Analysis
-
max time kernel
51s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 08:31
Behavioral task
behavioral1
Sample
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
Resource
win10v2004-20240508-en
General
-
Target
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
-
Size
827KB
-
MD5
33ab5cbb351fa75f5d4f3e3b5aa064a9
-
SHA1
ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
-
SHA256
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
-
SHA512
4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
-
SSDEEP
12288:6HggW+CSPHjaphInx+6XlRitt/tNRWCkQu:6AgW+C4jaqZlR4/jRWCkT
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5096 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4100 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4612 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4244 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 372 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3360 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4248 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4956 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3548 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4988 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1296 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3156 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3720 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4592 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 532 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4144 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 1572 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 1572 schtasks.exe -
Processes:
resource yara_rule behavioral2/memory/4720-1-0x0000000000590000-0x0000000000666000-memory.dmp dcrat C:\Recovery\WindowsRE\Idle.exe dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe -
Executes dropped EXE 1 IoCs
Processes:
sihost.exepid process 3796 sihost.exe -
Drops file in Program Files directory 13 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exedescription ioc process File created C:\Program Files\Uninstall Information\69ddcba757bf72 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files\Windows Multimedia Platform\taskhostw.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files\Windows Multimedia Platform\ea9f0e6c9e2dcd 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\MSBuild\66fc9ff0ee96c2 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\Google\b91cc0d9432579 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files\Uninstall Information\smss.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\Google\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File opened for modification C:\Program Files (x86)\Google\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files\MSBuild\unsecapp.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files\MSBuild\29c1c3cc0f7685 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe File created C:\Program Files (x86)\MSBuild\sihost.exe 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4080 schtasks.exe 3156 schtasks.exe 5096 schtasks.exe 372 schtasks.exe 832 schtasks.exe 4884 schtasks.exe 1820 schtasks.exe 3548 schtasks.exe 2572 schtasks.exe 4592 schtasks.exe 876 schtasks.exe 3488 schtasks.exe 4244 schtasks.exe 3360 schtasks.exe 2580 schtasks.exe 1296 schtasks.exe 4144 schtasks.exe 1240 schtasks.exe 1336 schtasks.exe 4056 schtasks.exe 532 schtasks.exe 2316 schtasks.exe 4100 schtasks.exe 4612 schtasks.exe 4248 schtasks.exe 4988 schtasks.exe 3720 schtasks.exe 2076 schtasks.exe 2456 schtasks.exe 4956 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exesihost.exepid process 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe 3796 sihost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exesihost.exedescription pid process Token: SeDebugPrivilege 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe Token: SeDebugPrivilege 3796 sihost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.execmd.exedescription pid process target process PID 4720 wrote to memory of 4016 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe cmd.exe PID 4720 wrote to memory of 4016 4720 33ab5cbb351fa75f5d4f3e3b5aa064a9.exe cmd.exe PID 4016 wrote to memory of 2004 4016 cmd.exe w32tm.exe PID 4016 wrote to memory of 2004 4016 cmd.exe w32tm.exe PID 4016 wrote to memory of 3796 4016 cmd.exe sihost.exe PID 4016 wrote to memory of 3796 4016 cmd.exe sihost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe"C:\Users\Admin\AppData\Local\Temp\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NzfeIQJKLM.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2004
-
C:\Program Files (x86)\MSBuild\sihost.exe"C:\Program Files (x86)\MSBuild\sihost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "33ab5cbb351fa75f5d4f3e3b5aa064a93" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "33ab5cbb351fa75f5d4f3e3b5aa064a9" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "33ab5cbb351fa75f5d4f3e3b5aa064a93" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\WindowsRE\Idle.exeFilesize
827KB
MD533ab5cbb351fa75f5d4f3e3b5aa064a9
SHA1ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
SHA2562e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
SHA5124e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
-
C:\Users\Admin\AppData\Local\Temp\NzfeIQJKLM.batFilesize
206B
MD557dadad59cdbb598aced10d11a37cedd
SHA1857c335207ceab35f63f971c230a2e49c4a1727f
SHA256fd9f67b8666840756aabce333733630f4abe3c3330ddcb94ca9f0a2b67ac452e
SHA512330fa33105071e8608bf30bfb970854278c0de0980632ff0bd3c72fb99d44f891dfacf576456cff69ba88d97a97f949981263f8fa52d50b0e92ce3a6b1cc3158
-
memory/4720-0-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmpFilesize
8KB
-
memory/4720-1-0x0000000000590000-0x0000000000666000-memory.dmpFilesize
856KB
-
memory/4720-2-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmpFilesize
10.8MB
-
memory/4720-29-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmpFilesize
10.8MB