Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-04-2021 10:55
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
Resource
win10v20210410
General
-
Target
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
-
Size
215KB
-
MD5
9487de43f88f7e89bb5d3999f58bff15
-
SHA1
22a28e5379c3ae3da581cf4f1412cc8b73557c5c
-
SHA256
d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda
-
SHA512
f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
51196.exefileDL821.exefileDL821.exefileDL821.exepid process 3784 51196.exe 3808 fileDL821.exe 3408 fileDL821.exe 3468 fileDL821.exe -
Drops startup file 2 IoCs
Processes:
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe51196.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe 51196.exe -
Loads dropped DLL 2 IoCs
Processes:
51196.exeEhStorAuthn.exepid process 3784 51196.exe 3948 EhStorAuthn.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
EhStorAuthn.exefileDL821.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs" EhStorAuthn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscheck = "C:\\ProgramData\\fileDL821.exe" fileDL821.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 ip-api.com -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe51196.exeEhStorAuthn.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum 51196.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 51196.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum EhStorAuthn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 EhStorAuthn.exe -
Drops file in System32 directory 1 IoCs
Processes:
EhStorAuthn.exedescription ioc process File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EhStorAuthn.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 EhStorAuthn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EhStorAuthn.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
fileDL821.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.vshost.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.vshost.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11" fileDL821.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11" fileDL821.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11001" fileDL821.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11" fileDL821.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
51196.exefileDL821.exepid process 3784 51196.exe 3784 51196.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe 3808 fileDL821.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
fileDL821.exedescription pid process Token: SeDebugPrivilege 3808 fileDL821.exe Token: SeDebugPrivilege 3808 fileDL821.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
SecuriteInfo.com.Variant.Graftor.941749.26444.23114.execmd.exe51196.exeEhStorAuthn.exefileDL821.exedescription pid process target process PID 2204 wrote to memory of 3784 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe 51196.exe PID 2204 wrote to memory of 3784 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe 51196.exe PID 2204 wrote to memory of 3784 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe 51196.exe PID 2204 wrote to memory of 1296 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe cmd.exe PID 2204 wrote to memory of 1296 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe cmd.exe PID 2204 wrote to memory of 1296 2204 SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe cmd.exe PID 1296 wrote to memory of 4008 1296 cmd.exe PING.EXE PID 1296 wrote to memory of 4008 1296 cmd.exe PING.EXE PID 1296 wrote to memory of 4008 1296 cmd.exe PING.EXE PID 1296 wrote to memory of 4076 1296 cmd.exe cmd.exe PID 1296 wrote to memory of 4076 1296 cmd.exe cmd.exe PID 1296 wrote to memory of 4076 1296 cmd.exe cmd.exe PID 3784 wrote to memory of 3948 3784 51196.exe EhStorAuthn.exe PID 3784 wrote to memory of 3948 3784 51196.exe EhStorAuthn.exe PID 3784 wrote to memory of 3948 3784 51196.exe EhStorAuthn.exe PID 3784 wrote to memory of 3948 3784 51196.exe EhStorAuthn.exe PID 3948 wrote to memory of 1956 3948 EhStorAuthn.exe schtasks.exe PID 3948 wrote to memory of 1956 3948 EhStorAuthn.exe schtasks.exe PID 3948 wrote to memory of 1956 3948 EhStorAuthn.exe schtasks.exe PID 3948 wrote to memory of 3808 3948 EhStorAuthn.exe fileDL821.exe PID 3948 wrote to memory of 3808 3948 EhStorAuthn.exe fileDL821.exe PID 3948 wrote to memory of 3808 3948 EhStorAuthn.exe fileDL821.exe PID 3808 wrote to memory of 768 3808 fileDL821.exe schtasks.exe PID 3808 wrote to memory of 768 3808 fileDL821.exe schtasks.exe PID 3808 wrote to memory of 768 3808 fileDL821.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe"1⤵
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\EhStorAuthn.exe"C:\Windows\System32\EhStorAuthn.exe"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F4⤵
- Creates scheduled task(s)
PID:1956 -
C:\ProgramData\fileDL821.exe"C:\ProgramData\fileDL821.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /sc minute /mo 1 /tn "DecAdmin" /tr "C:\ProgramData\fileDL821.exe"5⤵
- Creates scheduled task(s)
PID:768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 33⤵
- Runs ping.exe
PID:4008 -
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"3⤵PID:4076
-
C:\ProgramData\fileDL821.exeC:\ProgramData\fileDL821.exe1⤵
- Executes dropped EXE
PID:3408
-
C:\ProgramData\fileDL821.exeC:\ProgramData\fileDL821.exe1⤵
- Executes dropped EXE
PID:3468
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\fileDL821.exeMD5
775029e6ac5944e85432fe39daf93ad7
SHA1430398ff667aa4576a3f8273e0317ad7d6a4c870
SHA25627e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b
SHA51253946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210
-
C:\ProgramData\fileDL821.exeMD5
775029e6ac5944e85432fe39daf93ad7
SHA1430398ff667aa4576a3f8273e0317ad7d6a4c870
SHA25627e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b
SHA51253946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210
-
C:\ProgramData\fileDL821.exeMD5
775029e6ac5944e85432fe39daf93ad7
SHA1430398ff667aa4576a3f8273e0317ad7d6a4c870
SHA25627e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b
SHA51253946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210
-
C:\ProgramData\fileDL821.exeMD5
775029e6ac5944e85432fe39daf93ad7
SHA1430398ff667aa4576a3f8273e0317ad7d6a4c870
SHA25627e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b
SHA51253946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fileDL821.exe.logMD5
6e1b08ede4d07113f8a126abbf6db2a8
SHA16aa7bfa1133ff30d8367507595d1a89550a7b279
SHA25645e7b1100a2d79e789bb3e10fba2af5381f7651cbf32eb188d1dd625bbe7095e
SHA512330bee9d8d285898686cea5e052ff50b07f358d6508e5337dda804d7caeca24d6b7aebad68ba3f53803519a8b74bb92542fcf8db1838944ef55181587bbec38b
-
C:\Users\Admin\AppData\Local\Temp\evb37AC.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\Temp\evb37CC.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\Temp\evb37FC.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\Temp\evb71FA.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\Temp\evb720B.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\Temp\evb721C.tmpMD5
6ec701ca4746fe93b6610e41ca09f949
SHA1c9bd06d55ae2827d73f2750f4f49426e0449d900
SHA2566c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d
SHA51232f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c
-
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4MD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exeMD5
9487de43f88f7e89bb5d3999f58bff15
SHA122a28e5379c3ae3da581cf4f1412cc8b73557c5c
SHA256d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda
SHA512f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exeMD5
9487de43f88f7e89bb5d3999f58bff15
SHA122a28e5379c3ae3da581cf4f1412cc8b73557c5c
SHA256d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda
SHA512f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4
-
C:\Users\Admin\AppData\Roaming\del.batMD5
4dfcfe7e645f22c7d94c15a545e039b1
SHA19acebcdac98cea209d15b582d6680cbb503dd24d
SHA256e3cff07167a88ab608d74e1efa95646fe44dccadaa064ad5dc6cd491447c3c75
SHA512f61d0e772d9b3958ea36d3d105aff067265559c565763cb50962cc2d78b40b992b4f92f483b69766a2563b0c34a08c583173b079b70c7f1034da2d5bebff920c
-
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4MD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4MD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
memory/768-139-0x0000000000000000-mapping.dmp
-
memory/1296-119-0x0000000000000000-mapping.dmp
-
memory/1956-129-0x0000000000000000-mapping.dmp
-
memory/2204-114-0x0000000003FD0000-0x0000000003FD9000-memory.dmpFilesize
36KB
-
memory/2204-115-0x0000000000400000-0x0000000003D9C000-memory.dmpFilesize
57.6MB
-
memory/3408-152-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3468-163-0x0000000002E80000-0x0000000002E81000-memory.dmpFilesize
4KB
-
memory/3784-123-0x0000000000400000-0x0000000003D9C000-memory.dmpFilesize
57.6MB
-
memory/3784-116-0x0000000000000000-mapping.dmp
-
memory/3808-133-0x0000000000400000-0x0000000000402000-memory.dmpFilesize
8KB
-
memory/3808-143-0x0000000000A18000-0x0000000000A19000-memory.dmpFilesize
4KB
-
memory/3808-142-0x0000000000A17000-0x0000000000A18000-memory.dmpFilesize
4KB
-
memory/3808-141-0x0000000000A16000-0x0000000000A17000-memory.dmpFilesize
4KB
-
memory/3808-140-0x0000000000A15000-0x0000000000A16000-memory.dmpFilesize
4KB
-
memory/3808-138-0x0000000000A13000-0x0000000000A15000-memory.dmpFilesize
8KB
-
memory/3808-153-0x0000000000A19000-0x0000000000A1A000-memory.dmpFilesize
4KB
-
memory/3808-137-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/3808-134-0x0000000010000000-0x0000000010018000-memory.dmpFilesize
96KB
-
memory/3808-130-0x0000000000000000-mapping.dmp
-
memory/3948-127-0x0000000002750000-0x000000000275B000-memory.dmpFilesize
44KB
-
memory/4008-121-0x0000000000000000-mapping.dmp
-
memory/4076-124-0x0000000000000000-mapping.dmp