Resubmissions
26-12-2022 00:04
221226-acrmcafe2y 1026-12-2022 00:03
221226-acfvvafe2x 1026-12-2022 00:03
221226-ab851acc75 1026-12-2022 00:03
221226-ab3m8afe2w 1026-12-2022 00:02
221226-abs4sacc74 1026-12-2022 00:01
221226-abb59scc72 10Analysis
-
max time kernel
14s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
26-12-2022 00:04
General
-
Target
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
-
Size
1.3MB
-
MD5
e1e945f04fbbeab2efa06d16d21e4c22
-
SHA1
54037b5b03272d255ab875b5791f87902c5b9457
-
SHA256
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
-
SHA512
61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe"C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsm.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe'5⤵
-
C:\Users\Admin\SendTo\Idle.exe"C:\Users\Admin\SendTo\Idle.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51e70334627f1cd70cee45d20ff830719
SHA15d2693fc3cb4dfccaa76e86ee8ea59a3eecbe8af
SHA2561c473e8036cf6e69ffbdeb1554f0f981018aa22b53e14b9ee1847b86e9903448
SHA5124965874cd29ac13abba76c716c9a7acc3a6892d5a8c123b4a965dabec66b4dc31d8aeb48464800b27fddc80c7c147c3ed78aa196e980fee15714b5bad38cb89e
-
C:\providercommon\1zu9dW.batFilesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
C:\providercommon\DllCommonsvc.exeFilesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
C:\providercommon\DllCommonsvc.exeFilesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbeFilesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
\providercommon\DllCommonsvc.exeFilesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
\providercommon\DllCommonsvc.exeFilesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
memory/268-59-0x0000000000000000-mapping.dmp
-
memory/328-77-0x000007FEFC201000-0x000007FEFC203000-memory.dmpFilesize
8KB
-
memory/328-111-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/328-113-0x000000001B820000-0x000000001BB1F000-memory.dmpFilesize
3.0MB
-
memory/328-116-0x00000000022BB000-0x00000000022DA000-memory.dmpFilesize
124KB
-
memory/328-108-0x00000000022B4000-0x00000000022B7000-memory.dmpFilesize
12KB
-
memory/328-71-0x0000000000000000-mapping.dmp
-
memory/328-82-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/528-75-0x0000000000000000-mapping.dmp
-
memory/764-63-0x0000000000000000-mapping.dmp
-
memory/764-69-0x0000000000480000-0x000000000048C000-memory.dmpFilesize
48KB
-
memory/764-68-0x0000000000470000-0x000000000047C000-memory.dmpFilesize
48KB
-
memory/764-67-0x0000000000460000-0x000000000046C000-memory.dmpFilesize
48KB
-
memory/764-66-0x0000000000450000-0x0000000000462000-memory.dmpFilesize
72KB
-
memory/764-65-0x0000000001380000-0x0000000001490000-memory.dmpFilesize
1.1MB
-
memory/948-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1136-105-0x0000000002784000-0x0000000002787000-memory.dmpFilesize
12KB
-
memory/1136-115-0x0000000002784000-0x0000000002787000-memory.dmpFilesize
12KB
-
memory/1136-102-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/1136-114-0x000000000278B000-0x00000000027AA000-memory.dmpFilesize
124KB
-
memory/1136-101-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/1136-78-0x0000000000000000-mapping.dmp
-
memory/1140-55-0x0000000000000000-mapping.dmp
-
memory/1280-97-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/1280-125-0x00000000023CB000-0x00000000023EA000-memory.dmpFilesize
124KB
-
memory/1280-70-0x0000000000000000-mapping.dmp
-
memory/1280-124-0x00000000023C4000-0x00000000023C7000-memory.dmpFilesize
12KB
-
memory/1280-118-0x000000001B890000-0x000000001BB8F000-memory.dmpFilesize
3.0MB
-
memory/1280-109-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/1312-128-0x0000000002404000-0x0000000002407000-memory.dmpFilesize
12KB
-
memory/1312-112-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/1312-119-0x000000001B8A0000-0x000000001BB9F000-memory.dmpFilesize
3.0MB
-
memory/1312-99-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/1312-81-0x0000000000000000-mapping.dmp
-
memory/1312-130-0x000000000240B000-0x000000000242A000-memory.dmpFilesize
124KB
-
memory/1380-73-0x0000000000000000-mapping.dmp
-
memory/1380-107-0x00000000021D4000-0x00000000021D7000-memory.dmpFilesize
12KB
-
memory/1380-126-0x00000000021D4000-0x00000000021D7000-memory.dmpFilesize
12KB
-
memory/1380-127-0x00000000021DB000-0x00000000021FA000-memory.dmpFilesize
124KB
-
memory/1380-104-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/1380-98-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/1380-120-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/1592-121-0x000000001B990000-0x000000001BC8F000-memory.dmpFilesize
3.0MB
-
memory/1592-129-0x00000000028F4000-0x00000000028F7000-memory.dmpFilesize
12KB
-
memory/1592-106-0x00000000028F4000-0x00000000028F7000-memory.dmpFilesize
12KB
-
memory/1592-103-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/1592-100-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/1592-76-0x0000000000000000-mapping.dmp
-
memory/1592-131-0x00000000028FB000-0x000000000291A000-memory.dmpFilesize
124KB
-
memory/1724-74-0x0000000000000000-mapping.dmp
-
memory/2012-123-0x00000000025B4000-0x00000000025B7000-memory.dmpFilesize
12KB
-
memory/2012-117-0x000000001BA00000-0x000000001BCFF000-memory.dmpFilesize
3.0MB
-
memory/2012-122-0x00000000025BB000-0x00000000025DA000-memory.dmpFilesize
124KB
-
memory/2012-110-0x000007FEEBB50000-0x000007FEEC6AD000-memory.dmpFilesize
11.4MB
-
memory/2012-84-0x000007FEEC6B0000-0x000007FEED0D3000-memory.dmpFilesize
10.1MB
-
memory/2012-72-0x0000000000000000-mapping.dmp
-
memory/2184-89-0x0000000000000000-mapping.dmp