Analysis
-
max time kernel
600s -
max time network
600s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
21-06-2024 01:07
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win7-20240611-en
General
-
Target
DCRatBuild.exe
-
Size
2.8MB
-
MD5
0a6cd0aed40de98cb0086c11454fc7f5
-
SHA1
364a210567fbff8b8095a09f6d4c8745f44bd82c
-
SHA256
d07d79bfaecfaad730b473aedbedd0b1c49b5361f74aab3a79c7a37c623527eb
-
SHA512
1e90fc51509290d94e96a10c57f681e85a1bb4a28b5e090b20f41567d31123b117a68cff7dead979f3119bc3f2a64cc43fab3194036939c4ec3daf070f6a958a
-
SSDEEP
49152:UbA30Mx6mbB202bRTk7puPi9bOdL/+AmU0FwGkxKYFC19Jm/PKhd:UbYUmbB20sRSuPi9bQL/+AmU0F7LSk
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1888 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2332 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1084 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2520 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 2520 schtasks.exe -
Processes:
BrokerSvc.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe -
Processes:
resource yara_rule C:\PortFontMonitornetcommon\BrokerSvc.exe dcrat behavioral1/memory/2700-13-0x0000000000CE0000-0x0000000000F5A000-memory.dmp dcrat behavioral1/memory/796-41-0x0000000000E90000-0x000000000110A000-memory.dmp dcrat behavioral1/memory/2396-65-0x0000000140000000-0x00000001405E8000-memory.dmp dcrat behavioral1/memory/2392-71-0x0000000000200000-0x000000000047A000-memory.dmp dcrat behavioral1/memory/2600-74-0x0000000000970000-0x0000000000BEA000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
Processes:
BrokerSvc.exeexplorer.exeservices.execsrss.exepid process 2700 BrokerSvc.exe 796 explorer.exe 2392 services.exe 2600 csrss.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2716 cmd.exe 2716 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
explorer.exeBrokerSvc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BrokerSvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
perfmon.exedescription ioc process File opened (read-only) \??\F: perfmon.exe -
Drops file in Program Files directory 1 IoCs
Processes:
BrokerSvc.exedescription ioc process File created C:\Program Files\Windows Media Player\Icons\cmd.exe BrokerSvc.exe -
Drops file in Windows directory 6 IoCs
Processes:
BrokerSvc.exedescription ioc process File created C:\Windows\debug\886983d96e3d3e BrokerSvc.exe File created C:\Windows\es-ES\explorer.exe BrokerSvc.exe File created C:\Windows\es-ES\7a0fd90576e088 BrokerSvc.exe File created C:\Windows\CSC\v2.0.6\lsm.exe BrokerSvc.exe File created C:\Windows\debug\csrss.exe BrokerSvc.exe File opened for modification C:\Windows\debug\csrss.exe BrokerSvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
perfmon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 perfmon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz perfmon.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2580 schtasks.exe 2548 schtasks.exe 2600 schtasks.exe 1084 schtasks.exe 1724 schtasks.exe 2968 schtasks.exe 1888 schtasks.exe 2484 schtasks.exe 2280 schtasks.exe 2332 schtasks.exe 1988 schtasks.exe 2560 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
BrokerSvc.exeexplorer.exepid process 2700 BrokerSvc.exe 2700 BrokerSvc.exe 2700 BrokerSvc.exe 2700 BrokerSvc.exe 2700 BrokerSvc.exe 2700 BrokerSvc.exe 2700 BrokerSvc.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe 796 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
perfmon.exeexplorer.exepid process 2396 perfmon.exe 796 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
BrokerSvc.exeexplorer.exeperfmon.exeAUDIODG.EXEservices.execsrss.exedescription pid process Token: SeDebugPrivilege 2700 BrokerSvc.exe Token: SeDebugPrivilege 796 explorer.exe Token: SeDebugPrivilege 2396 perfmon.exe Token: SeSystemProfilePrivilege 2396 perfmon.exe Token: SeCreateGlobalPrivilege 2396 perfmon.exe Token: 33 2396 perfmon.exe Token: SeIncBasePriorityPrivilege 2396 perfmon.exe Token: 33 108 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 108 AUDIODG.EXE Token: 33 108 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 108 AUDIODG.EXE Token: SeDebugPrivilege 2392 services.exe Token: SeDebugPrivilege 2600 csrss.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
DCRatBuild.exeWScript.execmd.exeBrokerSvc.exeresmon.exetaskeng.exedescription pid process target process PID 2936 wrote to memory of 2720 2936 DCRatBuild.exe WScript.exe PID 2936 wrote to memory of 2720 2936 DCRatBuild.exe WScript.exe PID 2936 wrote to memory of 2720 2936 DCRatBuild.exe WScript.exe PID 2936 wrote to memory of 2720 2936 DCRatBuild.exe WScript.exe PID 2720 wrote to memory of 2716 2720 WScript.exe cmd.exe PID 2720 wrote to memory of 2716 2720 WScript.exe cmd.exe PID 2720 wrote to memory of 2716 2720 WScript.exe cmd.exe PID 2720 wrote to memory of 2716 2720 WScript.exe cmd.exe PID 2716 wrote to memory of 2700 2716 cmd.exe BrokerSvc.exe PID 2716 wrote to memory of 2700 2716 cmd.exe BrokerSvc.exe PID 2716 wrote to memory of 2700 2716 cmd.exe BrokerSvc.exe PID 2716 wrote to memory of 2700 2716 cmd.exe BrokerSvc.exe PID 2700 wrote to memory of 796 2700 BrokerSvc.exe explorer.exe PID 2700 wrote to memory of 796 2700 BrokerSvc.exe explorer.exe PID 2700 wrote to memory of 796 2700 BrokerSvc.exe explorer.exe PID 2716 wrote to memory of 2568 2716 cmd.exe reg.exe PID 2716 wrote to memory of 2568 2716 cmd.exe reg.exe PID 2716 wrote to memory of 2568 2716 cmd.exe reg.exe PID 2716 wrote to memory of 2568 2716 cmd.exe reg.exe PID 1616 wrote to memory of 2396 1616 resmon.exe perfmon.exe PID 1616 wrote to memory of 2396 1616 resmon.exe perfmon.exe PID 1616 wrote to memory of 2396 1616 resmon.exe perfmon.exe PID 2820 wrote to memory of 2392 2820 taskeng.exe services.exe PID 2820 wrote to memory of 2392 2820 taskeng.exe services.exe PID 2820 wrote to memory of 2392 2820 taskeng.exe services.exe PID 2820 wrote to memory of 2600 2820 taskeng.exe csrss.exe PID 2820 wrote to memory of 2600 2820 taskeng.exe csrss.exe PID 2820 wrote to memory of 2600 2820 taskeng.exe csrss.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
BrokerSvc.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BrokerSvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" BrokerSvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\PortFontMonitornetcommon\BrokerSvc.exe"C:\PortFontMonitornetcommon\BrokerSvc.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2700 -
C:\Windows\es-ES\explorer.exe"C:\Windows\es-ES\explorer.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:796 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\resmon.exe"C:\Windows\system32\resmon.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\System32\perfmon.exe"C:\Windows\System32\perfmon.exe" /res2⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5941⤵
- Suspicious use of AdjustPrivilegeToken
PID:108
-
C:\Windows\system32\taskeng.exetaskeng.exe {E2411835-5D54-4D74-9591-D65514FE3259} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exeC:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PortFontMonitornetcommon\BrokerSvc.exeFilesize
2.5MB
MD5fc27116ce1b57a71d7d201e9aae86b01
SHA1ff047b7c918d9ff388b5c4928bfad5dcc818f1d4
SHA256121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
SHA51225747516de2d99e6193fc920435ececf1b7ddb8990487d26d03cf6179b7dab0f5172c0dfa5d4db4a29028c00c12a9fb266bc14d6920e864d6a3934af7748618b
-
C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.batFilesize
166B
MD5e09688b8cdb47414e341937de481c43d
SHA1e799a6166c872f085d62a5ea580b0798be36835d
SHA256949721b3bf385d01afc6b13e3c3ad7f37d87d29c49f243e2d59d4152925ee31b
SHA512c6a2aa753e0feaf0549cd22ace526a81c219b1b5513bb8a83154d6adeeb3db0536a4c0f0a9cb14373934ce400f8ed4681046e53bd175da5be10c0b7548690017
-
C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbeFilesize
237B
MD5e2723c4480fd7a7a5d8c46cb7bd7010e
SHA18ece7fa1a4cc39d5d439c13c8670c416ce4da987
SHA2568064029eab99ac1caed8414e03b5e7c981de56a6fcb7bdce3aa3b3438f430a2b
SHA5128ad0e2d16feaf91c9fc016b048721819d0b0ee5b4802371e5317b1b27ff7368fddd8ad6179de024c478d61fba3273727a3d94a59faef36a3b1cd2cdab32f6c51
-
memory/796-41-0x0000000000E90000-0x000000000110A000-memory.dmpFilesize
2.5MB
-
memory/2392-71-0x0000000000200000-0x000000000047A000-memory.dmpFilesize
2.5MB
-
memory/2396-67-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2396-66-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2396-65-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2600-74-0x0000000000970000-0x0000000000BEA000-memory.dmpFilesize
2.5MB
-
memory/2700-20-0x00000000004F0000-0x00000000004F8000-memory.dmpFilesize
32KB
-
memory/2700-26-0x0000000000B00000-0x0000000000B0C000-memory.dmpFilesize
48KB
-
memory/2700-21-0x0000000000510000-0x000000000051C000-memory.dmpFilesize
48KB
-
memory/2700-22-0x0000000000520000-0x000000000052C000-memory.dmpFilesize
48KB
-
memory/2700-23-0x0000000000AD0000-0x0000000000ADC000-memory.dmpFilesize
48KB
-
memory/2700-24-0x0000000000AE0000-0x0000000000AEE000-memory.dmpFilesize
56KB
-
memory/2700-25-0x0000000000AF0000-0x0000000000AFC000-memory.dmpFilesize
48KB
-
memory/2700-19-0x00000000004E0000-0x00000000004EC000-memory.dmpFilesize
48KB
-
memory/2700-18-0x0000000000490000-0x00000000004E6000-memory.dmpFilesize
344KB
-
memory/2700-17-0x0000000000480000-0x000000000048A000-memory.dmpFilesize
40KB
-
memory/2700-16-0x0000000000460000-0x0000000000468000-memory.dmpFilesize
32KB
-
memory/2700-15-0x00000000001D0000-0x00000000001EC000-memory.dmpFilesize
112KB
-
memory/2700-14-0x00000000001C0000-0x00000000001CE000-memory.dmpFilesize
56KB
-
memory/2700-13-0x0000000000CE0000-0x0000000000F5A000-memory.dmpFilesize
2.5MB