Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 19:05
Behavioral task | Sample | Resource
behavioral1 | Solara.zip | win10-20240404-en
behavioral2 | Solara.zip | win10v2004-20240226-en
behavioral3 | Solara.zip | win11-20240508-en
behavioral4 | Solara/SolaraBootstrapper.exe | win10-20240404-en
behavioral5 | Solara/SolaraBootstrapper.exe | win10v2004-20240226-en
behavioral6 | Solara/SolaraBootstrapper.exe | win11-20240508-en
General
-
Target
Solara/SolaraBootstrapper.exe
-
Size
1.9MB
-
MD5
8911439914996ec2bd5ba4dc50ffd163
-
SHA1
bed9b04aaab10cf740a5eb07f894c71f62ef88b2
-
SHA256
40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41
-
SHA512
c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93
-
SSDEEP
24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4076 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3648 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 716 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3216 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3336 | 2572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2572 | schtasks.exe |
-
Processes: reviewinto.exe, fontdrvhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reviewinto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewinto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reviewinto.exe
-
Processes:
resource | yara_rule
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe | dcrat
behavioral5/memory/1004-13-0x00000000004F0000-0x0000000000692000-memory.dmp | dcrat
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, reviewinto.exe, fontdrvhost.exe, SolaraBootstrapper.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | reviewinto.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | SolaraBootstrapper.exe
-
Executes dropped EXE 2 IoCs
Processes: reviewinto.exe, fontdrvhost.exe
pid | process
1004 | reviewinto.exe
4396 | fontdrvhost.exe
-
Processes: reviewinto.exe, fontdrvhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewinto.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewinto.exe
-
Drops file in Program Files directory 2 IoCs
Processes: reviewinto.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe | reviewinto.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\38384e6a620884 | reviewinto.exe
-
Drops file in Windows directory 2 IoCs
Processes: reviewinto.exe
description | ioc | process
File created | C:\Windows\en-US\fontdrvhost.exe | reviewinto.exe
File created | C:\Windows\en-US\5b884080fd4f94 | reviewinto.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes: fontdrvhost.exe, SolaraBootstrapper.exe, reviewinto.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | SolaraBootstrapper.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | reviewinto.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
4076 | schtasks.exe
3648 | schtasks.exe
2716 | schtasks.exe
716 | schtasks.exe
2824 | schtasks.exe
2136 | schtasks.exe
3336 | schtasks.exe
1772 | schtasks.exe
3216 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: reviewinto.exe, fontdrvhost.exe
pid | process
1004 | reviewinto.exe
4396 | fontdrvhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: fontdrvhost.exe
pid | process
4396 | fontdrvhost.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: reviewinto.exe, fontdrvhost.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1004 | reviewinto.exe
Token: SeDebugPrivilege | 4396 | fontdrvhost.exe
Token: SeBackupPrivilege | 2716 | vssvc.exe
Token: SeRestorePrivilege | 2716 | vssvc.exe
Token: SeAuditPrivilege | 2716 | vssvc.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: SolaraBootstrapper.exe, WScript.exe, cmd.exe, reviewinto.exe, cmd.exe, fontdrvhost.exe
description | pid | process | target process
PID 5048 wrote to memory of 3980 | 5048 | SolaraBootstrapper.exe | WScript.exe
PID 3980 wrote to memory of 368 | 3980 | WScript.exe | cmd.exe
PID 368 wrote to memory of 1004 | 368 | cmd.exe | reviewinto.exe
PID 1004 wrote to memory of 3332 | 1004 | reviewinto.exe | cmd.exe
PID 368 wrote to memory of 1860 | 368 | cmd.exe | reg.exe
PID 3332 wrote to memory of 4416 | 3332 | cmd.exe | w32tm.exe
PID 3332 wrote to memory of 4396 | 3332 | cmd.exe | fontdrvhost.exe
PID 4396 wrote to memory of 436 | 4396 | fontdrvhost.exe | WScript.exe
PID 4396 wrote to memory of 4428 | 4396 | fontdrvhost.exe | WScript.exe
-
System policy modification 1 TTPs 6 IoCs
Processes: fontdrvhost.exe, reviewinto.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewinto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reviewinto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reviewinto.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
PID: 5048
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"
  PID: 3980
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "
    PID: 368
    - Suspicious use of WriteProcessMemory

      C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
      Command line: "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
      PID: 1004
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat"
        PID: 3332
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 4416

          C:\Windows\en-US\fontdrvhost.exe
          Command line: "C:\Windows\en-US\fontdrvhost.exe"
          PID: 4396
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

            C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs"
            PID: 436

            C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs"
            PID: 4428

      C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      PID: 1860
      - Modifies registry key

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /f
PID: 4076
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID: 3648
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID: 2716
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f
PID: 716
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
PID: 3216
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
PID: 2824
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /f
PID: 2136
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f
PID: 3336
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f
PID: 1772
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2716
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
PID: 2424
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Scheduled Task/Job: 1
  Scheduled Task: 1
Downloads
-
C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
Filesize: 160B
-
C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
Filesize: 226B
-
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
Filesize: 1.6MB
-
C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs
Filesize: 708B
-
C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs
Filesize: 484B
-
C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat
Filesize: 197B