Analysis

  • max time kernel
    108s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 00:53

General

  • Target

    a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

  • Size

    3.2MB

  • MD5

    1553f67a0859a3057cde01f77db9dbc0

  • SHA1

    2cfe40d1fea16093e16c96a35f3240b98da9a5e1

  • SHA256

    a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

  • SHA512

    4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
    "C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Program Files\Windows Defender\ja-JP\wininit.exe
      "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2112
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\413a7cb5-67b4-4ea0-9043-e78841d3455f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Program Files\Windows Defender\ja-JP\wininit.exe
          "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2468
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4a79a4-97f5-4228-9d1e-19e4bc5360bc.vbs"
            5⤵
              PID:2616
              • C:\Program Files\Windows Defender\ja-JP\wininit.exe
                "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
                6⤵
                  PID:1972
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944a39d5-f21c-4b7a-bef9-31a0bc9d583a.vbs"
                    7⤵
                      PID:2912
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6e809e3-bf87-42bd-be61-bc83425e4c22.vbs"
                      7⤵
                        PID:2556
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\235315e5-9449-4144-8b12-fcc8ec65657f.vbs"
                    5⤵
                      PID:2936
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328c5629-bcf3-4a59-a127-5cd78f32a355.vbs"
                  3⤵
                    PID:1556
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2632
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2764
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2452
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2524
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2952
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2064
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2720
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2796
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3016
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2268
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2528
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2716
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1324
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2340
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1996
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:616
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1712
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1588
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2704
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2012
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1528
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1440
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1312
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2240
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2832
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2840
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2960

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Windows Defender\csrss.exe

                Filesize

                3.2MB

                MD5

                e5bd2eb74017da8167f8190df2b5e160

                SHA1

                dd2339931cb2532176aa1947c3763677c8e5e0b2

                SHA256

                070bd4093b734e38ee715ade0573757e8933049fd737b5594ff7026c395836a1

                SHA512

                ce530140fd05949a3fd2878494cfc81cbd570952154b913cc8ca1dfa0e715d708ced9fde50dde70b5b8739f94430b7ebcf7c3e06f72e6b18f497d73c0817d437

              • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe

                Filesize

                3.2MB

                MD5

                1553f67a0859a3057cde01f77db9dbc0

                SHA1

                2cfe40d1fea16093e16c96a35f3240b98da9a5e1

                SHA256

                a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

                SHA512

                4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

              • C:\Users\Admin\AppData\Local\Temp\2e4a79a4-97f5-4228-9d1e-19e4bc5360bc.vbs

                Filesize

                727B

                MD5

                e6641cecc7df2e5ae458afda9c4fd78a

                SHA1

                30df669f217fbcd40bfed4f5912524194265327a

                SHA256

                259bf7c565830e2589c8169f5da1913e560df5735937fa9c377f7c175261e68b

                SHA512

                dbbaf6ed2b85f4a3433f69b3dc35049bf4e913365bb68f0b9aa340a3b7d351337fcb9b69d6fa074f5fb83beaafd41317fb500e63b984dfa815052cbbdeb8299b

              • C:\Users\Admin\AppData\Local\Temp\328c5629-bcf3-4a59-a127-5cd78f32a355.vbs

                Filesize

                503B

                MD5

                22c912a581a28f7ebef81ce8f813f61e

                SHA1

                20208a75c7c370bc2a0bf36fa3003eb8ea690aea

                SHA256

                8aa801d4f61c232eeb0b315ef960423059dd6f2276a4e9912313b8ff4399eaa7

                SHA512

                b5dc83f882f662f9469c4be3b39ba6a2d5344f67c85da9952947535dceb8d54e48926ed95b2adddb66de6d49b71b50e34bc161c23ded0cc535ebeff601b2a379

              • C:\Users\Admin\AppData\Local\Temp\413a7cb5-67b4-4ea0-9043-e78841d3455f.vbs

                Filesize

                727B

                MD5

                a9f7f6f135657dd13e62e8d4305683ac

                SHA1

                092bbd9563e5dad679d8098d058eea0431654b25

                SHA256

                c85b7ae082ac0fd2883f890ff3a81d5ce638e78732872264ba61c871653885db

                SHA512

                547222653c37c045af04c1871f5050fbf0b26958ed0aa5a073c6ef2a4224ccd83dbd28d286301cb0de84663d6fa0ec081ee35ed0bf001521a4f50589ca234828

              • C:\Users\Admin\AppData\Local\Temp\944a39d5-f21c-4b7a-bef9-31a0bc9d583a.vbs

                Filesize

                727B

                MD5

                1771326029e08d890f137cb3823b37ae

                SHA1

                2b90a83128fe95d45a535824a7d44fb6a2bba0b3

                SHA256

                0c0980cbf6d04742dc5f59dfbdfd84224bdd81a43843c80c8d049567a272040a

                SHA512

                12c147535ec289002eaa47ecbde4cfbf500b59005e1468dc8d2163d61831caf13811802f37a9e38cac695ef98422ca5210f8e21496263463fa0fa59c958883e5

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                Filesize

                7KB

                MD5

                87879bfc037e4d31bbc4309bec1d430f

                SHA1

                33d379a1946874cf41eb86cd508a6a73ce52c307

                SHA256

                62da0975e1527a9973e1e3504cf89a44cca5b0dc76060a7e9dfe288386afd2ac

                SHA512

                b70378282a1e1146009fd013b50179040f6557baa42365bc4e01dbd46a00e10ae9710d98863c84355bed0ca4419298ef49745b248ea636109afdcaa16301a703

              • memory/1720-11-0x00000000026A0000-0x00000000026B0000-memory.dmp

                Filesize

                64KB

              • memory/1720-27-0x000000001AEB0000-0x000000001AEBE000-memory.dmp

                Filesize

                56KB

              • memory/1720-9-0x0000000000E10000-0x0000000000E26000-memory.dmp

                Filesize

                88KB

              • memory/1720-10-0x0000000000E30000-0x0000000000E38000-memory.dmp

                Filesize

                32KB

              • memory/1720-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

                Filesize

                4KB

              • memory/1720-12-0x0000000002680000-0x000000000268A000-memory.dmp

                Filesize

                40KB

              • memory/1720-13-0x00000000026B0000-0x0000000002706000-memory.dmp

                Filesize

                344KB

              • memory/1720-14-0x0000000002690000-0x000000000269C000-memory.dmp

                Filesize

                48KB

              • memory/1720-15-0x0000000002700000-0x0000000002708000-memory.dmp

                Filesize

                32KB

              • memory/1720-16-0x0000000002710000-0x000000000271C000-memory.dmp

                Filesize

                48KB

              • memory/1720-17-0x0000000002720000-0x0000000002728000-memory.dmp

                Filesize

                32KB

              • memory/1720-18-0x0000000002730000-0x0000000002742000-memory.dmp

                Filesize

                72KB

              • memory/1720-19-0x0000000002740000-0x000000000274C000-memory.dmp

                Filesize

                48KB

              • memory/1720-20-0x000000001AE40000-0x000000001AE4C000-memory.dmp

                Filesize

                48KB

              • memory/1720-21-0x000000001AE50000-0x000000001AE5C000-memory.dmp

                Filesize

                48KB

              • memory/1720-22-0x000000001AE60000-0x000000001AE6C000-memory.dmp

                Filesize

                48KB

              • memory/1720-23-0x000000001AE70000-0x000000001AE78000-memory.dmp

                Filesize

                32KB

              • memory/1720-24-0x000000001AE80000-0x000000001AE8A000-memory.dmp

                Filesize

                40KB

              • memory/1720-25-0x000000001AE90000-0x000000001AE9E000-memory.dmp

                Filesize

                56KB

              • memory/1720-8-0x0000000000E00000-0x0000000000E10000-memory.dmp

                Filesize

                64KB

              • memory/1720-26-0x000000001AEA0000-0x000000001AEA8000-memory.dmp

                Filesize

                32KB

              • memory/1720-28-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

                Filesize

                48KB

              • memory/1720-30-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

                Filesize

                40KB

              • memory/1720-29-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

                Filesize

                32KB

              • memory/1720-31-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

                Filesize

                48KB

              • memory/1720-32-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

                Filesize

                9.9MB

              • memory/1720-7-0x0000000000D90000-0x0000000000D98000-memory.dmp

                Filesize

                32KB

              • memory/1720-6-0x0000000000DE0000-0x0000000000DFC000-memory.dmp

                Filesize

                112KB

              • memory/1720-1-0x0000000000E40000-0x000000000117C000-memory.dmp

                Filesize

                3.2MB

              • memory/1720-5-0x0000000000C00000-0x0000000000C08000-memory.dmp

                Filesize

                32KB

              • memory/1720-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

                Filesize

                9.9MB

              • memory/1720-3-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

                Filesize

                56KB

              • memory/1720-227-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

                Filesize

                9.9MB

              • memory/1720-4-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

                Filesize

                56KB

              • memory/1972-251-0x0000000000150000-0x000000000048C000-memory.dmp

                Filesize

                3.2MB

              • memory/2112-226-0x0000000000BE0000-0x0000000000F1C000-memory.dmp

                Filesize

                3.2MB

              • memory/2468-238-0x0000000000F70000-0x00000000012AC000-memory.dmp

                Filesize

                3.2MB

              • memory/2468-239-0x0000000000B80000-0x0000000000B92000-memory.dmp

                Filesize

                72KB

              • memory/2864-175-0x0000000001F30000-0x0000000001F38000-memory.dmp

                Filesize

                32KB

              • memory/2968-169-0x000000001B770000-0x000000001BA52000-memory.dmp

                Filesize

                2.9MB