Analysis
-
max time kernel
153s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2022 03:25
Static task
static1
Behavioral task
behavioral1
Sample
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
Resource
win7-20220812-en
General
-
Target
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
-
Size
611KB
-
MD5
5c898dd2bc147ffad06ac8362d13614c
-
SHA1
8f8fc1e81ee69b12a06e256d7f0cdceea54d25dd
-
SHA256
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80
-
SHA512
fcfb8dca28fe47b61f2b201ce160854a3c865aa0f049020a2e741df271772d3e0fd71ebb30fa85d2ad80bc3c0dc0c57183a977f5f4082afc4c240c9d6b06b650
-
SSDEEP
12288:LTqSnzWHA+m3S0fapaJehb2qTvxpGrLRRWDyw4tw+Unzyn6PPr:/qSn4mCSJS1v7GPUz4tYun6n
Malware Config
Extracted
darkcomet
Guest16
rattedmyfriend.no-ip.biz:8003
DC_MUTEX-CGVK3FE
-
gencode
Z740hakFenqk
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes:
reg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\interpals.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\interpals.exe:*:Enabled:Windows Messanger" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\applaunch.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe -
Executes dropped EXE 2 IoCs
Processes:
Not crypted server.exeTRISTAN SERVER.EXEpid process 4644 Not crypted server.exe 1552 TRISTAN SERVER.EXE -
Processes:
resource yara_rule behavioral2/memory/4184-139-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/4184-141-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/4184-143-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/4184-142-0x0000000000400000-0x000000000045D000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe upx C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe upx behavioral2/memory/4644-160-0x0000000000400000-0x000000000055B000-memory.dmp upx -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeNot crypted server.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation Not crypted server.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exedescription pid process target process PID 2700 set thread context of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe -
Modifies registry key 1 TTPs 4 IoCs
Processes:
reg.exereg.exereg.exereg.exepid process 4492 reg.exe 3604 reg.exe 4712 reg.exe 4716 reg.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
applaunch.exeNot crypted server.exeTRISTAN SERVER.EXEdescription pid process Token: 1 4184 applaunch.exe Token: SeCreateTokenPrivilege 4184 applaunch.exe Token: SeAssignPrimaryTokenPrivilege 4184 applaunch.exe Token: SeLockMemoryPrivilege 4184 applaunch.exe Token: SeIncreaseQuotaPrivilege 4184 applaunch.exe Token: SeMachineAccountPrivilege 4184 applaunch.exe Token: SeTcbPrivilege 4184 applaunch.exe Token: SeSecurityPrivilege 4184 applaunch.exe Token: SeTakeOwnershipPrivilege 4184 applaunch.exe Token: SeLoadDriverPrivilege 4184 applaunch.exe Token: SeSystemProfilePrivilege 4184 applaunch.exe Token: SeSystemtimePrivilege 4184 applaunch.exe Token: SeProfSingleProcessPrivilege 4184 applaunch.exe Token: SeIncBasePriorityPrivilege 4184 applaunch.exe Token: SeCreatePagefilePrivilege 4184 applaunch.exe Token: SeCreatePermanentPrivilege 4184 applaunch.exe Token: SeBackupPrivilege 4184 applaunch.exe Token: SeRestorePrivilege 4184 applaunch.exe Token: SeShutdownPrivilege 4184 applaunch.exe Token: SeDebugPrivilege 4184 applaunch.exe Token: SeAuditPrivilege 4184 applaunch.exe Token: SeSystemEnvironmentPrivilege 4184 applaunch.exe Token: SeChangeNotifyPrivilege 4184 applaunch.exe Token: SeRemoteShutdownPrivilege 4184 applaunch.exe Token: SeUndockPrivilege 4184 applaunch.exe Token: SeSyncAgentPrivilege 4184 applaunch.exe Token: SeEnableDelegationPrivilege 4184 applaunch.exe Token: SeManageVolumePrivilege 4184 applaunch.exe Token: SeImpersonatePrivilege 4184 applaunch.exe Token: SeCreateGlobalPrivilege 4184 applaunch.exe Token: 31 4184 applaunch.exe Token: 32 4184 applaunch.exe Token: 33 4184 applaunch.exe Token: 34 4184 applaunch.exe Token: 35 4184 applaunch.exe Token: SeIncreaseQuotaPrivilege 4644 Not crypted server.exe Token: SeSecurityPrivilege 4644 Not crypted server.exe Token: SeTakeOwnershipPrivilege 4644 Not crypted server.exe Token: SeLoadDriverPrivilege 4644 Not crypted server.exe Token: SeSystemProfilePrivilege 4644 Not crypted server.exe Token: SeSystemtimePrivilege 4644 Not crypted server.exe Token: SeProfSingleProcessPrivilege 4644 Not crypted server.exe Token: SeIncBasePriorityPrivilege 4644 Not crypted server.exe Token: SeCreatePagefilePrivilege 4644 Not crypted server.exe Token: SeBackupPrivilege 4644 Not crypted server.exe Token: SeRestorePrivilege 4644 Not crypted server.exe Token: SeShutdownPrivilege 4644 Not crypted server.exe Token: SeDebugPrivilege 4644 Not crypted server.exe Token: SeSystemEnvironmentPrivilege 4644 Not crypted server.exe Token: SeChangeNotifyPrivilege 4644 Not crypted server.exe Token: SeRemoteShutdownPrivilege 4644 Not crypted server.exe Token: SeUndockPrivilege 4644 Not crypted server.exe Token: SeManageVolumePrivilege 4644 Not crypted server.exe Token: SeImpersonatePrivilege 4644 Not crypted server.exe Token: SeCreateGlobalPrivilege 4644 Not crypted server.exe Token: 33 4644 Not crypted server.exe Token: 34 4644 Not crypted server.exe Token: 35 4644 Not crypted server.exe Token: 36 4644 Not crypted server.exe Token: SeIncreaseQuotaPrivilege 1552 TRISTAN SERVER.EXE Token: SeSecurityPrivilege 1552 TRISTAN SERVER.EXE Token: SeTakeOwnershipPrivilege 1552 TRISTAN SERVER.EXE Token: SeLoadDriverPrivilege 1552 TRISTAN SERVER.EXE Token: SeSystemProfilePrivilege 1552 TRISTAN SERVER.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
applaunch.exeTRISTAN SERVER.EXENot crypted server.exepid process 4184 applaunch.exe 4184 applaunch.exe 4184 applaunch.exe 1552 TRISTAN SERVER.EXE 4644 Not crypted server.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exeapplaunch.execmd.execmd.execmd.execmd.exeNot crypted server.exedescription pid process target process PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 2700 wrote to memory of 4184 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe applaunch.exe PID 4184 wrote to memory of 776 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 776 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 776 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 3132 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 3132 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 3132 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2832 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2832 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2832 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2848 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2848 4184 applaunch.exe cmd.exe PID 4184 wrote to memory of 2848 4184 applaunch.exe cmd.exe PID 2848 wrote to memory of 4716 2848 cmd.exe reg.exe PID 2848 wrote to memory of 4716 2848 cmd.exe reg.exe PID 2848 wrote to memory of 4716 2848 cmd.exe reg.exe PID 776 wrote to memory of 4712 776 cmd.exe reg.exe PID 776 wrote to memory of 4712 776 cmd.exe reg.exe PID 776 wrote to memory of 4712 776 cmd.exe reg.exe PID 2832 wrote to memory of 3604 2832 cmd.exe reg.exe PID 2832 wrote to memory of 3604 2832 cmd.exe reg.exe PID 2832 wrote to memory of 3604 2832 cmd.exe reg.exe PID 3132 wrote to memory of 4492 3132 cmd.exe reg.exe PID 3132 wrote to memory of 4492 3132 cmd.exe reg.exe PID 3132 wrote to memory of 4492 3132 cmd.exe reg.exe PID 2700 wrote to memory of 3192 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe WScript.exe PID 2700 wrote to memory of 3192 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe WScript.exe PID 2700 wrote to memory of 3192 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe WScript.exe PID 2700 wrote to memory of 4644 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe Not crypted server.exe PID 2700 wrote to memory of 4644 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe Not crypted server.exe PID 2700 wrote to memory of 4644 2700 e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe Not crypted server.exe PID 4644 wrote to memory of 1552 4644 Not crypted server.exe TRISTAN SERVER.EXE PID 4644 wrote to memory of 1552 4644 Not crypted server.exe TRISTAN SERVER.EXE PID 4644 wrote to memory of 1552 4644 Not crypted server.exe TRISTAN SERVER.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe"C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE"C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exeFilesize
419KB
MD5108c042c7a7d40744942dad445481774
SHA14a03259aa4599c027f12da0d3379216496ef0655
SHA256ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb
SHA512c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f
-
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exeFilesize
419KB
MD5108c042c7a7d40744942dad445481774
SHA14a03259aa4599c027f12da0d3379216496ef0655
SHA256ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb
SHA512c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f
-
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXEFilesize
658KB
MD590050eb20b33f4f0155a98008aee0bf7
SHA13047729097f0979e87b1403333c384ae4e5c645c
SHA256b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60
SHA51280c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe
-
C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXEFilesize
658KB
MD590050eb20b33f4f0155a98008aee0bf7
SHA13047729097f0979e87b1403333c384ae4e5c645c
SHA256b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60
SHA51280c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe
-
C:\Users\Admin\AppData\Local\Temp\cwKCo.vbsFilesize
394B
MD5f52500f8ed2a5563b54286f1127195a4
SHA1ce3615fffedcad20d348e7a501f68f61c8da186b
SHA2561e4f06a679a3fac8a4b667bad3a4b3a728cc611f2db9988e85ca6f9acded8104
SHA512e94ee1d6c6d00c873f8f73b4b7acb1b3e95a3278f08851465d32ce560bb29cc158b0e861b57045fb14c25e1d273c3426f976edf3398153517e586b9ea3d8d9ab
-
memory/776-147-0x0000000000000000-mapping.dmp
-
memory/1552-161-0x0000000000000000-mapping.dmp
-
memory/2700-136-0x0000000005280000-0x000000000528A000-memory.dmpFilesize
40KB
-
memory/2700-137-0x0000000005490000-0x00000000054E6000-memory.dmpFilesize
344KB
-
memory/2700-132-0x0000000000780000-0x0000000000822000-memory.dmpFilesize
648KB
-
memory/2700-135-0x0000000005300000-0x0000000005392000-memory.dmpFilesize
584KB
-
memory/2700-134-0x0000000005810000-0x0000000005DB4000-memory.dmpFilesize
5.6MB
-
memory/2700-133-0x00000000051C0000-0x000000000525C000-memory.dmpFilesize
624KB
-
memory/2832-149-0x0000000000000000-mapping.dmp
-
memory/2848-150-0x0000000000000000-mapping.dmp
-
memory/3132-148-0x0000000000000000-mapping.dmp
-
memory/3192-155-0x0000000000000000-mapping.dmp
-
memory/3604-153-0x0000000000000000-mapping.dmp
-
memory/4184-138-0x0000000000000000-mapping.dmp
-
memory/4184-139-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/4184-141-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/4184-142-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/4184-143-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/4492-154-0x0000000000000000-mapping.dmp
-
memory/4644-160-0x0000000000400000-0x000000000055B000-memory.dmpFilesize
1.4MB
-
memory/4644-156-0x0000000000000000-mapping.dmp
-
memory/4712-152-0x0000000000000000-mapping.dmp
-
memory/4716-151-0x0000000000000000-mapping.dmp