Analysis
-
max time kernel
8s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
29-11-2022 17:05
General
-
Target
148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1.exe
-
Size
2.0MB
-
MD5
443880cbb37d23e8c3846e0b3c7f7358
-
SHA1
0824425675beced43463ee3943f745f4dd4f9110
-
SHA256
148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
-
SHA512
5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
-
SSDEEP
24576:CNhI4oUnscbH/4IhUaTkO4yMFBSPQh6PTntnjjgRGVDkkahscbqk9zDRXq6LYsU/:MXHw+UBT6Ld/9Ss8DxxL7dEMZ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1.exe"C:\Users\Admin\AppData\Local\Temp\148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 443⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
-
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exe"C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 444⤵
- Program crash
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmpt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\tmp80D.tmp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\tmp80D.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmpt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\tmp80D.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmpt" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmp" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tmp80D.tmpt" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exeFilesize
2.0MB
MD5443880cbb37d23e8c3846e0b3c7f7358
SHA10824425675beced43463ee3943f745f4dd4f9110
SHA256148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
SHA5125ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
-
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exeFilesize
2.0MB
MD5443880cbb37d23e8c3846e0b3c7f7358
SHA10824425675beced43463ee3943f745f4dd4f9110
SHA256148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
SHA5125ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
-
C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57758b23c9176536d09b09a07b44c96af
SHA14127f8cfa233f055fd509039e9c81d07dbcf1777
SHA256ce01d65bda9e4dcd32d4e28e1e66668f9242f02eb3f81cebb5138308fb5a745d
SHA512a012441eca1cff4910b3b28a4f7bd928d36e0e442fef35a7112d4e8bd4a55a1423e210a42c2fa23bf8d9530f9baccb6e30b9c0291752fcd887fd97da763bfc65
-
\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\tmp80D.tmp.exeFilesize
2.0MB
MD5443880cbb37d23e8c3846e0b3c7f7358
SHA10824425675beced43463ee3943f745f4dd4f9110
SHA256148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
SHA5125ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
-
\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
\Users\Admin\AppData\Local\Temp\tmp80D.tmp.exeFilesize
52KB
MD5d8e1495b46cded57eb1423b8bb789834
SHA1db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA5128b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
-
memory/288-79-0x0000000000000000-mapping.dmp
-
memory/624-75-0x0000000000000000-mapping.dmp
-
memory/820-82-0x0000000000000000-mapping.dmp
-
memory/820-130-0x00000000029B4000-0x00000000029B7000-memory.dmpFilesize
12KB
-
memory/1292-55-0x0000000000000000-mapping.dmp
-
memory/1300-140-0x00000000023B4000-0x00000000023B7000-memory.dmpFilesize
12KB
-
memory/1300-162-0x00000000023BB000-0x00000000023DA000-memory.dmpFilesize
124KB
-
memory/1300-80-0x0000000000000000-mapping.dmp
-
memory/1300-150-0x00000000023BB000-0x00000000023DA000-memory.dmpFilesize
124KB
-
memory/1300-144-0x000000001B9B0000-0x000000001BCAF000-memory.dmpFilesize
3.0MB
-
memory/1300-129-0x00000000023B4000-0x00000000023B7000-memory.dmpFilesize
12KB
-
memory/1300-132-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/1300-161-0x00000000023B4000-0x00000000023B7000-memory.dmpFilesize
12KB
-
memory/1300-117-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/1336-58-0x0000000000000000-mapping.dmp
-
memory/1380-76-0x0000000000000000-mapping.dmp
-
memory/1452-78-0x000007FEFC421000-0x000007FEFC423000-memory.dmpFilesize
8KB
-
memory/1452-72-0x0000000000000000-mapping.dmp
-
memory/1452-157-0x00000000029A4000-0x00000000029A7000-memory.dmpFilesize
12KB
-
memory/1452-158-0x00000000029AB000-0x00000000029CA000-memory.dmpFilesize
124KB
-
memory/1452-138-0x00000000029A4000-0x00000000029A7000-memory.dmpFilesize
12KB
-
memory/1452-124-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/1452-142-0x000000001B910000-0x000000001BC0F000-memory.dmpFilesize
3.0MB
-
memory/1452-127-0x00000000029A4000-0x00000000029A7000-memory.dmpFilesize
12KB
-
memory/1452-151-0x00000000029AB000-0x00000000029CA000-memory.dmpFilesize
124KB
-
memory/1452-90-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/1580-152-0x000000000289B000-0x00000000028BA000-memory.dmpFilesize
124KB
-
memory/1580-156-0x000000000289B000-0x00000000028BA000-memory.dmpFilesize
124KB
-
memory/1580-93-0x0000000000000000-mapping.dmp
-
memory/1580-118-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/1580-155-0x0000000002894000-0x0000000002897000-memory.dmpFilesize
12KB
-
memory/1580-143-0x000000001B800000-0x000000001BAFF000-memory.dmpFilesize
3.0MB
-
memory/1580-136-0x0000000002894000-0x0000000002897000-memory.dmpFilesize
12KB
-
memory/1580-122-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/1580-125-0x0000000002894000-0x0000000002897000-memory.dmpFilesize
12KB
-
memory/1672-121-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/1672-126-0x0000000002310000-0x0000000002390000-memory.dmpFilesize
512KB
-
memory/1672-153-0x0000000002310000-0x0000000002390000-memory.dmpFilesize
512KB
-
memory/1672-123-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/1672-145-0x000000001B890000-0x000000001BB8F000-memory.dmpFilesize
3.0MB
-
memory/1672-74-0x0000000000000000-mapping.dmp
-
memory/1672-137-0x0000000002310000-0x0000000002390000-memory.dmpFilesize
512KB
-
memory/1708-81-0x0000000000000000-mapping.dmp
-
memory/1712-149-0x00000000029CB000-0x00000000029EA000-memory.dmpFilesize
124KB
-
memory/1712-135-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/1712-131-0x00000000029C4000-0x00000000029C7000-memory.dmpFilesize
12KB
-
memory/1712-148-0x00000000029C4000-0x00000000029C7000-memory.dmpFilesize
12KB
-
memory/1712-141-0x00000000029C4000-0x00000000029C7000-memory.dmpFilesize
12KB
-
memory/1712-116-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/1712-147-0x00000000029CB000-0x00000000029EA000-memory.dmpFilesize
124KB
-
memory/1712-73-0x0000000000000000-mapping.dmp
-
memory/1764-77-0x0000000000000000-mapping.dmp
-
memory/1908-68-0x000000001A940000-0x000000001A94C000-memory.dmpFilesize
48KB
-
memory/1908-65-0x0000000002030000-0x0000000002046000-memory.dmpFilesize
88KB
-
memory/1908-57-0x000000001B6B0000-0x000000001B7B2000-memory.dmpFilesize
1.0MB
-
memory/1908-64-0x0000000001E80000-0x0000000001E9C000-memory.dmpFilesize
112KB
-
memory/1908-54-0x000000013F120000-0x000000013F324000-memory.dmpFilesize
2.0MB
-
memory/1908-69-0x000000001AE80000-0x000000001AE8E000-memory.dmpFilesize
56KB
-
memory/1908-70-0x000000001AE90000-0x000000001AE9E000-memory.dmpFilesize
56KB
-
memory/1908-71-0x000000001AFA0000-0x000000001AFAC000-memory.dmpFilesize
48KB
-
memory/1908-66-0x000000001A4D0000-0x000000001A4DC000-memory.dmpFilesize
48KB
-
memory/1908-67-0x000000001A560000-0x000000001A570000-memory.dmpFilesize
64KB
-
memory/2132-160-0x000000000288B000-0x00000000028AA000-memory.dmpFilesize
124KB
-
memory/2132-128-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/2132-146-0x000000001B840000-0x000000001BB3F000-memory.dmpFilesize
3.0MB
-
memory/2132-133-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmpFilesize
11.4MB
-
memory/2132-154-0x000000000288B000-0x00000000028AA000-memory.dmpFilesize
124KB
-
memory/2132-139-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/2132-119-0x000007FEEC710000-0x000007FEED133000-memory.dmpFilesize
10.1MB
-
memory/2132-159-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/2132-95-0x0000000000000000-mapping.dmp
-
memory/2240-106-0x000000013FC30000-0x000000013FE34000-memory.dmpFilesize
2.0MB
-
memory/2240-101-0x0000000000000000-mapping.dmp
-
memory/2376-108-0x0000000000000000-mapping.dmp
-
memory/2404-110-0x0000000000000000-mapping.dmp