Analysis
-
max time kernel
146s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
11-02-2022 18:35
Static task
static1
Behavioral task
behavioral1
Sample
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
Resource
win10v2004-en-20220112
General
-
Target
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
-
Size
107KB
-
MD5
40c01e02dd940c2b3ca1466799da68fd
-
SHA1
daa2b8467edff06bf3f8cc926534bc088049a092
-
SHA256
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96
-
SHA512
831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5
Malware Config
Extracted
C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
sodinokibi
http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion
http://decryptor.top/913AED0B5FE1497D
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\a8hadofi = "C: \\Users\\Admin\\AppData\\Local\\Temp\\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe" b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription ioc process File opened for modification C:\Users\Admin\Documents\desktop.ini b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies Control Panel 2 IoCs
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallpaperStyle = "1" b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\TileWallpaper = "0" b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe -
Modifies data under HKEY_USERS 55 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.667237" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4032" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006544" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4268" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.692334" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892545282479776" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exedescription pid process Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe Token: SeRestorePrivilege 4080 TiWorker.exe Token: SeSecurityPrivilege 4080 TiWorker.exe Token: SeBackupPrivilege 4080 TiWorker.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exedescription pid process target process PID 1588 wrote to memory of 2324 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe PID 1588 wrote to memory of 2324 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe PID 1588 wrote to memory of 2324 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe PID 1588 wrote to memory of 792 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe PID 1588 wrote to memory of 792 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe PID 1588 wrote to memory of 792 1588 b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule group==”Network Discovery” new enable=Yes”2⤵PID:2324
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:792
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3912
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:548
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵PID:2804
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt1⤵PID:1264
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txtMD5
f36e3f7740af03ffd0e55e87c507219f
SHA157f70fd951cfd232b955478eca8ac0d7d1d0c6ad
SHA2568cd2c35f118ae6995f0f09d3ec1e19ba25b4ca846255a491cce9d5310a9b2f66
SHA512552d0b8ad4ee664f7c35c015e2788938f5650d4cff2065f033a7f668f10a0e2564a633669cfefbc0fcb4b8fba63cc0c1a91d9a68f84a6ec63d057531decde108
-
memory/1588-130-0x0000000074B4E000-0x0000000074B4F000-memory.dmpFilesize
4KB
-
memory/1588-131-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1588-132-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/1588-133-0x0000000004C50000-0x0000000004CE2000-memory.dmpFilesize
584KB