Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-04-2024 21:03
General
-
Target
3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
-
Size
3.2MB
-
MD5
7ec98ffb225893aeee999179ca43380a
-
SHA1
d9ad6d24e771b5c2ebc4b4a70534329abfffe871
-
SHA256
3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad
-
SHA512
9b8e4d9123b1b1686fc88e17e02aa3d05b998ad21f9314cd15b2da8751906bc04c2f749e279d04f3a1a5b40074ed89b33bae749b8e0546f7e665b32ce6dbca05
-
SSDEEP
49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables packed with SmartAssembly 8 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe"C:\Users\Admin\AppData\Local\Temp\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Program Files (x86)\Windows Defender\audiodg.exe"C:\Program Files (x86)\Windows Defender\audiodg.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40469aec-22a3-47b5-832b-c7a16d699758.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\audiodg.exe"C:\Program Files (x86)\Windows Defender\audiodg.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\745ee968-13ad-463b-8abe-9a79bdf283eb.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\audiodg.exe"C:\Program Files (x86)\Windows Defender\audiodg.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\411915e5-4792-4b68-a2bf-b2f4294c429e.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06c2bb4f-c5aa-4b8e-b233-aa0dd7f2363f.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b277ca58-d53f-4d00-a962-0965f5ee166a.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\377dc1cb-08e3-41fe-800b-7b3950b6c762.vbs"4⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad3" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad" /sc ONLOGON /tr "'C:\Users\Default\SendTo\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad3" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Windows Defender\audiodg.exeFilesize
3.2MB
MD5cf29d8ca465ff6812aa95db04090a9c0
SHA1716464024376e14db08a4d150313692eb6fea476
SHA2566f549320053ad85f9bbf44afba7686872407b6883b23936d7629940a7f307f2a
SHA51246b83baf26d1eee55d039cae12df62550d894851604049613580ce7a6d1f4168440378a1e135071244fabdf8fadc004cb48be3f4ade42fab5d7af22730c630af
-
C:\Users\Admin\AppData\Local\Temp\377dc1cb-08e3-41fe-800b-7b3950b6c762.vbsFilesize
503B
MD5900d612f362613eb51f76c4280e4ba5e
SHA10adf5fdf96e9755b150e0ce979eb3279f734bb90
SHA2569a79724b0436ef44d26b7f997d582bc4f7b472c7eb4548e939be933f4d2ac18e
SHA512bdaad89ff608516f149cae0ed177ddf7184ec1a211e39cc70898024d1dbec654db2e482a1d7beb493b1558608494e99bae7e1b2c658a9779b09a8d6daddce72c
-
C:\Users\Admin\AppData\Local\Temp\40469aec-22a3-47b5-832b-c7a16d699758.vbsFilesize
727B
MD5f536f1d2953cc8478f0f333dbdea536b
SHA1bc2df5ed5d7afb0596954d8c2612eda1a1d559f7
SHA25689662301cfca9c3a36bb4a78c7f5fa8ceafd8fa419b6c36b2bb638d0be93614f
SHA512d052aff4ae4889781430aba6d255d93d93dbb5697c3958d82820b373b35d7ba9ef7962343017d61ec559f9867313728c7e0ff5518404ae50cb9f0de645800905
-
C:\Users\Admin\AppData\Local\Temp\411915e5-4792-4b68-a2bf-b2f4294c429e.vbsFilesize
727B
MD55f6d3b2ac11b838e2f3ce06d6dc25047
SHA18dc7612934245faf7ebad9e1463255939246e507
SHA2565903918f0db2d399e886b7031f37d21a28f26b6737689a67343bae76da3f7b8a
SHA51295ed675f88d1c4f818ce24c0559fb49e34f2d56e9938afd4b292a9af29333fcf51424c41dd4d040461e9a5cc809622ca15c3a67dff1ee3795db6d44973b9aa75
-
C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.batFilesize
216B
MD5e8418630f40929229009f89a126d485c
SHA1ecc6c50d074e840577e25dd6f43db1d09b0e1b2b
SHA25654157c8e880d9610a97da6955271f0865ad749e678563a429c174055dd6d732d
SHA5121d568d12fac63af7bbafd38f9caa2ff5e71daeaa3b20426ce4a6f6348b63c23c113fb383de74628f53464843850a086d77b4e06c24281ab15a60fa8933d56068
-
C:\Users\Admin\AppData\Local\Temp\745ee968-13ad-463b-8abe-9a79bdf283eb.vbsFilesize
727B
MD57bfa5da8b09793c86230d054912f6a23
SHA1ab5b42055dc96430cc2c22e3d72e247168f7b87d
SHA25695be8bd53af92b0ab959c0b2a99b23f098684d09139dde0f122c63ba338e12fe
SHA5122504d43be4754b9eba6017d327f69ce8baff3968476ffd111983475fe3b458aacfd9286fbed8da721d30a061a17da50989a18879fb95117f3c170ab4aed2e2f8
-
C:\Users\Admin\AppData\Local\Temp\RCX1D9F.tmpFilesize
3.2MB
MD57ec98ffb225893aeee999179ca43380a
SHA1d9ad6d24e771b5c2ebc4b4a70534329abfffe871
SHA2563b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad
SHA5129b8e4d9123b1b1686fc88e17e02aa3d05b998ad21f9314cd15b2da8751906bc04c2f749e279d04f3a1a5b40074ed89b33bae749b8e0546f7e665b32ce6dbca05
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55edce2ebf135ad3a5f738b2a741e44f2
SHA14527fbc3dbf7c591e7b9a0d131454fe5a60b9947
SHA25666b98c6ad60e67e1bc4b40b7e668bd24b5c09bbbca3f905ed1098ac54588c6fb
SHA512a22f2e53e3d2d2cd39d7dbfe8383a63366648a75e9fca26ba53fedac2b722f9c57a13565409dbc3fe8ab9f5ccd5b892928899a197304b77559cc8162a9ae6dad
-
C:\Users\Default\dllhost.exeFilesize
3.2MB
MD54d447f188928957c24fd574d5311818b
SHA17ea3fa4da1dbdb40e03cc69983f8937c3d0e67d2
SHA256d498bda55d78ada61a1b83ddd5c23f64acb4246ba8ae9e12d5798363af4672d8
SHA512152db28c9a04404ea15b3464be8f477739b223edcb5b9cb507219e4b235af2445a31a638b44bc84e85231b03b6c94ac967add1683245a310a063497e3cb8c91c
-
memory/1200-171-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/1200-101-0x000000001B800000-0x000000001BAE2000-memory.dmpFilesize
2.9MB
-
memory/1200-167-0x000000000297B000-0x00000000029E2000-memory.dmpFilesize
412KB
-
memory/1200-158-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/1200-161-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/1200-164-0x0000000002974000-0x0000000002977000-memory.dmpFilesize
12KB
-
memory/1200-159-0x0000000002970000-0x00000000029F0000-memory.dmpFilesize
512KB
-
memory/1200-162-0x0000000002970000-0x00000000029F0000-memory.dmpFilesize
512KB
-
memory/1252-183-0x0000000002D7B000-0x0000000002DE2000-memory.dmpFilesize
412KB
-
memory/1292-185-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/1292-182-0x0000000002E2B000-0x0000000002E92000-memory.dmpFilesize
412KB
-
memory/1920-177-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/1920-181-0x0000000002830000-0x00000000028B0000-memory.dmpFilesize
512KB
-
memory/2036-165-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2036-169-0x0000000002304000-0x0000000002307000-memory.dmpFilesize
12KB
-
memory/2036-172-0x000000000230B000-0x0000000002372000-memory.dmpFilesize
412KB
-
memory/2280-176-0x0000000002C60000-0x0000000002CE0000-memory.dmpFilesize
512KB
-
memory/2280-107-0x0000000002220000-0x0000000002228000-memory.dmpFilesize
32KB
-
memory/2280-173-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2280-179-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2280-184-0x0000000002C6B000-0x0000000002CD2000-memory.dmpFilesize
412KB
-
memory/2280-175-0x0000000002C60000-0x0000000002CE0000-memory.dmpFilesize
512KB
-
memory/2280-168-0x0000000002C60000-0x0000000002CE0000-memory.dmpFilesize
512KB
-
memory/2280-163-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2308-166-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2308-174-0x0000000001F2B000-0x0000000001F92000-memory.dmpFilesize
412KB
-
memory/2308-170-0x0000000001F24000-0x0000000001F27000-memory.dmpFilesize
12KB
-
memory/2868-22-0x0000000000C60000-0x0000000000C6C000-memory.dmpFilesize
48KB
-
memory/2868-1-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmpFilesize
9.9MB
-
memory/2868-21-0x0000000000C50000-0x0000000000C5C000-memory.dmpFilesize
48KB
-
memory/2868-20-0x0000000000C40000-0x0000000000C4C000-memory.dmpFilesize
48KB
-
memory/2868-19-0x0000000000C30000-0x0000000000C3C000-memory.dmpFilesize
48KB
-
memory/2868-18-0x0000000000B80000-0x0000000000B92000-memory.dmpFilesize
72KB
-
memory/2868-17-0x0000000000B70000-0x0000000000B78000-memory.dmpFilesize
32KB
-
memory/2868-16-0x0000000000B60000-0x0000000000B6C000-memory.dmpFilesize
48KB
-
memory/2868-15-0x00000000006D0000-0x00000000006D8000-memory.dmpFilesize
32KB
-
memory/2868-23-0x0000000000D20000-0x0000000000D28000-memory.dmpFilesize
32KB
-
memory/2868-25-0x0000000000C80000-0x0000000000C8E000-memory.dmpFilesize
56KB
-
memory/2868-14-0x00000000006B0000-0x00000000006BC000-memory.dmpFilesize
48KB
-
memory/2868-13-0x0000000000B10000-0x0000000000B66000-memory.dmpFilesize
344KB
-
memory/2868-12-0x00000000006A0000-0x00000000006AA000-memory.dmpFilesize
40KB
-
memory/2868-53-0x000000001B3F0000-0x000000001B470000-memory.dmpFilesize
512KB
-
memory/2868-24-0x0000000000C70000-0x0000000000C7A000-memory.dmpFilesize
40KB
-
memory/2868-11-0x00000000006C0000-0x00000000006D0000-memory.dmpFilesize
64KB
-
memory/2868-32-0x000000001ABA0000-0x000000001ABAC000-memory.dmpFilesize
48KB
-
memory/2868-31-0x0000000001260000-0x000000000126A000-memory.dmpFilesize
40KB
-
memory/2868-26-0x0000000000D10000-0x0000000000D18000-memory.dmpFilesize
32KB
-
memory/2868-0-0x0000000001270000-0x00000000015AC000-memory.dmpFilesize
3.2MB
-
memory/2868-10-0x0000000000690000-0x0000000000698000-memory.dmpFilesize
32KB
-
memory/2868-9-0x0000000000670000-0x0000000000686000-memory.dmpFilesize
88KB
-
memory/2868-30-0x0000000001250000-0x0000000001258000-memory.dmpFilesize
32KB
-
memory/2868-8-0x0000000000660000-0x0000000000670000-memory.dmpFilesize
64KB
-
memory/2868-7-0x0000000000650000-0x0000000000658000-memory.dmpFilesize
32KB
-
memory/2868-2-0x000000001B3F0000-0x000000001B470000-memory.dmpFilesize
512KB
-
memory/2868-29-0x000000001B3F0000-0x000000001B470000-memory.dmpFilesize
512KB
-
memory/2868-6-0x0000000000630000-0x000000000064C000-memory.dmpFilesize
112KB
-
memory/2868-28-0x0000000001240000-0x000000000124C000-memory.dmpFilesize
48KB
-
memory/2868-5-0x0000000000620000-0x0000000000628000-memory.dmpFilesize
32KB
-
memory/2868-112-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmpFilesize
9.9MB
-
memory/2868-27-0x0000000000DB0000-0x0000000000DBE000-memory.dmpFilesize
56KB
-
memory/2868-4-0x0000000000500000-0x000000000050E000-memory.dmpFilesize
56KB
-
memory/2868-3-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2980-180-0x000007FEECAF0000-0x000007FEED48D000-memory.dmpFilesize
9.6MB
-
memory/2980-178-0x00000000027FB000-0x0000000002862000-memory.dmpFilesize
412KB