Analysis
-
max time kernel
2s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
01-07-2024 02:10
General
-
Target
258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe
-
Size
1.7MB
-
MD5
6a8dc0383ff9426d3cd10e686ea8af6e
-
SHA1
bee7864ec1d04b30f37d46da8e7ec5fe240ae3fc
-
SHA256
258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa
-
SHA512
f0d96a682995d5d8e965aea6efc041ea26d57b50de7e8d8c36d03a5b74c68321574ac955a7be70d1436cdeba94dacee41e0269308e799770aa064a0d7d29ddfa
-
SSDEEP
24576:WwtlgjpoyMl1W9Rl/3XF9R95g9f53Lv+6gJUHGHhuf9QkGuW+4HcWb1JB4nS:xtyotW9RN+f53i1JUHG4xGuDkcY1JB
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe"C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eFR6a9mIY7.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe"C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\audiodg.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3sv2RA7Y5G.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa2" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa2" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Windows Portable Devices\258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa.exeFilesize
1.7MB
MD56a8dc0383ff9426d3cd10e686ea8af6e
SHA1bee7864ec1d04b30f37d46da8e7ec5fe240ae3fc
SHA256258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa
SHA512f0d96a682995d5d8e965aea6efc041ea26d57b50de7e8d8c36d03a5b74c68321574ac955a7be70d1436cdeba94dacee41e0269308e799770aa064a0d7d29ddfa
-
C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exeFilesize
1.7MB
MD5e007b3f78e57188672a1e8d3c66fa555
SHA14264d60b38c31dc8231622b1b58aa2f5e3e312e7
SHA256cded48fdb6587ea32158132bf407bcb359907d289646597d7d1fdb1e2a3dc517
SHA512be7d98b96f60e8a449a0592fec2d59d947bd34eaadef6bd7ddce989012a584464708ca3333ab385411dca6dc62472f331b09ca659f830b8df98914a596d56d38
-
C:\Users\Admin\AppData\Local\Temp\3sv2RA7Y5G.batFilesize
240B
MD5630b6cdfeb2d384222dc8f1b63d6cbc3
SHA12d9c003074966ffeb09be2606958165b98af493b
SHA256ebe1ac6ed26c619bdedf6fb7929b5536f7f2b899712219b9b45ec072dfe50c27
SHA51281578963ac7390f01154e8c9608a9cb429b10a97005b3d94ce7231fa19ad16d470c2ad98fd6b3fc185c82d0d78a2bb340ee8bca6b2b377608480c61563f76a83
-
C:\Users\Admin\AppData\Local\Temp\eFR6a9mIY7.batFilesize
267B
MD527c25826977cd6a38b949b8feb3ebed1
SHA129713100c56f6715d7b8a1f13c105b2d3009680a
SHA256b0af117270765a82ca262459817a83179cb8d70b1dcb6a01777e30382b9dfea9
SHA5125ad5b5ab9f81c6cc66bb007c8887bf663e9ef37cb0ddef49c2aa3fab7745a561e7fafd69ad01e67e187226ab22637a5171c80d5eef375b7610c7e509dcd8d69d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5606d6edeb5f15040b61e028eaed2abd8
SHA1528ed4a3880f58ddf79337d40f1ddc1ff618c74e
SHA25637914e59d6fbf3b070d4b7b8391d440299af45890e9bf76b8c1d26866301e8c3
SHA512569234550ca940d79b0a22b99a0c1707b114b255dae35fca3c9b3901372182cb5ab59f34a18a5b33a97682cd6fe11746051b619d4ebc08bb286f33d3f16682bc
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1072-146-0x0000000002490000-0x0000000002498000-memory.dmpFilesize
32KB
-
memory/1084-188-0x000000001B130000-0x000000001B412000-memory.dmpFilesize
2.9MB
-
memory/1084-189-0x0000000002620000-0x0000000002628000-memory.dmpFilesize
32KB
-
memory/1136-7-0x0000000000510000-0x0000000000526000-memory.dmpFilesize
88KB
-
memory/1136-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmpFilesize
4KB
-
memory/1136-17-0x0000000000940000-0x000000000094C000-memory.dmpFilesize
48KB
-
memory/1136-15-0x0000000000680000-0x0000000000688000-memory.dmpFilesize
32KB
-
memory/1136-14-0x0000000000710000-0x000000000071E000-memory.dmpFilesize
56KB
-
memory/1136-20-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmpFilesize
9.9MB
-
memory/1136-12-0x0000000000660000-0x000000000066C000-memory.dmpFilesize
48KB
-
memory/1136-9-0x0000000000640000-0x0000000000648000-memory.dmpFilesize
32KB
-
memory/1136-13-0x0000000000670000-0x000000000067C000-memory.dmpFilesize
48KB
-
memory/1136-4-0x0000000000150000-0x000000000016C000-memory.dmpFilesize
112KB
-
memory/1136-11-0x0000000000650000-0x000000000065C000-memory.dmpFilesize
48KB
-
memory/1136-16-0x0000000000930000-0x000000000093E000-memory.dmpFilesize
56KB
-
memory/1136-8-0x0000000000290000-0x000000000029C000-memory.dmpFilesize
48KB
-
memory/1136-152-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmpFilesize
9.9MB
-
memory/1136-5-0x0000000000270000-0x0000000000278000-memory.dmpFilesize
32KB
-
memory/1136-1-0x0000000000E90000-0x0000000001042000-memory.dmpFilesize
1.7MB
-
memory/1136-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmpFilesize
9.9MB
-
memory/1136-6-0x0000000000280000-0x0000000000290000-memory.dmpFilesize
64KB
-
memory/1136-3-0x0000000000140000-0x000000000014E000-memory.dmpFilesize
56KB
-
memory/1568-169-0x0000000000FE0000-0x0000000001192000-memory.dmpFilesize
1.7MB
-
memory/2032-140-0x000000001B310000-0x000000001B5F2000-memory.dmpFilesize
2.9MB
-
memory/2524-203-0x0000000000B30000-0x0000000000CE2000-memory.dmpFilesize
1.7MB