Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
14-03-2023 08:01
General
-
Target
PO21019612.exe
-
Size
2.0MB
-
MD5
72729cee30402c13712d1522aef2974b
-
SHA1
5e24a49c70260a8cb42469dc41bb6b5f2557ec50
-
SHA256
70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
-
SHA512
16aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
SSDEEP
49152:FXQBFvAF1FMSNqZVIx9RcRK1HsWYnowZm:FeFIFCG9RcRK2Pntm
Malware Config
Extracted
darkcomet
MARCH 2023
mjosh6995.ddns.net:1754
DC_MUTEX-D2P1SDG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
vlwkQZyi3NSt
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
chrome
Extracted
nanocore
1.2.2.0
mjosh6995.ddns.net:2023
lisajennyjohn.ddns.net:2023
a7795112-1a95-404c-bdfa-d35dc6f40a46
-
activate_away_mode
false
-
backup_connection_host
lisajennyjohn.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-12-22T21:54:57.028602236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2023
-
default_group
MARCH 2023
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
a7795112-1a95-404c-bdfa-d35dc6f40a46
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mjosh6995.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SZSALrLiZcPqvl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZSALrLiZcPqvl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C6A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"C:\Users\Admin\AppData\Local\Temp\PO21019612.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\PO21019612.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SZSALrLiZcPqvl.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZSALrLiZcPqvl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3795.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD535b3413a0229d396ccb902113a3bdc65
SHA168e541fe674b4800eba6a026e0f8d53b235ea697
SHA2566cd7334364a7b746bc4548e3d9bbfc9af893b0760fd21594b5f04265d377cb8b
SHA51282157ae783e12e01561edb157711c703e3eaf5a7f30295ae1339bdac9a60996c6fcc3280e3fd6ade1af4c7398526e59f655e3aa6511c964fccb965b594d0539a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD535b3413a0229d396ccb902113a3bdc65
SHA168e541fe674b4800eba6a026e0f8d53b235ea697
SHA2566cd7334364a7b746bc4548e3d9bbfc9af893b0760fd21594b5f04265d377cb8b
SHA51282157ae783e12e01561edb157711c703e3eaf5a7f30295ae1339bdac9a60996c6fcc3280e3fd6ade1af4c7398526e59f655e3aa6511c964fccb965b594d0539a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5abddd94c56865fae5f5effa356191351
SHA1931eaa5fe9f30729900d35fae79b66e79f5ac55f
SHA2569cce1dc9eada773bd003523b316e840972a437f8b8c5acfa045c5c2c85b74058
SHA5123b05d3cd1fd61160eac35cbee5a37a0f0e0cd2e13e3eb280083ac08ea04cec78a0aa2b0f13a31b56ecebc5ded5238ab1dacdfae6dd1b9f0f822d5fd44a232d88
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\MARCH STUB.EXEFilesize
202KB
MD593f8ecd07909f71d55f6cdc163395503
SHA15e1d71119d8911d697120fdf07c5d7c52a335028
SHA256bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
SHA512bfbb0afeb2b0cfcd039fc0016d647500ff9a2e93bdaedc80147aa86cb0ea994b56dad10ad80d126332fd9c4850a011db3a20e8a2ca6ca67365970dc4e9b89af4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmlnc12i.sgl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp3795.tmpFilesize
1KB
MD56e48d3f11670805752a0349bf7521755
SHA1cd51679ad0d3e9e40412aef41873ddb5416903b1
SHA2562276989004bc426b641a46f32a9bda222f44e6533214b82b48f9e189212dc4d4
SHA512e7a541895272e61a11f78d96e09dc2f31e8c80424d0a39d531ce846b02ceb2e52e7892941d96d5599a2dae08afa411c0a36a72e4418dadd9b2b990b5a29cc3b4
-
C:\Users\Admin\AppData\Local\Temp\tmp4C6A.tmpFilesize
1KB
MD56e48d3f11670805752a0349bf7521755
SHA1cd51679ad0d3e9e40412aef41873ddb5416903b1
SHA2562276989004bc426b641a46f32a9bda222f44e6533214b82b48f9e189212dc4d4
SHA512e7a541895272e61a11f78d96e09dc2f31e8c80424d0a39d531ce846b02ceb2e52e7892941d96d5599a2dae08afa411c0a36a72e4418dadd9b2b990b5a29cc3b4
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
2.0MB
MD572729cee30402c13712d1522aef2974b
SHA15e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA25670cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA51216aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
-
memory/1328-185-0x0000000002E90000-0x0000000002E91000-memory.dmpFilesize
4KB
-
memory/1328-172-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1328-173-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1328-175-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1328-282-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1328-180-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/1384-294-0x0000000000D50000-0x0000000000D60000-memory.dmpFilesize
64KB
-
memory/1384-293-0x0000000000D50000-0x0000000000D60000-memory.dmpFilesize
64KB
-
memory/1384-242-0x0000000000D50000-0x0000000000D60000-memory.dmpFilesize
64KB
-
memory/1384-240-0x0000000000D50000-0x0000000000D60000-memory.dmpFilesize
64KB
-
memory/1512-285-0x0000000007240000-0x000000000724E000-memory.dmpFilesize
56KB
-
memory/1512-256-0x00000000062C0000-0x00000000062DE000-memory.dmpFilesize
120KB
-
memory/1512-150-0x0000000004CD0000-0x0000000004D36000-memory.dmpFilesize
408KB
-
memory/1512-153-0x00000000056A0000-0x0000000005706000-memory.dmpFilesize
408KB
-
memory/1512-151-0x0000000004880000-0x0000000004890000-memory.dmpFilesize
64KB
-
memory/1512-283-0x0000000007290000-0x0000000007326000-memory.dmpFilesize
600KB
-
memory/1512-178-0x0000000005D10000-0x0000000005D2E000-memory.dmpFilesize
120KB
-
memory/1512-243-0x0000000004880000-0x0000000004890000-memory.dmpFilesize
64KB
-
memory/1512-152-0x0000000004880000-0x0000000004890000-memory.dmpFilesize
64KB
-
memory/1512-245-0x00000000713E0000-0x000000007142C000-memory.dmpFilesize
304KB
-
memory/1512-280-0x000000007F3D0000-0x000000007F3E0000-memory.dmpFilesize
64KB
-
memory/1512-287-0x0000000007330000-0x0000000007338000-memory.dmpFilesize
32KB
-
memory/1512-278-0x0000000007080000-0x000000000708A000-memory.dmpFilesize
40KB
-
memory/1512-276-0x0000000007650000-0x0000000007CCA000-memory.dmpFilesize
6.5MB
-
memory/2112-189-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/2212-329-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-325-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-322-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/2212-323-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-352-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-320-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-353-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/2212-362-0x0000000000400000-0x00000000004EC000-memory.dmpFilesize
944KB
-
memory/3164-144-0x0000000002A90000-0x0000000002AC6000-memory.dmpFilesize
216KB
-
memory/3164-277-0x00000000076C0000-0x00000000076DA000-memory.dmpFilesize
104KB
-
memory/3164-241-0x0000000002BA0000-0x0000000002BB0000-memory.dmpFilesize
64KB
-
memory/3164-147-0x0000000002BA0000-0x0000000002BB0000-memory.dmpFilesize
64KB
-
memory/3164-148-0x0000000002BA0000-0x0000000002BB0000-memory.dmpFilesize
64KB
-
memory/3164-244-0x0000000006990000-0x00000000069C2000-memory.dmpFilesize
200KB
-
memory/3164-246-0x00000000713E0000-0x000000007142C000-memory.dmpFilesize
304KB
-
memory/3164-145-0x00000000055D0000-0x0000000005BF8000-memory.dmpFilesize
6.2MB
-
memory/3164-149-0x0000000005300000-0x0000000005322000-memory.dmpFilesize
136KB
-
memory/3164-286-0x0000000007A00000-0x0000000007A1A000-memory.dmpFilesize
104KB
-
memory/3164-279-0x000000007F420000-0x000000007F430000-memory.dmpFilesize
64KB
-
memory/3540-354-0x0000000000F80000-0x0000000000F90000-memory.dmpFilesize
64KB
-
memory/3756-328-0x0000000002670000-0x0000000002680000-memory.dmpFilesize
64KB
-
memory/3756-341-0x0000000070DD0000-0x0000000070E1C000-memory.dmpFilesize
304KB
-
memory/3756-327-0x0000000002670000-0x0000000002680000-memory.dmpFilesize
64KB
-
memory/3756-356-0x0000000002670000-0x0000000002680000-memory.dmpFilesize
64KB
-
memory/4532-281-0x00000000055B0000-0x00000000055C0000-memory.dmpFilesize
64KB
-
memory/4532-295-0x00000000055B0000-0x00000000055C0000-memory.dmpFilesize
64KB
-
memory/4784-351-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/4868-324-0x0000000004760000-0x0000000004770000-memory.dmpFilesize
64KB
-
memory/4868-331-0x0000000070DD0000-0x0000000070E1C000-memory.dmpFilesize
304KB
-
memory/4868-326-0x0000000004760000-0x0000000004770000-memory.dmpFilesize
64KB
-
memory/4868-357-0x000000007F6F0000-0x000000007F700000-memory.dmpFilesize
64KB
-
memory/4868-355-0x0000000004760000-0x0000000004770000-memory.dmpFilesize
64KB
-
memory/4988-135-0x0000000004C80000-0x0000000004D12000-memory.dmpFilesize
584KB
-
memory/4988-137-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/4988-136-0x0000000004C60000-0x0000000004C6A000-memory.dmpFilesize
40KB
-
memory/4988-138-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/4988-133-0x00000000000B0000-0x00000000002AA000-memory.dmpFilesize
2.0MB
-
memory/4988-134-0x0000000005230000-0x00000000057D4000-memory.dmpFilesize
5.6MB
-
memory/4988-139-0x00000000069D0000-0x0000000006A6C000-memory.dmpFilesize
624KB