Analysis
-
max time kernel
134s -
max time network
34s -
platform
windows7_x64 -
resource
win7 -
submitted
30-07-2020 05:57
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Resource
win7
General
-
Target
SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Size
1.1MB
-
MD5
9940b1d4284582df2342b9c394b34d20
-
SHA1
ffe310f517cc7e6e7dc6ca10007338b2c1d09f66
-
SHA256
087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7
-
SHA512
b578d6c3a27f56d85ddeadcc8f96a40c3aa4c64684d9d0451769233997c2d0c0521ec7497d63d2da2686b227a9e6714492f1f6dc5ea2b280d08bf27608f491dd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Executes dropped EXE 1 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.tmppid process 1448 SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp -
Processes:
resource yara_rule behavioral1/memory/1204-0-0x0000000001EC0000-0x0000000002F4E000-memory.dmp upx -
Loads dropped DLL 1 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exepid process 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process File opened (read-only) \??\Y: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\Z: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\K: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\M: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\N: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\P: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\S: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\T: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\F: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\L: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\O: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\I: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\Q: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\W: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\X: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\E: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\G: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\H: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\V: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\J: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\R: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened (read-only) \??\U: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 7 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DW\DW20.EXE SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DW\DWTRIG20.EXE SecuriteInfo.com.Win32.Sector.30.16924.15564.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Drops file in Windows directory 1 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exepid process 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.tmppid process 1448 SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp -
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription pid process Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Token: SeDebugPrivilege 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription pid process target process PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1448 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE PID 1204 wrote to memory of 1112 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe taskhost.exe PID 1204 wrote to memory of 1216 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Dwm.exe PID 1204 wrote to memory of 1276 1204 SecuriteInfo.com.Win32.Sector.30.16924.15564.exe Explorer.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
SecuriteInfo.com.Win32.Sector.30.16924.15564.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp"C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp" /SL5="$50132,805193,53248,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmpFilesize
669KB
MD552950ac9e2b481453082f096120e355a
SHA1159c09db1abcee9114b4f792ffba255c78a6e6c3
SHA25625fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd
SHA5125b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba
-
C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmpFilesize
669KB
MD552950ac9e2b481453082f096120e355a
SHA1159c09db1abcee9114b4f792ffba255c78a6e6c3
SHA25625fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd
SHA5125b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba
-
\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmpFilesize
669KB
MD552950ac9e2b481453082f096120e355a
SHA1159c09db1abcee9114b4f792ffba255c78a6e6c3
SHA25625fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd
SHA5125b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba
-
memory/1204-0-0x0000000001EC0000-0x0000000002F4E000-memory.dmpFilesize
16.6MB
-
memory/1448-2-0x0000000000000000-mapping.dmp
-
memory/1448-5-0x0000000000000000-mapping.dmp
-
memory/1448-6-0x0000000000000000-mapping.dmp