Analysis
-
max time kernel
150s -
max time network
162s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-07-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
F-Launcher.exe
Resource
win7v20210410
General
-
Target
F-Launcher.exe
-
Size
1.1MB
-
MD5
6c592736cf6ae24c1d7e5d051234fdbd
-
SHA1
dcfddb9aed55a79e38287ddd4e849728d61b67c7
-
SHA256
846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8
-
SHA512
e5d7692eec1fbdf05c87164951d93a911c0c2308e700d5b7543852c98d31fddfc2c2ed043a514def3a1d9e5fe7317b3771f148dad2c900a3e58e3454e1e6fad1
Malware Config
Extracted
darkcomet
GG
secret92.ddns.net:82
DC_MUTEX-A6ET8RQ
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
oqyLUmi211Cb
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Extracted
njrat
0.7NC
NYAN CAT
secret92.ddns.net:8082
0c3398f1458
-
reg_key
0c3398f1458
-
splitter
@!#&^%$
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
darknj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" darknj.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
Executes dropped EXE 4 IoCs
Processes:
darknj.exeR-Launcher.exeNJ.EXEmsdcsc.exepid process 2524 darknj.exe 2660 R-Launcher.exe 200 NJ.EXE 3312 msdcsc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
darknj.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation darknj.exe -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
darknj.exemsdcsc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" darknj.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2576 3248 WerFault.exe javaw.exe -
Modifies registry class 1 IoCs
Processes:
darknj.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance darknj.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exepid process 1296 vlc.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe 2576 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
vlc.exemsdcsc.exepid process 1296 vlc.exe 3312 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
darknj.exeWerFault.exemsdcsc.exeNJ.EXEdescription pid process Token: SeIncreaseQuotaPrivilege 2524 darknj.exe Token: SeSecurityPrivilege 2524 darknj.exe Token: SeTakeOwnershipPrivilege 2524 darknj.exe Token: SeLoadDriverPrivilege 2524 darknj.exe Token: SeSystemProfilePrivilege 2524 darknj.exe Token: SeSystemtimePrivilege 2524 darknj.exe Token: SeProfSingleProcessPrivilege 2524 darknj.exe Token: SeIncBasePriorityPrivilege 2524 darknj.exe Token: SeCreatePagefilePrivilege 2524 darknj.exe Token: SeBackupPrivilege 2524 darknj.exe Token: SeRestorePrivilege 2524 darknj.exe Token: SeShutdownPrivilege 2524 darknj.exe Token: SeDebugPrivilege 2524 darknj.exe Token: SeSystemEnvironmentPrivilege 2524 darknj.exe Token: SeChangeNotifyPrivilege 2524 darknj.exe Token: SeRemoteShutdownPrivilege 2524 darknj.exe Token: SeUndockPrivilege 2524 darknj.exe Token: SeManageVolumePrivilege 2524 darknj.exe Token: SeImpersonatePrivilege 2524 darknj.exe Token: SeCreateGlobalPrivilege 2524 darknj.exe Token: 33 2524 darknj.exe Token: 34 2524 darknj.exe Token: 35 2524 darknj.exe Token: 36 2524 darknj.exe Token: SeDebugPrivilege 2576 WerFault.exe Token: SeIncreaseQuotaPrivilege 3312 msdcsc.exe Token: SeSecurityPrivilege 3312 msdcsc.exe Token: SeTakeOwnershipPrivilege 3312 msdcsc.exe Token: SeLoadDriverPrivilege 3312 msdcsc.exe Token: SeSystemProfilePrivilege 3312 msdcsc.exe Token: SeSystemtimePrivilege 3312 msdcsc.exe Token: SeProfSingleProcessPrivilege 3312 msdcsc.exe Token: SeIncBasePriorityPrivilege 3312 msdcsc.exe Token: SeCreatePagefilePrivilege 3312 msdcsc.exe Token: SeBackupPrivilege 3312 msdcsc.exe Token: SeRestorePrivilege 3312 msdcsc.exe Token: SeShutdownPrivilege 3312 msdcsc.exe Token: SeDebugPrivilege 3312 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3312 msdcsc.exe Token: SeChangeNotifyPrivilege 3312 msdcsc.exe Token: SeRemoteShutdownPrivilege 3312 msdcsc.exe Token: SeUndockPrivilege 3312 msdcsc.exe Token: SeManageVolumePrivilege 3312 msdcsc.exe Token: SeImpersonatePrivilege 3312 msdcsc.exe Token: SeCreateGlobalPrivilege 3312 msdcsc.exe Token: 33 3312 msdcsc.exe Token: 34 3312 msdcsc.exe Token: 35 3312 msdcsc.exe Token: 36 3312 msdcsc.exe Token: SeDebugPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE Token: 33 200 NJ.EXE Token: SeIncBasePriorityPrivilege 200 NJ.EXE -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
vlc.exepid process 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
vlc.exepid process 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe 1296 vlc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
msdcsc.exevlc.exepid process 3312 msdcsc.exe 1296 vlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
F-Launcher.exeR-Launcher.exedarknj.execmd.execmd.exemsdcsc.exedescription pid process target process PID 3492 wrote to memory of 2524 3492 F-Launcher.exe darknj.exe PID 3492 wrote to memory of 2524 3492 F-Launcher.exe darknj.exe PID 3492 wrote to memory of 2524 3492 F-Launcher.exe darknj.exe PID 3492 wrote to memory of 2660 3492 F-Launcher.exe R-Launcher.exe PID 3492 wrote to memory of 2660 3492 F-Launcher.exe R-Launcher.exe PID 3492 wrote to memory of 2660 3492 F-Launcher.exe R-Launcher.exe PID 2660 wrote to memory of 3248 2660 R-Launcher.exe javaw.exe PID 2660 wrote to memory of 3248 2660 R-Launcher.exe javaw.exe PID 2524 wrote to memory of 3224 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 3224 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 3224 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 3464 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 3464 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 3464 2524 darknj.exe cmd.exe PID 2524 wrote to memory of 200 2524 darknj.exe NJ.EXE PID 2524 wrote to memory of 200 2524 darknj.exe NJ.EXE PID 2524 wrote to memory of 200 2524 darknj.exe NJ.EXE PID 3464 wrote to memory of 2836 3464 cmd.exe attrib.exe PID 3464 wrote to memory of 2836 3464 cmd.exe attrib.exe PID 3464 wrote to memory of 2836 3464 cmd.exe attrib.exe PID 3224 wrote to memory of 2988 3224 cmd.exe attrib.exe PID 3224 wrote to memory of 2988 3224 cmd.exe attrib.exe PID 3224 wrote to memory of 2988 3224 cmd.exe attrib.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3612 2524 darknj.exe notepad.exe PID 2524 wrote to memory of 3312 2524 darknj.exe msdcsc.exe PID 2524 wrote to memory of 3312 2524 darknj.exe msdcsc.exe PID 2524 wrote to memory of 3312 2524 darknj.exe msdcsc.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe PID 3312 wrote to memory of 1308 3312 msdcsc.exe notepad.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2836 attrib.exe 2988 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe"C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\darknj.exe"C:\Users\Admin\AppData\Local\Temp\darknj.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\NJ.EXE"C:\Users\Admin\AppData\Local\Temp\NJ.EXE"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3248 -s 3604⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DenyUndo.mpe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exeMD5
2308cedb77f66e4a821d57e8ee1e08a5
SHA142ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
SHA2568eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
SHA512ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exeMD5
2308cedb77f66e4a821d57e8ee1e08a5
SHA142ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
SHA2568eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
SHA512ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
-
C:\Users\Admin\AppData\Local\Temp\NJ.EXEMD5
7033b44842fd35925e857497f9cb1653
SHA10db1543f4af1b37e9d3d93b75f5d8329d6337b3f
SHA256381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f
SHA512f74abf39181aa65068740d99968d503ce96bd2dc3c2a0a7251422204c7cda0aa54bc20edce2b37b264348cf97594ed3f99a31028a1eb9e17fd81b4ba4453de0f
-
C:\Users\Admin\AppData\Local\Temp\NJ.EXEMD5
7033b44842fd35925e857497f9cb1653
SHA10db1543f4af1b37e9d3d93b75f5d8329d6337b3f
SHA256381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f
SHA512f74abf39181aa65068740d99968d503ce96bd2dc3c2a0a7251422204c7cda0aa54bc20edce2b37b264348cf97594ed3f99a31028a1eb9e17fd81b4ba4453de0f
-
C:\Users\Admin\AppData\Local\Temp\R-Launcher.exeMD5
f09f583748cb26682f60279b8bba14c8
SHA1caf750a85d3abd708c080ebfa995bc2cc0b4cafd
SHA2567f5b29de3370f01b63bcdf4fc7939728f2b11428462d0e2ba77a2bb62b7698dc
SHA512cf8c278f297e250966ce2302191718dae3e7b09f5f9e2da2efb2bfe87ba87196f69be5c0fe52bf7048230ce616bee76d005a11fa646986fa8b33688d95861ae9
-
C:\Users\Admin\AppData\Local\Temp\R-Launcher.exeMD5
f09f583748cb26682f60279b8bba14c8
SHA1caf750a85d3abd708c080ebfa995bc2cc0b4cafd
SHA2567f5b29de3370f01b63bcdf4fc7939728f2b11428462d0e2ba77a2bb62b7698dc
SHA512cf8c278f297e250966ce2302191718dae3e7b09f5f9e2da2efb2bfe87ba87196f69be5c0fe52bf7048230ce616bee76d005a11fa646986fa8b33688d95861ae9
-
C:\Users\Admin\AppData\Local\Temp\darknj.exeMD5
2308cedb77f66e4a821d57e8ee1e08a5
SHA142ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
SHA2568eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
SHA512ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
-
C:\Users\Admin\AppData\Local\Temp\darknj.exeMD5
2308cedb77f66e4a821d57e8ee1e08a5
SHA142ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
SHA2568eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
SHA512ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
-
memory/200-130-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/200-123-0x0000000000000000-mapping.dmp
-
memory/1308-137-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/1308-136-0x0000000000000000-mapping.dmp
-
memory/2524-125-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/2524-114-0x0000000000000000-mapping.dmp
-
memory/2660-117-0x0000000000000000-mapping.dmp
-
memory/2836-127-0x0000000000000000-mapping.dmp
-
memory/2988-128-0x0000000000000000-mapping.dmp
-
memory/3224-121-0x0000000000000000-mapping.dmp
-
memory/3248-120-0x0000000000000000-mapping.dmp
-
memory/3312-132-0x0000000000000000-mapping.dmp
-
memory/3312-135-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB
-
memory/3464-122-0x0000000000000000-mapping.dmp
-
memory/3612-131-0x00000000006F0000-0x000000000079E000-memory.dmpFilesize
696KB
-
memory/3612-129-0x0000000000000000-mapping.dmp