Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 08:01
General
-
Target
PO21019612.exe
-
Size
2.0MB
-
MD5
72729cee30402c13712d1522aef2974b
-
SHA1
5e24a49c70260a8cb42469dc41bb6b5f2557ec50
-
SHA256
70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
-
SHA512
16aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
SSDEEP
49152:FXQBFvAF1FMSNqZVIx9RcRK1HsWYnowZm:FeFIFCG9RcRK2Pntm
Malware Config
Extracted
darkcomet
MARCH 2023
mjosh6995.ddns.net:1754
DC_MUTEX-D2P1SDG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
vlwkQZyi3NSt
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
chrome
Extracted
nanocore
1.2.2.0
mjosh6995.ddns.net:2023
lisajennyjohn.ddns.net:2023
a7795112-1a95-404c-bdfa-d35dc6f40a46
-
activate_away_mode
false
-
backup_connection_host
lisajennyjohn.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-12-22T21:54:57.028602236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2023
-
default_group
MARCH 2023
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
a7795112-1a95-404c-bdfa-d35dc6f40a46
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mjosh6995.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SZSALrLiZcPqvl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZSALrLiZcPqvl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SZSALrLiZcPqvl.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZSALrLiZcPqvl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF345.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\tmp13A.tmpFilesize
1KB
MD5613fb497fd7ac37a51fadaa2bef33d52
SHA191c2b38d13d396d017f4ae911fe9a7f7cbf66b54
SHA2560df202bc5fc5691ab21b8fb0288a673a6e9420948d15155178438125941f2282
SHA5125503dd68d983433294949f87aef8c65a3610e5abb1e8a8c461be72b756cbb5d98063085d723ab76648babb1dba4336bf605f9e4fde67c75a04ffdcbc80eee007
-
C:\Users\Admin\AppData\Local\Temp\tmpF345.tmpFilesize
1KB
MD5613fb497fd7ac37a51fadaa2bef33d52
SHA191c2b38d13d396d017f4ae911fe9a7f7cbf66b54
SHA2560df202bc5fc5691ab21b8fb0288a673a6e9420948d15155178438125941f2282
SHA5125503dd68d983433294949f87aef8c65a3610e5abb1e8a8c461be72b756cbb5d98063085d723ab76648babb1dba4336bf605f9e4fde67c75a04ffdcbc80eee007
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WE1UDR9UK16HYK6G7O02.tempFilesize
7KB
MD5c1e029a770a52248f8d08354025fd0c1
SHA132bdb856fbafbb7e9e91639d97bf325e71831fb9
SHA256274ea5bf755f4990c3d5b969c2f27065002cb10855fcc0596cec64c99262f67f
SHA512728412df296cd15dda5fc1622136e8ce284e55dd04920431ae836af69e1a6d92a9fcd1a42191dad5200bea7ab15a7805fba6006042cfce4e9d4e427fd21d005e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5c1e029a770a52248f8d08354025fd0c1
SHA132bdb856fbafbb7e9e91639d97bf325e71831fb9
SHA256274ea5bf755f4990c3d5b969c2f27065002cb10855fcc0596cec64c99262f67f
SHA512728412df296cd15dda5fc1622136e8ce284e55dd04920431ae836af69e1a6d92a9fcd1a42191dad5200bea7ab15a7805fba6006042cfce4e9d4e427fd21d005e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5c1e029a770a52248f8d08354025fd0c1
SHA132bdb856fbafbb7e9e91639d97bf325e71831fb9
SHA256274ea5bf755f4990c3d5b969c2f27065002cb10855fcc0596cec64c99262f67f
SHA512728412df296cd15dda5fc1622136e8ce284e55dd04920431ae836af69e1a6d92a9fcd1a42191dad5200bea7ab15a7805fba6006042cfce4e9d4e427fd21d005e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5c1e029a770a52248f8d08354025fd0c1
SHA132bdb856fbafbb7e9e91639d97bf325e71831fb9
SHA256274ea5bf755f4990c3d5b969c2f27065002cb10855fcc0596cec64c99262f67f
SHA512728412df296cd15dda5fc1622136e8ce284e55dd04920431ae836af69e1a6d92a9fcd1a42191dad5200bea7ab15a7805fba6006042cfce4e9d4e427fd21d005e
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
memory/276-129-0x00000000001E0000-0x00000000003DA000-memory.dmpFilesize
2.0MB
-
memory/276-130-0x0000000005020000-0x0000000005060000-memory.dmpFilesize
256KB
-
memory/604-80-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-104-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-79-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-77-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-87-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-74-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-84-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-83-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/604-78-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-75-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-76-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-81-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/604-109-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/604-131-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/612-107-0x00000000025D0000-0x0000000002610000-memory.dmpFilesize
256KB
-
memory/612-86-0x00000000025D0000-0x0000000002610000-memory.dmpFilesize
256KB
-
memory/612-89-0x00000000025D0000-0x0000000002610000-memory.dmpFilesize
256KB
-
memory/648-105-0x00000000024A0000-0x00000000024E0000-memory.dmpFilesize
256KB
-
memory/648-88-0x00000000024A0000-0x00000000024E0000-memory.dmpFilesize
256KB
-
memory/648-85-0x00000000024A0000-0x00000000024E0000-memory.dmpFilesize
256KB
-
memory/808-156-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/808-162-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-193-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-191-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-190-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-160-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-161-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/808-166-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/808-163-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1468-189-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/1616-122-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/1616-106-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1652-192-0x0000000000620000-0x0000000000660000-memory.dmpFilesize
256KB
-
memory/1712-165-0x0000000002740000-0x0000000002780000-memory.dmpFilesize
256KB
-
memory/1712-164-0x0000000002740000-0x0000000002780000-memory.dmpFilesize
256KB
-
memory/2024-72-0x0000000004830000-0x0000000004836000-memory.dmpFilesize
24KB
-
memory/2024-56-0x00000000009D0000-0x00000000009EA000-memory.dmpFilesize
104KB
-
memory/2024-55-0x00000000008A0000-0x00000000008E0000-memory.dmpFilesize
256KB
-
memory/2024-57-0x00000000008A0000-0x00000000008E0000-memory.dmpFilesize
256KB
-
memory/2024-58-0x00000000009B0000-0x00000000009BC000-memory.dmpFilesize
48KB
-
memory/2024-59-0x0000000005A70000-0x0000000005BCE000-memory.dmpFilesize
1.4MB
-
memory/2024-54-0x0000000000C20000-0x0000000000E1A000-memory.dmpFilesize
2.0MB
-
memory/2024-73-0x0000000005590000-0x0000000005678000-memory.dmpFilesize
928KB