Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 01:08
Behavioral task
behavioral1
Sample
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Resource
win10v2004-20240611-en
General
-
Target
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
-
Size
2.5MB
-
MD5
0dfb562500251ae8c085e6e8db7fe3d1
-
SHA1
00a1c6bb0bd7d99d54e96b714592f4a070b81641
-
SHA256
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a
-
SHA512
05578a1553b38cd22570cb5b8bc6e3d4064ab6cf5d05a8537a5a4dd849aac4eda933ccf94d7f765ed03c40b67c6cd89412e15bdbad3a493681cad17387270004
-
SSDEEP
49152:aozCQ2xc1knReFIs/2M0HVcg+Fk1gMO9:aozCQ31YK+HKvH
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2592 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 668 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 432 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 580 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 2772 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 2772 schtasks.exe -
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exetaskhost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe -
Processes:
resource yara_rule behavioral1/memory/2072-1-0x00000000012D0000-0x0000000001556000-memory.dmp dcrat C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dllhost.exe dcrat behavioral1/memory/1740-32-0x0000000000BC0000-0x0000000000E46000-memory.dmp dcrat -
Detects executables packed with SmartAssembly 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2072-7-0x0000000000D20000-0x0000000000D2A000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2072-12-0x0000000000B40000-0x0000000000B4C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly -
Executes dropped EXE 1 IoCs
Processes:
taskhost.exepid process 1740 taskhost.exe -
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exetaskhost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe -
Drops file in Program Files directory 5 IoCs
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exedescription ioc process File created C:\Program Files\VideoLAN\lsm.exe 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File opened for modification C:\Program Files\VideoLAN\lsm.exe 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File created C:\Program Files\VideoLAN\101b941d020240 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File created C:\Program Files (x86)\Internet Explorer\fr-FR\lsass.exe 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File created C:\Program Files (x86)\Internet Explorer\fr-FR\6203df4a6bafc7 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe -
Drops file in Windows directory 3 IoCs
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exedescription ioc process File created C:\Windows\rescache\rc0000\System.exe 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File created C:\Windows\Migration\WTR\taskhost.exe 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe File created C:\Windows\Migration\WTR\b75386f1303e64 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2592 schtasks.exe 3000 schtasks.exe 432 schtasks.exe 1648 schtasks.exe 580 schtasks.exe 2820 schtasks.exe 1764 schtasks.exe 2844 schtasks.exe 2456 schtasks.exe 668 schtasks.exe 576 schtasks.exe 1596 schtasks.exe 2828 schtasks.exe 2476 schtasks.exe 2524 schtasks.exe 1900 schtasks.exe 2576 schtasks.exe 1976 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exetaskhost.exepid process 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe 1740 taskhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exetaskhost.exedescription pid process Token: SeDebugPrivilege 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Token: SeDebugPrivilege 1740 taskhost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exedescription pid process target process PID 2072 wrote to memory of 1740 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe taskhost.exe PID 2072 wrote to memory of 1740 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe taskhost.exe PID 2072 wrote to memory of 1740 2072 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe taskhost.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
taskhost.exe29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe"C:\Users\Admin\AppData\Local\Temp\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072 -
C:\Windows\Migration\WTR\taskhost.exe"C:\Windows\Migration\WTR\taskhost.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dllhost.exeFilesize
2.5MB
MD50dfb562500251ae8c085e6e8db7fe3d1
SHA100a1c6bb0bd7d99d54e96b714592f4a070b81641
SHA25629c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a
SHA51205578a1553b38cd22570cb5b8bc6e3d4064ab6cf5d05a8537a5a4dd849aac4eda933ccf94d7f765ed03c40b67c6cd89412e15bdbad3a493681cad17387270004
-
memory/1740-34-0x0000000000490000-0x00000000004A2000-memory.dmpFilesize
72KB
-
memory/1740-32-0x0000000000BC0000-0x0000000000E46000-memory.dmpFilesize
2.5MB
-
memory/2072-8-0x0000000000D30000-0x0000000000D86000-memory.dmpFilesize
344KB
-
memory/2072-11-0x0000000000D80000-0x0000000000D92000-memory.dmpFilesize
72KB
-
memory/2072-5-0x0000000000440000-0x0000000000452000-memory.dmpFilesize
72KB
-
memory/2072-6-0x00000000005D0000-0x00000000005D8000-memory.dmpFilesize
32KB
-
memory/2072-7-0x0000000000D20000-0x0000000000D2A000-memory.dmpFilesize
40KB
-
memory/2072-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmpFilesize
4KB
-
memory/2072-9-0x0000000000BA0000-0x0000000000BAC000-memory.dmpFilesize
48KB
-
memory/2072-4-0x0000000000B80000-0x0000000000B96000-memory.dmpFilesize
88KB
-
memory/2072-10-0x0000000000D10000-0x0000000000D18000-memory.dmpFilesize
32KB
-
memory/2072-12-0x0000000000B40000-0x0000000000B4C000-memory.dmpFilesize
48KB
-
memory/2072-13-0x0000000000B50000-0x0000000000B5C000-memory.dmpFilesize
48KB
-
memory/2072-3-0x0000000000B60000-0x0000000000B7C000-memory.dmpFilesize
112KB
-
memory/2072-2-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmpFilesize
9.9MB
-
memory/2072-33-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmpFilesize
9.9MB
-
memory/2072-1-0x00000000012D0000-0x0000000001556000-memory.dmpFilesize
2.5MB