Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2024 01:35

General

  • Target

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

  • Size

    4.3MB

  • MD5

    898a94f29edc228ce3bd2054f3d5d6dd

  • SHA1

    f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

  • SHA256

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

  • SHA512

    8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

  • SSDEEP

    49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-

Signatures

  • DcRat 37 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Umbral payload 3 IoCs
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables attemping to enumerate video devices using WMI 3 IoCs
  • Detects executables containing possible sandbox analysis VM names 3 IoCs
  • Detects executables containing possible sandbox analysis VM usernames 3 IoCs
  • Detects executables containing possible sandbox system UUIDs 3 IoCs
  • Detects executables packed with SmartAssembly 3 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
    "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
      "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\MsWinsessiondllNet\driverBrokercommon.exe
            "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2496
            • C:\MsWinsessiondllNet\explorer.exe
              "C:\MsWinsessiondllNet\explorer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2856
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f61fe1-f4ea-4e43-982a-81d8c7d765cf.vbs"
                7⤵
                  PID:656
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83ff8856-3281-4735-8c80-bef461d8bc8e.vbs"
                  7⤵
                    PID:2532
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                5⤵
                • Modifies registry key
                PID:2708
        • C:\Users\Admin\AppData\Local\Temp\Inject.exe
          "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
          2⤵
          • Executes dropped EXE
          PID:2580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "driverBrokercommon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1904

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

        Filesize

        158B

        MD5

        ea70d7b0f1a8a1ff2d246efbdcfe1001

        SHA1

        252e762aee8fcc5761e17bb84aa3af8276852f5c

        SHA256

        1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

        SHA512

        1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

      • C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

        Filesize

        218B

        MD5

        7c9bb5fda146efee5ee4a243d6e404b0

        SHA1

        c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

        SHA256

        1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

        SHA512

        797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

      • C:\Users\Admin\AppData\Local\Temp\83ff8856-3281-4735-8c80-bef461d8bc8e.vbs

        Filesize

        486B

        MD5

        13a60c705384ced3f71c16323fd90022

        SHA1

        ddc013ecdfa068a7a9e9c46747029a1aa9667513

        SHA256

        7823c4cd2031175fa3093a75893d974d10b28b15860273fea53c05963fdaaec7

        SHA512

        da79d498723accfa5e3108ba5e6978b1c5147af42d46bcaa87a7221a82f8d08d1879ee04e68a0bc932578b8367da3744a7c999783e0afa2141500aaad036a340

      • C:\Users\Admin\AppData\Local\Temp\f9f61fe1-f4ea-4e43-982a-81d8c7d765cf.vbs

        Filesize

        710B

        MD5

        d3d0f39989e83f2a886def2bdd397268

        SHA1

        6e4cc004e2574625ce68dee4e0963c2fd7c19083

        SHA256

        c9aa5f2c32c9bd4893e16d813f1537a18003ff888e9e9696e63c01ff7cb90f26

        SHA512

        8496a2f2384cf04a79c9d6d0e89ba234d8a50f5dbffc8b64fec15dea10b458d52e696cbc2a8c6833db66f99997d3a28afbc3836728707f3135ffb8435e77ac18

      • C:\Users\Admin\AppData\Local\Temp\stealer.exe

        Filesize

        229KB

        MD5

        8cc1e7cf94fec9bc505ce7411aa28861

        SHA1

        08703de84f3db427c368f16c873664d78bd83264

        SHA256

        cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

        SHA512

        fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

      • \MsWinsessiondllNet\driverBrokercommon.exe

        Filesize

        2.3MB

        MD5

        d84e590c3715c79dc5b92c435957d162

        SHA1

        2901580903e4b356448d9fe7bea510261e655363

        SHA256

        d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

        SHA512

        b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

      • \Users\Admin\AppData\Local\Temp\Inject.exe

        Filesize

        75KB

        MD5

        d428ddd1b0ce85a6c96765aeaf246320

        SHA1

        d100efdaab5b2ad851fe75a28d0aa95deb920926

        SHA256

        453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

        SHA512

        3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

      • \Users\Admin\AppData\Local\Temp\чекер dc.exe

        Filesize

        2.6MB

        MD5

        6216b6bef94c09a40bfa263809b1ae56

        SHA1

        a928120e65199c6aaae6c991aa0466f3f8b06020

        SHA256

        eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

        SHA512

        0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

      • memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp

        Filesize

        4.3MB

      • memory/1196-16-0x0000000003160000-0x000000000318A000-memory.dmp

        Filesize

        168KB

      • memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp

        Filesize

        256KB

      • memory/2496-39-0x00000000003E0000-0x00000000003E8000-memory.dmp

        Filesize

        32KB

      • memory/2496-45-0x0000000000B20000-0x0000000000B28000-memory.dmp

        Filesize

        32KB

      • memory/2496-40-0x00000000003F0000-0x0000000000400000-memory.dmp

        Filesize

        64KB

      • memory/2496-41-0x0000000000AC0000-0x0000000000B16000-memory.dmp

        Filesize

        344KB

      • memory/2496-42-0x00000000005F0000-0x00000000005FC000-memory.dmp

        Filesize

        48KB

      • memory/2496-43-0x0000000000610000-0x000000000061C000-memory.dmp

        Filesize

        48KB

      • memory/2496-44-0x0000000000B10000-0x0000000000B1C000-memory.dmp

        Filesize

        48KB

      • memory/2496-38-0x0000000000350000-0x0000000000358000-memory.dmp

        Filesize

        32KB

      • memory/2496-47-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

        Filesize

        56KB

      • memory/2496-46-0x0000000000B30000-0x0000000000B3A000-memory.dmp

        Filesize

        40KB

      • memory/2496-48-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

        Filesize

        32KB

      • memory/2496-49-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

        Filesize

        40KB

      • memory/2496-50-0x0000000000D00000-0x0000000000D0C000-memory.dmp

        Filesize

        48KB

      • memory/2496-37-0x0000000000FA0000-0x00000000011EA000-memory.dmp

        Filesize

        2.3MB

      • memory/2580-19-0x000000013F120000-0x000000013F14A000-memory.dmp

        Filesize

        168KB

      • memory/2856-81-0x0000000000110000-0x000000000035A000-memory.dmp

        Filesize

        2.3MB