Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  Resource: win10v2004-20220812-en
General
Target: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Size: 347KB
MD5: eefcea17c245d722fcfe515970a99b24
SHA1: 100f1fa0224e1ae4b79fb661e29a7b22cf0e47fa
SHA256: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500
SHA512: 23c08bc35f8e3c6e28173f0e6eadabe11638e40c3ec68ef0a6448a70739d340d29a3c3b75f887ed7aa807cfe40cc78b34c1f040fffa51cea87ba14553d4e08bb
SSDEEP: 6144:CUPCHaSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JC5mfT4Neu:G62GiGMBHqhYOJONtMCesfXlKXk7A
Malware Config
Extracted
darkcomet
13.07.12 Crypter
leetaka1337.no-ip.org:1604
DC_MUTEX-JFX5RP1
InstallPath: MSDCSC\winhost.exe
gencode: lCnq6VNbar2M
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe" (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
Executes dropped EXE 3 IoCs
Processes: STUB.EXE, winhost.exe, winhost.exe
pid 1732: STUB.EXE
pid 784: winhost.exe
pid 1396: winhost.exe
Processes:
resource: yara_rule
behavioral1/memory/1748-57-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-59-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-60-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-62-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-65-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-66-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
behavioral1/memory/1748-67-0x0000000000400000-0x00000000004C2000-memory.dmp: upx
Loads dropped DLL 4 IoCs
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
pid 1748: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
pid 1748: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
pid 1748: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
pid 1748: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe" (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
Drops file in System32 directory 3 IoCs
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
File created: C:\Windows\SysWOW64\MSDCSC\winhost.exe (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
File opened for modification: C:\Windows\SysWOW64\MSDCSC\winhost.exe (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, winhost.exe
PID 1812 set thread context of 1748 (pid: 1812, process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, target process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
PID 784 set thread context of 1396 (pid: 784, process: winhost.exe, target process: winhost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: winhost.exe
pid 1396: winhost.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: winhost.exe
pid 1396: winhost.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Local\Temp\STUB.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
      - Executes dropped EXE

    [level 3] C:\Windows\SysWOW64\MSDCSC\winhost.exe
      Command line: "C:\Windows\system32\MSDCSC\winhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Windows\SysWOW64\MSDCSC\winhost.exe
        Command line: C:\Windows\SysWOW64\MSDCSC\winhost.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\STUB.EXE
Filesize: 47KB
MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
-
C:\Windows\SysWOW64\MSDCSC\winhost.exe
Filesize: 347KB
MD5: eefcea17c245d722fcfe515970a99b24
SHA1: 100f1fa0224e1ae4b79fb661e29a7b22cf0e47fa
SHA256: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500
SHA512: 23c08bc35f8e3c6e28173f0e6eadabe11638e40c3ec68ef0a6448a70739d340d29a3c3b75f887ed7aa807cfe40cc78b34c1f040fffa51cea87ba14553d4e08bb