Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10_x64 -
resource
win10-en -
submitted
08-09-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
Resource
win7v20210408
General
-
Target
cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
-
Size
1.3MB
-
MD5
50889863763dec84072482d72d257a5a
-
SHA1
ee585ed89df214b743ceb8fe2cf85999e6013806
-
SHA256
cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
-
SHA512
4fb2c1a727d4b703e0e88eef85b4d57f181f9a0658219e493f3a3435c98defb0dc845c3d07b5be1d0bac5357f3e2a5b03e38b696fa846e8e17b4fc50f5c5d5eb
Malware Config
Extracted
darkcomet
m2
127.0.0.1:1604
laylaylom15975300.freeddns.org:1604
DC_MUTEX-J1SBQ5X
-
InstallPath
MSDCSC\iexplorer.exe
-
gencode
bTMSQkMKM11U
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Windows Defender
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
BOARDMT2 TICARET HACK V2.3.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe" BOARDMT2 TICARET HACK V2.3.EXE -
Modifies security service 2 TTPs 1 IoCs
Processes:
iexplorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplorer.exe -
Executes dropped EXE 3 IoCs
Processes:
BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exepid process 2248 BOARDMT2 TICARET HACK V2.3.EXE 2516 SERVER.EXE 4204 iexplorer.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
BOARDMT2 TICARET HACK V2.3.EXEdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation BOARDMT2 TICARET HACK V2.3.EXE -
Processes:
SERVER.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" SERVER.EXE -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe" BOARDMT2 TICARET HACK V2.3.EXE Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SERVER.EXE Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run SERVER.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mscvin = "C:\\Windows\\Mscvin.exe" SERVER.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe" iexplorer.exe -
Processes:
SERVER.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE -
Drops file in Windows directory 2 IoCs
Processes:
SERVER.EXEdescription ioc process File created C:\Windows\Mscvin.exe SERVER.EXE File opened for modification C:\Windows\Mscvin.exe SERVER.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
Processes:
BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance BOARDMT2 TICARET HACK V2.3.EXE Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\MIME\Database SERVER.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset SERVER.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage SERVER.EXE -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplorer.exepid process 4204 iexplorer.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
SERVER.EXEBOARDMT2 TICARET HACK V2.3.EXEiexplorer.exedescription pid process Token: SeBackupPrivilege 2516 SERVER.EXE Token: SeIncreaseQuotaPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeSecurityPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeTakeOwnershipPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeLoadDriverPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeSystemProfilePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeSystemtimePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeProfSingleProcessPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeIncBasePriorityPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeCreatePagefilePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeBackupPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeRestorePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeShutdownPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeDebugPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeSystemEnvironmentPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeChangeNotifyPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeRemoteShutdownPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeUndockPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeManageVolumePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeImpersonatePrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeCreateGlobalPrivilege 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: 33 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: 34 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: 35 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: 36 2248 BOARDMT2 TICARET HACK V2.3.EXE Token: SeIncreaseQuotaPrivilege 4204 iexplorer.exe Token: SeSecurityPrivilege 4204 iexplorer.exe Token: SeTakeOwnershipPrivilege 4204 iexplorer.exe Token: SeLoadDriverPrivilege 4204 iexplorer.exe Token: SeSystemProfilePrivilege 4204 iexplorer.exe Token: SeSystemtimePrivilege 4204 iexplorer.exe Token: SeProfSingleProcessPrivilege 4204 iexplorer.exe Token: SeIncBasePriorityPrivilege 4204 iexplorer.exe Token: SeCreatePagefilePrivilege 4204 iexplorer.exe Token: SeBackupPrivilege 4204 iexplorer.exe Token: SeRestorePrivilege 4204 iexplorer.exe Token: SeShutdownPrivilege 4204 iexplorer.exe Token: SeDebugPrivilege 4204 iexplorer.exe Token: SeSystemEnvironmentPrivilege 4204 iexplorer.exe Token: SeChangeNotifyPrivilege 4204 iexplorer.exe Token: SeRemoteShutdownPrivilege 4204 iexplorer.exe Token: SeUndockPrivilege 4204 iexplorer.exe Token: SeManageVolumePrivilege 4204 iexplorer.exe Token: SeImpersonatePrivilege 4204 iexplorer.exe Token: SeCreateGlobalPrivilege 4204 iexplorer.exe Token: 33 4204 iexplorer.exe Token: 34 4204 iexplorer.exe Token: 35 4204 iexplorer.exe Token: 36 4204 iexplorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
SERVER.EXEiexplorer.exepid process 2516 SERVER.EXE 4204 iexplorer.exe 2516 SERVER.EXE -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exeSERVER.EXEBOARDMT2 TICARET HACK V2.3.EXEnet.exenet.execmd.execmd.execmd.exeiexplorer.exeWinMail.exedescription pid process target process PID 3332 wrote to memory of 2248 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe BOARDMT2 TICARET HACK V2.3.EXE PID 3332 wrote to memory of 2248 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe BOARDMT2 TICARET HACK V2.3.EXE PID 3332 wrote to memory of 2248 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe BOARDMT2 TICARET HACK V2.3.EXE PID 3332 wrote to memory of 2516 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe SERVER.EXE PID 3332 wrote to memory of 2516 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe SERVER.EXE PID 3332 wrote to memory of 2516 3332 cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe SERVER.EXE PID 2516 wrote to memory of 3740 2516 SERVER.EXE netsh.exe PID 2516 wrote to memory of 3740 2516 SERVER.EXE netsh.exe PID 2516 wrote to memory of 3740 2516 SERVER.EXE netsh.exe PID 2516 wrote to memory of 1444 2516 SERVER.EXE net.exe PID 2516 wrote to memory of 1444 2516 SERVER.EXE net.exe PID 2516 wrote to memory of 1444 2516 SERVER.EXE net.exe PID 2516 wrote to memory of 3272 2516 SERVER.EXE net.exe PID 2516 wrote to memory of 3272 2516 SERVER.EXE net.exe PID 2516 wrote to memory of 3272 2516 SERVER.EXE net.exe PID 2248 wrote to memory of 3812 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3812 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3812 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3864 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3864 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3864 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3848 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3848 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 2248 wrote to memory of 3848 2248 BOARDMT2 TICARET HACK V2.3.EXE cmd.exe PID 1444 wrote to memory of 1868 1444 net.exe net1.exe PID 1444 wrote to memory of 1868 1444 net.exe net1.exe PID 1444 wrote to memory of 1868 1444 net.exe net1.exe PID 3272 wrote to memory of 2244 3272 net.exe net1.exe PID 3272 wrote to memory of 2244 3272 net.exe net1.exe PID 3272 wrote to memory of 2244 3272 net.exe net1.exe PID 3812 wrote to memory of 4124 3812 cmd.exe attrib.exe PID 3812 wrote to memory of 4124 3812 cmd.exe attrib.exe PID 3812 wrote to memory of 4124 3812 cmd.exe attrib.exe PID 3864 wrote to memory of 4164 3864 cmd.exe attrib.exe PID 3864 wrote to memory of 4164 3864 cmd.exe attrib.exe PID 3864 wrote to memory of 4164 3864 cmd.exe attrib.exe PID 3848 wrote to memory of 4184 3848 cmd.exe PING.EXE PID 3848 wrote to memory of 4184 3848 cmd.exe PING.EXE PID 3848 wrote to memory of 4184 3848 cmd.exe PING.EXE PID 2248 wrote to memory of 4204 2248 BOARDMT2 TICARET HACK V2.3.EXE iexplorer.exe PID 2248 wrote to memory of 4204 2248 BOARDMT2 TICARET HACK V2.3.EXE iexplorer.exe PID 2248 wrote to memory of 4204 2248 BOARDMT2 TICARET HACK V2.3.EXE iexplorer.exe PID 4204 wrote to memory of 4280 4204 iexplorer.exe iexplore.exe PID 4204 wrote to memory of 4280 4204 iexplorer.exe iexplore.exe PID 4204 wrote to memory of 4280 4204 iexplorer.exe iexplore.exe PID 4204 wrote to memory of 4288 4204 iexplorer.exe explorer.exe PID 4204 wrote to memory of 4288 4204 iexplorer.exe explorer.exe PID 2516 wrote to memory of 4416 2516 SERVER.EXE WinMail.exe PID 2516 wrote to memory of 4416 2516 SERVER.EXE WinMail.exe PID 2516 wrote to memory of 4416 2516 SERVER.EXE WinMail.exe PID 4416 wrote to memory of 4436 4416 WinMail.exe WinMail.exe PID 4416 wrote to memory of 4436 4416 WinMail.exe WinMail.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
SERVER.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 4124 attrib.exe 4164 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe"C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Views/modifies file attributes
-
C:\Users\Admin\Documents\MSDCSC\iexplorer.exe"C:\Users\Admin\Documents\MSDCSC\iexplorer.exe"3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
-
C:\Windows\SysWOW64\net.exenet stop security center3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop security center4⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXEMD5
d0f41de7eda6ce2fb63d6c5ac6001fcb
SHA116abb264aa6b79af9223ae6d7aa81339ca162b5e
SHA256be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061
SHA512d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83
-
C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXEMD5
d0f41de7eda6ce2fb63d6c5ac6001fcb
SHA116abb264aa6b79af9223ae6d7aa81339ca162b5e
SHA256be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061
SHA512d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83
-
C:\Users\Admin\AppData\Local\Temp\SERVER.EXEMD5
a454bd820334bca76e08d2c7cb098a4d
SHA1b18d57bce32f06eb79f9b47e8005d27f8a3dd409
SHA256e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91
SHA512519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2
-
C:\Users\Admin\AppData\Local\Temp\SERVER.EXEMD5
a454bd820334bca76e08d2c7cb098a4d
SHA1b18d57bce32f06eb79f9b47e8005d27f8a3dd409
SHA256e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91
SHA512519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2
-
C:\Users\Admin\Documents\MSDCSC\iexplorer.exeMD5
d0f41de7eda6ce2fb63d6c5ac6001fcb
SHA116abb264aa6b79af9223ae6d7aa81339ca162b5e
SHA256be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061
SHA512d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83
-
C:\Users\Admin\Documents\MSDCSC\iexplorer.exeMD5
d0f41de7eda6ce2fb63d6c5ac6001fcb
SHA116abb264aa6b79af9223ae6d7aa81339ca162b5e
SHA256be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061
SHA512d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83
-
memory/1444-124-0x0000000000000000-mapping.dmp
-
memory/1868-130-0x0000000000000000-mapping.dmp
-
memory/2244-131-0x0000000000000000-mapping.dmp
-
memory/2248-115-0x0000000000000000-mapping.dmp
-
memory/2248-127-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB
-
memory/2516-118-0x0000000000000000-mapping.dmp
-
memory/3272-125-0x0000000000000000-mapping.dmp
-
memory/3740-123-0x0000000000000000-mapping.dmp
-
memory/3812-126-0x0000000000000000-mapping.dmp
-
memory/3848-129-0x0000000000000000-mapping.dmp
-
memory/3864-128-0x0000000000000000-mapping.dmp
-
memory/4124-132-0x0000000000000000-mapping.dmp
-
memory/4164-133-0x0000000000000000-mapping.dmp
-
memory/4184-134-0x0000000000000000-mapping.dmp
-
memory/4204-135-0x0000000000000000-mapping.dmp
-
memory/4204-138-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/4416-139-0x0000000000000000-mapping.dmp
-
memory/4436-140-0x0000000000000000-mapping.dmp