Analysis

  • max time kernel
    116s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 03:27

General

  • Target

    8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe

  • Size

    1.6MB

  • MD5

    3d1072986b88dc6184e40ba0df6acfc2

  • SHA1

    3dced4443af3c9591c948c827ac5b02bd0d31029

  • SHA256

    8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5

  • SHA512

    6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b

  • SSDEEP

    24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 24 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
    "C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
      "C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2144
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1152
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1224
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1688
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4812
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:896
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3228
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3796
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4220
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:1180
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:4168
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:2772
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:2764
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:2532
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:3472
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:3668
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:4056
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:2192
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:3000
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3852
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4228
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:4624
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:2336
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
          2⤵
          • Modifies data under HKEY_USERS
          PID:464

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

              Filesize

              2.1MB

              MD5

              03a8f0cfe02a049f17da6c8ccb98ffdb

              SHA1

              fd8227f7693c652ec0f0f57f15a5d866f71be4a5

              SHA256

              5e02c4c2c9122b1fb5cfbce66c84f4039283e2079de0c3c743eb85041a9ed134

              SHA512

              8dc2883be9a1324a7baca8072018c55b5c6da0057b22bba83d46e4a4177749bd644a05389f487b9c61cc9f8bdc077826fba756cfee5dbd311a0bbd27b07b227b

            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

              Filesize

              1.4MB

              MD5

              022a4a340b37e4d698093ff8bcc463c1

              SHA1

              360ec5ecf42dbc0ce56cf60451db6ca3b308d471

              SHA256

              14c3db6783cc28e3c582d6aa2e9633ce49ea0ebefe229c68e7d3aac3783c8784

              SHA512

              b57e80c46952fec8f5874c80c36031fbff59c7282286bdde882258bcd9afccf94d350efb74a7424c4cb8f06220629ccd2c4a3ea38abadd17a1f56ef58d647ce3

            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

              Filesize

              1.5MB

              MD5

              6d0840fba8953158d58da9c279331031

              SHA1

              48ca4881a3092e14d270bdb1d7dc70a0377c90e5

              SHA256

              a77df0ebb23bf4f8673eed8d9657dfcc846c70ab1391107edd83b1e04567b460

              SHA512

              54d6a986f8d0e395f34880b2a17ffc62a1eaff0a1e4d92d2e26a357680e00afb57ca42a2ef584ff72a54039a170cdfbd53b30571a5f1feac8c74570488feb507

            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

              Filesize

              2.1MB

              MD5

              03cd76fdd8b0bab7c140a639ca23f7c6

              SHA1

              d823621e00b6981dabc86a9c007dd26c9364d8b8

              SHA256

              5094ca921be6db7ed8835319df3b2f7d0d93acb29bbe577ed18c835590e24d1d

              SHA512

              f247a4f444992bf89e8016472bf4374ed48b1c21bbe26d42f1f0a1a71320c8f5fb82f9e70d9d4eef32e204e40365e1a429aa2398d5d006401def44c0abf72598

            • C:\Windows\SysWOW64\perfhost.exe

              Filesize

              1.2MB

              MD5

              b17b67fce158ebdd8703046a7ef2023c

              SHA1

              29b95f85cb63fa70768212d4b0f5a14b4f8615bd

              SHA256

              6115678f9b214d6a229c377661021b269843a1beab1ff0edc0552f27241861a1

              SHA512

              d4ba917dd06a31a485a7ffc8524e71da023314c40409f610379ee885639f4d290390beccd94a906f094d3a0f3d89af3338470d40b40fe421428490f35ec6f786

            • C:\Windows\System32\AgentService.exe

              Filesize

              1.7MB

              MD5

              0c09a8a1693d630da57f3e5fca5492f3

              SHA1

              ba92cd1225d5e31a0fd3dbc0bcfcd14a633b4123

              SHA256

              d118bbe290fbaf9411492f67903e4008632428944c99fd419d41c12761c6f5b0

              SHA512

              3a7d4f1a3bea2585d846e9b969a196ea2286293249c2aa0e33a9cefb3e3caf4c8af43d6095d29104e5369647cb5a86f1af8cf61e342d79b7e2bad70d71c8dfab

            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

              Filesize

              1.3MB

              MD5

              f4e8496de60124561451c65da56465ec

              SHA1

              76b65bc514d1036ce0f1e68e4a1812d952d598dc

              SHA256

              f6d46845261f576f77d97a0a2b7bfba02acab2a9e196585612bb4ff0f2067a80

              SHA512

              3daba433de89e5cbd559ce4ae787e40afb4bc4f2f39c9e9d76fa91b1969d2989156a36255890c7befedc078853762ed12f0da41706003bd84bccbb5a00f4a664

            • C:\Windows\System32\FXSSVC.exe

              Filesize

              1.2MB

              MD5

              3dc8d509ce25753943c35b9e66b7e705

              SHA1

              cc8f222264280ac83fb83b72c13cf4bd784b9323

              SHA256

              0a7d3eaf8ed1f232f876474bf7ac226662fb621f458c25f867f75422c4cc42c4

              SHA512

              e40f1e4444f203e2ea2ae3cd242839dee4f2d5ef6f0afbdeedb79202d923931c7fe2625344a970777c09487fceabd58e4606313f9c047e3ecc3b7393ef22f97f

            • C:\Windows\System32\Locator.exe

              Filesize

              1.2MB

              MD5

              1d872cfa85d9b310781d7aef3defc692

              SHA1

              10b95bad9d207fc946b3d8c93faed1a00c42d4e8

              SHA256

              094f3ebe06a89fa7f368c1d672fd5ffff0ff21cc707346a37d5d6a9e5a43784d

              SHA512

              84ee2e50cfeb47f432a8f967dfc03957738ca4e48e24f94de57aadc07a3e60c9fca587758aa717807f051287d6182c6c25eb766ed624ffbe7d5d779c66c2110a

            • C:\Windows\System32\OpenSSH\ssh-agent.exe

              Filesize

              1.6MB

              MD5

              e41a1c4693019f7d25f0a583dd657186

              SHA1

              fa0f49c3851072b72ea69d760165f90866579a6d

              SHA256

              745416ad0f30534e987b2379c599669efe422429356841bb45b722eb3fa4f216

              SHA512

              f059d37e22c87daf6c85740d88a3fe09ed9446334e540e59a12c2de39d3f9ac072f5b46597801f1e41dd78d267270c49cef895fdae422532d003c49315252661

            • C:\Windows\System32\OpenSSH\ssh-agent.exe

              Filesize

              1.6MB

              MD5

              e41a1c4693019f7d25f0a583dd657186

              SHA1

              fa0f49c3851072b72ea69d760165f90866579a6d

              SHA256

              745416ad0f30534e987b2379c599669efe422429356841bb45b722eb3fa4f216

              SHA512

              f059d37e22c87daf6c85740d88a3fe09ed9446334e540e59a12c2de39d3f9ac072f5b46597801f1e41dd78d267270c49cef895fdae422532d003c49315252661

            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

              Filesize

              1.3MB

              MD5

              f592c51609f9c17d22fe15777a48026a

              SHA1

              73527c68371ce386c1e5874f89336497b6ee8c83

              SHA256

              11ac76cba58ce10a275350f227d809152b1e1248ad4d3ebfee55e95928bd869b

              SHA512

              ea54ed9a064996046c4a7da3dc94659f343021a80fba498ad5167e0d9d45954106bf500bd4dba722345d028dbd6e3861ac9418967205ffd9e695276e68cae4fc

            • C:\Windows\System32\SearchIndexer.exe

              Filesize

              1.4MB

              MD5

              f1556aeb38a116c7185e941bff864dd6

              SHA1

              5af8d76ca9405fa3d36529ec3a374658b552de2d

              SHA256

              a3bdfed958d2e9d86f07e0d83dab5c0a34ee5f351f58fb578bfd3675709e4f9e

              SHA512

              f8f5c81a5b4e253b7fcaecf21a60370895e4f753de15fce279d41458a457b8ba48c66742e7b89317f9abef81b7c5cb3b787cbaa3ce4c42629654633df3230c4c

            • C:\Windows\System32\SensorDataService.exe

              Filesize

              1.8MB

              MD5

              87861acad17b1c86bb3568a3f8bc124b

              SHA1

              63a3322fb692ebf06c1c117c9afbbede26756c36

              SHA256

              cdf095dc20b100733abff923a05e4c7f3b082d385307074be8f027dc728a82b9

              SHA512

              9605d3e7e854d7ac8ff3ff37f8698f42322d9fdbd8c74176f8e36a051d6afd8baaa2e566a6311b3838c6a82e2527cd708272a9fbbe5a158f5f70a5a22517e1a9

            • C:\Windows\System32\Spectrum.exe

              Filesize

              1.4MB

              MD5

              956dba5e34a76e9b4291760e6914c993

              SHA1

              713fa9397187981e491beaa5c2785f759712b5cb

              SHA256

              1d880564d0f0fd80c8939e372006b5e20772b89d5506314b7c13213e459f7d47

              SHA512

              0b728aad01eb10f88ad9cbb7fad60ef4d1411e1e1791ecc6f9d0cf6318e79ea3b22c308277e34d0ef0e9729b3d801559a9d514c23bb2a22a9c7cd46bed04549c

            • C:\Windows\System32\TieringEngineService.exe

              Filesize

              1.5MB

              MD5

              9fd6651d9ed523d569018b723b0c573b

              SHA1

              e024281b2f8bffe7351780e5de204b0ec9a3e09d

              SHA256

              909bf98e9f9c575297460069d8124f6fb302b5c816f854e1eab5eb4c70bd06bd

              SHA512

              b61ac0ae5512a3a978337ff62e81c004e0f7460dfe2d2ebedc758050b58146363f20589a74813ca32daaf090e1c537db8f04275f3df7469d35d1d98118ea4f8c

            • C:\Windows\System32\VSSVC.exe

              Filesize

              2.0MB

              MD5

              7814433dd12ab5f3ab7bb8ec1be61326

              SHA1

              78d926c058f44aceeffa2141677f782cb1e03114

              SHA256

              99adf1b8c247e568f044797a92f3fba19ce5bad01c2afd819d8026cc9e9eab82

              SHA512

              3741274e1a46980d4075f8e73a7417791af32024110fb828f8be9a6a07027d00e009dcfe11cf6a06c967102ca78f0b7b0379f600082a02b562624ab107ef7161

            • C:\Windows\System32\alg.exe

              Filesize

              1.3MB

              MD5

              2d847bdc04fc179746b66fc84d1a4fef

              SHA1

              5790b4c00f7d2b25943f051568775e59012094e2

              SHA256

              801b47cc4d6ef6f4f027390e3ae76ae3f069ebeb76cc5465d0d09036971918a3

              SHA512

              a6b360d570fe643ffebaccdc0bc0be8c5d4345973b4295254d24cd55758cdce01480af6e8f03fb7715564a665d4fa7fcb9353ce83a9765f1aa2fb3f005cce50a

            • C:\Windows\System32\msdtc.exe

              Filesize

              1.4MB

              MD5

              321d57f9bf6da94523db72e4d4476fea

              SHA1

              e0454fe8fefda0d4a6bb47fa576f95da8aaa2592

              SHA256

              91e513656d75c01e0622140f879061d29812fef210c7a5c854ecb7cb71eaac25

              SHA512

              809d2eee5d88b8ce78c9da0fe27e2c73bd7d7c702f49b59b1f60bbb959fba7e875d77288d35cb88d348408ad045fee6435e6c92af531c8314fd9a3812b84376e

            • C:\Windows\System32\snmptrap.exe

              Filesize

              1.2MB

              MD5

              ddb0ce5eb6f443b823778313eb2245cf

              SHA1

              c81b82b27f7f0b5227ffd7400233d9fe155e724c

              SHA256

              5742904a9289f273aedad1f81611539fe6d71bda96a7a3dab5fced8d16ae4181

              SHA512

              2908399517a1f405720146008dd63e79fe48a625a794597478495ff21ebb8e88e771f57c0d42eb3b7e94bc73fa0ab01adb3759998772165e89b9b75d250b1545

            • C:\Windows\System32\vds.exe

              Filesize

              1.3MB

              MD5

              7a2dde3ae34176751cdf0055eb1dd714

              SHA1

              8bb36c87b186fa5662e563729b6af7f8b1e9a97e

              SHA256

              ec9941ec00fc7e4bf6ffb337eeaba52d67dd1fb75cdc358012176d3683551dfc

              SHA512

              241895bcfa7bc1643922fdd2a4ff93d8cc99179d24bebf216595550b2f47fa2d4953ebe1d58abf97440c57cffa27146f43080a5e4348492a232d1a544b14b5c9

            • C:\Windows\System32\wbem\WmiApSrv.exe

              Filesize

              1.4MB

              MD5

              2c88d75ca7bb891d11e78453c0ba986c

              SHA1

              a928b47d8ddc959206a48d539cb8f587b26b9376

              SHA256

              d5ed6a96fee727a5b6d8df245647b369cbc36244ce980a269a1152e767a68f76

              SHA512

              bcfae411672e2f625678d4e385c6f5eb4da8555bbb6b045f1e6c582b4b44631f37b4b1e7350b0b7f11c686b45012d7277d987a27eef48addf3084a0d714adee6

            • C:\Windows\System32\wbengine.exe

              Filesize

              2.1MB

              MD5

              228eca4e9d15644b847de51270b129c7

              SHA1

              fb6f9e271d1a19085b3ff2cd4c5ee52d710c92cf

              SHA256

              0c68cf2dea81f31ce5c97d1f9ad3e692574527d20f2680f35cad2f31c858cca2

              SHA512

              77d5947dd733061e6071bc4a7808911efa53e7f5ffd2ed04ad1d5aae967123ada282d1abc96616fc88e69c8c0baf00f3d3d466d97358988e9d37f02581339084

            • memory/464-662-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-663-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-647-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-616-0x00000271423F0000-0x00000271423F1000-memory.dmp

              Filesize

              4KB

            • memory/464-645-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-665-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-648-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-661-0x0000027142BD0000-0x0000027142BE0000-memory.dmp

              Filesize

              64KB

            • memory/464-646-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/464-615-0x00000271423E0000-0x00000271423F0000-memory.dmp

              Filesize

              64KB

            • memory/464-664-0x0000027142BD0000-0x0000027142DD0000-memory.dmp

              Filesize

              2.0MB

            • memory/896-215-0x0000000140000000-0x0000000140237000-memory.dmp

              Filesize

              2.2MB

            • memory/896-195-0x0000000000860000-0x00000000008C0000-memory.dmp

              Filesize

              384KB

            • memory/896-497-0x0000000140000000-0x0000000140237000-memory.dmp

              Filesize

              2.2MB

            • memory/896-201-0x0000000000860000-0x00000000008C0000-memory.dmp

              Filesize

              384KB

            • memory/1152-172-0x0000000140000000-0x0000000140201000-memory.dmp

              Filesize

              2.0MB

            • memory/1152-162-0x00000000004A0000-0x0000000000500000-memory.dmp

              Filesize

              384KB

            • memory/1152-156-0x00000000004A0000-0x0000000000500000-memory.dmp

              Filesize

              384KB

            • memory/1180-273-0x0000000140000000-0x0000000140226000-memory.dmp

              Filesize

              2.1MB

            • memory/1224-414-0x0000000140000000-0x0000000140200000-memory.dmp

              Filesize

              2.0MB

            • memory/1224-177-0x0000000000550000-0x00000000005B0000-memory.dmp

              Filesize

              384KB

            • memory/1224-168-0x0000000000550000-0x00000000005B0000-memory.dmp

              Filesize

              384KB

            • memory/1224-175-0x0000000140000000-0x0000000140200000-memory.dmp

              Filesize

              2.0MB

            • memory/1708-346-0x0000000140000000-0x0000000140239000-memory.dmp

              Filesize

              2.2MB

            • memory/2144-169-0x0000000000400000-0x000000000065B000-memory.dmp

              Filesize

              2.4MB

            • memory/2144-144-0x0000000002E60000-0x0000000002EC6000-memory.dmp

              Filesize

              408KB

            • memory/2144-140-0x0000000000400000-0x000000000065B000-memory.dmp

              Filesize

              2.4MB

            • memory/2144-143-0x0000000000400000-0x000000000065B000-memory.dmp

              Filesize

              2.4MB

            • memory/2144-149-0x0000000002E60000-0x0000000002EC6000-memory.dmp

              Filesize

              408KB

            • memory/2144-412-0x0000000000400000-0x000000000065B000-memory.dmp

              Filesize

              2.4MB

            • memory/2284-421-0x0000000140000000-0x0000000140179000-memory.dmp

              Filesize

              1.5MB

            • memory/2284-644-0x0000000140000000-0x0000000140179000-memory.dmp

              Filesize

              1.5MB

            • memory/2532-302-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

            • memory/2532-539-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

            • memory/2764-300-0x0000000140000000-0x00000001401EC000-memory.dmp

              Filesize

              1.9MB

            • memory/2772-276-0x0000000000400000-0x00000000005EE000-memory.dmp

              Filesize

              1.9MB

            • memory/3000-369-0x0000000140000000-0x0000000140147000-memory.dmp

              Filesize

              1.3MB

            • memory/3228-211-0x0000000000190000-0x00000000001F0000-memory.dmp

              Filesize

              384KB

            • memory/3228-205-0x0000000000190000-0x00000000001F0000-memory.dmp

              Filesize

              384KB

            • memory/3228-213-0x0000000140000000-0x000000014022B000-memory.dmp

              Filesize

              2.2MB

            • memory/3228-496-0x0000000140000000-0x000000014022B000-memory.dmp

              Filesize

              2.2MB

            • memory/3472-565-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

            • memory/3472-305-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

            • memory/3668-578-0x0000000140000000-0x0000000140169000-memory.dmp

              Filesize

              1.4MB

            • memory/3668-321-0x0000000140000000-0x0000000140169000-memory.dmp

              Filesize

              1.4MB

            • memory/3796-217-0x0000000001A40000-0x0000000001AA0000-memory.dmp

              Filesize

              384KB

            • memory/3796-223-0x0000000001A40000-0x0000000001AA0000-memory.dmp

              Filesize

              384KB

            • memory/3796-226-0x0000000001A40000-0x0000000001AA0000-memory.dmp

              Filesize

              384KB

            • memory/3796-228-0x0000000140000000-0x0000000140221000-memory.dmp

              Filesize

              2.1MB

            • memory/3852-383-0x0000000140000000-0x00000001401FC000-memory.dmp

              Filesize

              2.0MB

            • memory/3852-611-0x0000000140000000-0x00000001401FC000-memory.dmp

              Filesize

              2.0MB

            • memory/4056-344-0x0000000140000000-0x0000000140259000-memory.dmp

              Filesize

              2.3MB

            • memory/4168-274-0x0000000140000000-0x0000000140202000-memory.dmp

              Filesize

              2.0MB

            • memory/4220-240-0x0000000140000000-0x0000000140210000-memory.dmp

              Filesize

              2.1MB

            • memory/4220-231-0x0000000000720000-0x0000000000780000-memory.dmp

              Filesize

              384KB

            • memory/4228-386-0x0000000140000000-0x0000000140216000-memory.dmp

              Filesize

              2.1MB

            • memory/4228-613-0x0000000140000000-0x0000000140216000-memory.dmp

              Filesize

              2.1MB

            • memory/4280-134-0x0000000005CA0000-0x0000000006244000-memory.dmp

              Filesize

              5.6MB

            • memory/4280-137-0x0000000005A90000-0x0000000005A9A000-memory.dmp

              Filesize

              40KB

            • memory/4280-136-0x00000000055F0000-0x0000000005600000-memory.dmp

              Filesize

              64KB

            • memory/4280-133-0x0000000000AE0000-0x0000000000C7A000-memory.dmp

              Filesize

              1.6MB

            • memory/4280-135-0x0000000005620000-0x00000000056B2000-memory.dmp

              Filesize

              584KB

            • memory/4280-138-0x00000000055F0000-0x0000000005600000-memory.dmp

              Filesize

              64KB

            • memory/4280-139-0x00000000092F0000-0x000000000938C000-memory.dmp

              Filesize

              624KB

            • memory/4624-643-0x0000000140000000-0x000000014021D000-memory.dmp

              Filesize

              2.1MB

            • memory/4624-417-0x0000000140000000-0x000000014021D000-memory.dmp

              Filesize

              2.1MB

            • memory/4680-349-0x0000000140000000-0x00000001401C0000-memory.dmp

              Filesize

              1.8MB

            • memory/4680-358-0x0000000140000000-0x00000001401C0000-memory.dmp

              Filesize

              1.8MB

            • memory/4812-194-0x0000000140000000-0x0000000140135000-memory.dmp

              Filesize

              1.2MB

            • memory/4812-190-0x0000000000500000-0x0000000000560000-memory.dmp

              Filesize

              384KB

            • memory/4812-188-0x0000000000500000-0x0000000000560000-memory.dmp

              Filesize

              384KB

            • memory/4812-184-0x0000000140000000-0x0000000140135000-memory.dmp

              Filesize

              1.2MB

            • memory/4812-181-0x0000000000500000-0x0000000000560000-memory.dmp

              Filesize

              384KB