Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
02-07-2024 13:04
General
-
Target
1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
-
Size
748KB
-
MD5
1f68ac4cea5976b8c89dbb2a6a16bf75
-
SHA1
506d7d46319a116e7106c1379423d9ce16b854f9
-
SHA256
9eea21de124f6cca492e675bd88c96edbc0685d772221d8d0b88dbb1967072f3
-
SHA512
cfd134a813aee19a8cc63127a232d09d1beff9f5fcf56a73f3df7b3ba0fb6c2e11d9c37b2e80dd2e7ebb19753d09b7fe7c22f684c6c0eed67369a35e3d7bea1c
-
SSDEEP
12288:dEogJC6YLIWhNdOPzUoHT3pM/hjX3iFGkBpgHSheFlfkYJvh5OznUNv0JuSajV4:dEogIkWhNdO1HT3pMZFkBplMXfk0vhW5
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
darkcomet2013.no-ip.biz:1500
192.168.1.71:1500
Mutex
DC_MUTEX-EL0EZ2Q
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
avRlhtZvzGeQ
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 20 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 18 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 62 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\msdcsc.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\msdcsc.exe10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\msdcsc.exe16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exeC:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe20⤵
- Modifies WinLogon for persistence
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeFilesize
748KB
MD51f68ac4cea5976b8c89dbb2a6a16bf75
SHA1506d7d46319a116e7106c1379423d9ce16b854f9
SHA2569eea21de124f6cca492e675bd88c96edbc0685d772221d8d0b88dbb1967072f3
SHA512cfd134a813aee19a8cc63127a232d09d1beff9f5fcf56a73f3df7b3ba0fb6c2e11d9c37b2e80dd2e7ebb19753d09b7fe7c22f684c6c0eed67369a35e3d7bea1c
-
memory/596-208-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-5-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-9-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-4-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-68-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-3-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/700-2-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/748-417-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1464-645-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1464-643-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1464-644-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1464-641-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1464-647-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2096-278-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2308-488-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2308-425-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3144-10-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/3940-495-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3940-558-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3964-137-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3964-75-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4620-348-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5056-627-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5092-642-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB