Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
13-06-2023 11:51
General
-
Target
02965599.exe
-
Size
2.6MB
-
MD5
372cc839865083adf0f65df5328bd899
-
SHA1
c0b501e644a12cd28957359f81e984b669c630a4
-
SHA256
147e07c4f900dbd2c64b3bf60502937838a2b2afed76ada94ef8705a12b5b6a6
-
SHA512
09ca0793b79583178f2aa9de209adaa73e4ca3c898bf732ee4874adea070caacebaec961772feca62816c0c45de0acc7ca940e08862c14b7b01178649eabc36e
-
SSDEEP
49152:UbA30qPDl0T7HdZNFvKiUy2CDnVjT6f3XFmI2:UbcJ0T7jvL+2BTsHFmI2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02965599.exe"C:\Users\Admin\AppData\Local\Temp\02965599.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewdhcpsvc\mUKdghzpqGHjXShI5nXTcwIxK1c.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\reviewdhcpsvc\LlPAERN42DMwqf5ax8R7gZ.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\reviewdhcpsvc\AgentCommon.exe"C:\reviewdhcpsvc\AgentCommon.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exe"C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewdhcpsvc\file.vbs"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\reviewdhcpsvc\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\reviewdhcpsvc\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\reviewdhcpsvc\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\reviewdhcpsvc\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\reviewdhcpsvc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\reviewdhcpsvc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WIA\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
C:\Program Files (x86)\Internet Explorer\de-DE\taskhost.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
C:\reviewdhcpsvc\AgentCommon.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
C:\reviewdhcpsvc\AgentCommon.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
C:\reviewdhcpsvc\LlPAERN42DMwqf5ax8R7gZ.batFilesize
146B
MD5ca5ae6a576781a9f77124addb764d81f
SHA106f28caf056efc0aa8426006415db979ae2016fe
SHA2562776f5470fce110bfb8d847ac112564ddbe69e0bfa43f597e117ba382667b5a4
SHA5120e131d0f0f4e583e64ea4c9c3478f5ab8818f8dce8046f329d7e1bd40db09200c6c22f5846ce30fa2f8a5c018eba92deb5bcbbab7a6032ec51282fe75db608fa
-
C:\reviewdhcpsvc\file.vbsFilesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\reviewdhcpsvc\mUKdghzpqGHjXShI5nXTcwIxK1c.vbeFilesize
212B
MD59af3f91f678eb5dbee799914975f15aa
SHA1f5ae5e45d49b48c271a5a51f8eee634b0a2751b4
SHA25611307e00ec4f82cd159f6a4abba62fd6424e49860da33e0465635339781dd72f
SHA5120648786d03057b9c16d8ddedca83a7ab4ac317e638d8f82939711f658f78b999788c9e9f9c308ab49cd168ed9a76fa03c8d7375de1a0550d558fc10032e886fb
-
\reviewdhcpsvc\AgentCommon.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
\reviewdhcpsvc\AgentCommon.exeFilesize
2.3MB
MD5c12e4a53dc571ccce79abefd054c2424
SHA1e673e215b3ac6d550ab8a10e4978f81494e50e81
SHA256fa1cd5896935e6be20825665599a1bd7ea09c82830cd18c303c1fa38eefac315
SHA5120a5e4b1a1c6964ae9538ca7139133e605d89ea9e501ef7642bf2dbf9bd39c798b6811c09016a525331e8ebffa9604b3e6e32bc82a150bcc8f40353170a9296ce
-
memory/1004-120-0x0000000002390000-0x0000000002410000-memory.dmpFilesize
512KB
-
memory/1004-121-0x00000000001F0000-0x0000000000202000-memory.dmpFilesize
72KB
-
memory/1004-119-0x0000000000C20000-0x0000000000E72000-memory.dmpFilesize
2.3MB
-
memory/1004-122-0x0000000002390000-0x0000000002410000-memory.dmpFilesize
512KB
-
memory/1040-75-0x0000000000C50000-0x0000000000CA6000-memory.dmpFilesize
344KB
-
memory/1040-80-0x0000000000B10000-0x0000000000B18000-memory.dmpFilesize
32KB
-
memory/1040-79-0x0000000000A80000-0x0000000000A88000-memory.dmpFilesize
32KB
-
memory/1040-78-0x0000000000A70000-0x0000000000A7E000-memory.dmpFilesize
56KB
-
memory/1040-77-0x000000001B050000-0x000000001B0D0000-memory.dmpFilesize
512KB
-
memory/1040-76-0x0000000000510000-0x0000000000522000-memory.dmpFilesize
72KB
-
memory/1040-74-0x00000000004F0000-0x0000000000506000-memory.dmpFilesize
88KB
-
memory/1040-73-0x0000000000240000-0x000000000025C000-memory.dmpFilesize
112KB
-
memory/1040-72-0x0000000001330000-0x0000000001582000-memory.dmpFilesize
2.3MB