Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2024 15:02
Behavioral task
behavioral1
Sample
e1f41131a5909b59e2126a98b5a15139.exe
Resource
win7-20240221-en
General
-
Target
e1f41131a5909b59e2126a98b5a15139.exe
-
Size
807KB
-
MD5
e1f41131a5909b59e2126a98b5a15139
-
SHA1
407ebacb446a1eb6e688b5f4a2290c12d9dc7a31
-
SHA256
14d44c2ac475e13bbe43de5ac7e1bd3ffb45c4d7886d4429949ab57e7eefaa98
-
SHA512
08e1ee1ba8ff96cfaf024e35dd43110eb42ab95d8ec4fbcd8adbfcb330bf5afc70c1a48d0ffe48bcaf8c76e3d2a0ca18911e30b79a9a92d9c6ca10235e140e10
-
SSDEEP
12288:HepGUR5k59o1Ihp13OnTPsmhZ9RE5pHUk7vL6vgxOu6oy8w/F/Kk9tfo:6H5kTOIhgTPs09RE7HUGXwEM/Ft9tg
Malware Config
Extracted
darkcomet
Guest16
amanj.no-ip.biz:1604
DC_MUTEX-NEE0M4Q
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
qXkrSF0LD23D
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
e1f41131a5909b59e2126a98b5a15139.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" e1f41131a5909b59e2126a98b5a15139.exe -
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
msdcsc.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e1f41131a5909b59e2126a98b5a15139.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation e1f41131a5909b59e2126a98b5a15139.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 1436 notepad.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 4664 msdcsc.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 568 MsiExec.exe 568 MsiExec.exe -
Processes:
resource yara_rule behavioral2/memory/2084-0-0x0000000000400000-0x00000000005DD000-memory.dmp upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx behavioral2/memory/2084-80-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-82-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-83-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-84-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-85-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-86-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-87-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-89-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-90-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-91-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-92-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-93-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-94-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-95-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-96-0x0000000000400000-0x00000000005DD000-memory.dmp upx behavioral2/memory/4664-97-0x0000000000400000-0x00000000005DD000-memory.dmp upx -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
e1f41131a5909b59e2126a98b5a15139.exemsdcsc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" e1f41131a5909b59e2126a98b5a15139.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
e1f41131a5909b59e2126a98b5a15139.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings e1f41131a5909b59e2126a98b5a15139.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ e1f41131a5909b59e2126a98b5a15139.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid process 4664 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e1f41131a5909b59e2126a98b5a15139.exemsiexec.exemsiexec.exedescription pid process Token: SeIncreaseQuotaPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeSecurityPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeTakeOwnershipPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeLoadDriverPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeSystemProfilePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeSystemtimePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeProfSingleProcessPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeIncBasePriorityPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeCreatePagefilePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeBackupPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeRestorePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeShutdownPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeDebugPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeSystemEnvironmentPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeChangeNotifyPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeRemoteShutdownPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeUndockPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeManageVolumePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeImpersonatePrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeCreateGlobalPrivilege 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: 33 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: 34 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: 35 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: 36 2084 e1f41131a5909b59e2126a98b5a15139.exe Token: SeShutdownPrivilege 2364 msiexec.exe Token: SeIncreaseQuotaPrivilege 2364 msiexec.exe Token: SeSecurityPrivilege 2268 msiexec.exe Token: SeCreateTokenPrivilege 2364 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2364 msiexec.exe Token: SeLockMemoryPrivilege 2364 msiexec.exe Token: SeIncreaseQuotaPrivilege 2364 msiexec.exe Token: SeMachineAccountPrivilege 2364 msiexec.exe Token: SeTcbPrivilege 2364 msiexec.exe Token: SeSecurityPrivilege 2364 msiexec.exe Token: SeTakeOwnershipPrivilege 2364 msiexec.exe Token: SeLoadDriverPrivilege 2364 msiexec.exe Token: SeSystemProfilePrivilege 2364 msiexec.exe Token: SeSystemtimePrivilege 2364 msiexec.exe Token: SeProfSingleProcessPrivilege 2364 msiexec.exe Token: SeIncBasePriorityPrivilege 2364 msiexec.exe Token: SeCreatePagefilePrivilege 2364 msiexec.exe Token: SeCreatePermanentPrivilege 2364 msiexec.exe Token: SeBackupPrivilege 2364 msiexec.exe Token: SeRestorePrivilege 2364 msiexec.exe Token: SeShutdownPrivilege 2364 msiexec.exe Token: SeDebugPrivilege 2364 msiexec.exe Token: SeAuditPrivilege 2364 msiexec.exe Token: SeSystemEnvironmentPrivilege 2364 msiexec.exe Token: SeChangeNotifyPrivilege 2364 msiexec.exe Token: SeRemoteShutdownPrivilege 2364 msiexec.exe Token: SeUndockPrivilege 2364 msiexec.exe Token: SeSyncAgentPrivilege 2364 msiexec.exe Token: SeEnableDelegationPrivilege 2364 msiexec.exe Token: SeManageVolumePrivilege 2364 msiexec.exe Token: SeImpersonatePrivilege 2364 msiexec.exe Token: SeCreateGlobalPrivilege 2364 msiexec.exe Token: SeCreateTokenPrivilege 2364 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2364 msiexec.exe Token: SeLockMemoryPrivilege 2364 msiexec.exe Token: SeIncreaseQuotaPrivilege 2364 msiexec.exe Token: SeMachineAccountPrivilege 2364 msiexec.exe Token: SeTcbPrivilege 2364 msiexec.exe Token: SeSecurityPrivilege 2364 msiexec.exe Token: SeTakeOwnershipPrivilege 2364 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 2364 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 4664 msdcsc.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
e1f41131a5909b59e2126a98b5a15139.exemsiexec.exemsdcsc.exedescription pid process target process PID 2084 wrote to memory of 2364 2084 e1f41131a5909b59e2126a98b5a15139.exe msiexec.exe PID 2084 wrote to memory of 2364 2084 e1f41131a5909b59e2126a98b5a15139.exe msiexec.exe PID 2084 wrote to memory of 2364 2084 e1f41131a5909b59e2126a98b5a15139.exe msiexec.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2084 wrote to memory of 1436 2084 e1f41131a5909b59e2126a98b5a15139.exe notepad.exe PID 2268 wrote to memory of 568 2268 msiexec.exe MsiExec.exe PID 2268 wrote to memory of 568 2268 msiexec.exe MsiExec.exe PID 2268 wrote to memory of 568 2268 msiexec.exe MsiExec.exe PID 2084 wrote to memory of 4664 2084 e1f41131a5909b59e2126a98b5a15139.exe msdcsc.exe PID 2084 wrote to memory of 4664 2084 e1f41131a5909b59e2126a98b5a15139.exe msdcsc.exe PID 2084 wrote to memory of 4664 2084 e1f41131a5909b59e2126a98b5a15139.exe msdcsc.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe PID 4664 wrote to memory of 1084 4664 msdcsc.exe notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1f41131a5909b59e2126a98b5a15139.exe"C:\Users\Admin\AppData\Local\Temp\e1f41131a5909b59e2126a98b5a15139.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\POOL5.0 SETUP.MSI"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6A13D1E41B3EA56BEDCDBDE8D18373C8 C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI7407.tmpFilesize
231KB
MD50a2626fc9e4e0ca18386c029e9efffd9
SHA1ac5576497afac2456f485cdb14bf52d895769651
SHA25697a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3
SHA51240b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da
-
C:\Users\Admin\AppData\Local\Temp\POOL5.0 SETUP.MSIFilesize
914KB
MD5af4969ab784240fedaf4e45848493844
SHA1f485db967765bf6d0a8340555371727c2da47c67
SHA2562b1f51b8c023d74ff9078dcd30b89777345d9154cd2a14e6c4b69252e24165fc
SHA512f274b05449588fef86a5ad9eda42a9a4cc83479502d8e03b82209e27dd5b44751b4f4e8ab1702f0f00d49211ee60c61dfab319c28e8c33f02e1f02607cea7dd3
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
807KB
MD5e1f41131a5909b59e2126a98b5a15139
SHA1407ebacb446a1eb6e688b5f4a2290c12d9dc7a31
SHA25614d44c2ac475e13bbe43de5ac7e1bd3ffb45c4d7886d4429949ab57e7eefaa98
SHA51208e1ee1ba8ff96cfaf024e35dd43110eb42ab95d8ec4fbcd8adbfcb330bf5afc70c1a48d0ffe48bcaf8c76e3d2a0ca18911e30b79a9a92d9c6ca10235e140e10
-
memory/1084-79-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1436-10-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/2084-80-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/2084-1-0x0000000002620000-0x0000000002621000-memory.dmpFilesize
4KB
-
memory/2084-0-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-85-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-89-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-83-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-84-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-78-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/4664-86-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-87-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-82-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-90-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-91-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-92-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-93-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-94-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-95-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-96-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB
-
memory/4664-97-0x0000000000400000-0x00000000005DD000-memory.dmpFilesize
1.9MB