0000000002180000-0x0000000002181000-memory.dmp
  Filesize: 4KB
- memory/4512-341-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4512-13-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4576-5-0x0000000000401000-0x0000000000413000-memory.dmp
  Filesize: 72KB
- memory/4576-4-0x0000000002050000-0x000000000206F000-memory.dmp
  Filesize: 124KB
- memory/4576-0-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4576-2-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4576-1-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4576-3-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4576-19-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB