Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 05:25

General

  • Target

    857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    857ee271fe97719273d3a7df9586c7b0

  • SHA1

    a815a6730abd1044c011e71a142e7d2aa370ba81

  • SHA256

    ba26bbdfefe435d7ccf3bed77eeacdb9078a87468bce53916a05e6ed62091d77

  • SHA512

    1bc69d4932d44fcaff533257d9b0ffca80714ec766bd676052d84a2b0e3ae2d71fbb936420d2a243d288a3ee468e9f41667a192ccd4ebd846e7595dbcfea0186

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 18 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:528
    • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
      "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:784
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba83656-d12f-4f89-916d-15242e1c09fa.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
          C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:436
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8183a161-d181-4e1e-8579-30fcc550ae17.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
              C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2948
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76526ae5-a288-45b6-92bd-ca80efa389f3.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:944
                • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
                  C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1348
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a6b5df9-73d8-42d8-8823-557bb8097d02.vbs"
                    9⤵
                      PID:1676
                      • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
                        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2024
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30081e1a-09b9-43b8-8b67-e4ffcf574cb3.vbs"
                          11⤵
                            PID:1556
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303c278f-9933-4efa-9b7e-a2dd17928cd5.vbs"
                            11⤵
                              PID:2480
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8584f1-d6b6-4443-b82a-a7feafc25815.vbs"
                          9⤵
                            PID:2156
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73543e1e-e29b-4e60-b64e-23182db324ae.vbs"
                        7⤵
                          PID:3008
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dde5a6f7-1060-4b33-8610-a623bd6d932d.vbs"
                      5⤵
                        PID:1960
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d2de0ec-336c-4417-be36-975c01f98375.vbs"
                    3⤵
                      PID:2164
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2416
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2364
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2412
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2912
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2268
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:548
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1380
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1372
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2344
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1348
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2588
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2760
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2756
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2764

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe

                  Filesize

                  3.2MB

                  MD5

                  857ee271fe97719273d3a7df9586c7b0

                  SHA1

                  a815a6730abd1044c011e71a142e7d2aa370ba81

                  SHA256

                  ba26bbdfefe435d7ccf3bed77eeacdb9078a87468bce53916a05e6ed62091d77

                  SHA512

                  1bc69d4932d44fcaff533257d9b0ffca80714ec766bd676052d84a2b0e3ae2d71fbb936420d2a243d288a3ee468e9f41667a192ccd4ebd846e7595dbcfea0186

                • C:\Users\Admin\AppData\Local\Temp\2a6b5df9-73d8-42d8-8823-557bb8097d02.vbs

                  Filesize

                  732B

                  MD5

                  13eb8398ea280a2b6527d03727749577

                  SHA1

                  cae7f040045bc207fcc765563d79f9b849f471f2

                  SHA256

                  684e12a6039fecc7c7843373900aab598eab1472d989a739f2a6af3be11d3347

                  SHA512

                  28fa5faafba064aadf6e1e0c4d5b0c328751fa94c970f6d0eb835bdd4769f432ef6220470dc4f5ad7a09a9f523453e4ae5bddba4e5bbf3fe86c1bae5e837fdae

                • C:\Users\Admin\AppData\Local\Temp\2d2de0ec-336c-4417-be36-975c01f98375.vbs

                  Filesize

                  508B

                  MD5

                  b8a44a700a807942fdd0b7d7007281b3

                  SHA1

                  217d970ece8d9492784e7bff22cff68aef56813a

                  SHA256

                  f40b86e35c085a21bffc410f07907620b64faa904cb70937d51850bfef097921

                  SHA512

                  fcd7f678e058d3ad83472c42b7932166b42c7cd1208475afd80baa391d55e032dfd7be59639d9d54b968d174504c1ad1f95bcb9df71a8c4c640bcb54f0744cf5

                • C:\Users\Admin\AppData\Local\Temp\30081e1a-09b9-43b8-8b67-e4ffcf574cb3.vbs

                  Filesize

                  732B

                  MD5

                  715447dd0bf26df95d96a7b6bd3f7ef4

                  SHA1

                  dc1ac461b8adfbf339be251c16498d09475d7abe

                  SHA256

                  7a1f4bba94e7f98db374a24250cc3a6673fa558b2970fd874f4e1592305c5dda

                  SHA512

                  10a8a368832013a05e24e745ffef7e850156f23e49afda4900101c27ee2ae259925dac65c5d9b2d59a776b11df5cc35d35054d0d1e92919860d935a76cdaed94

                • C:\Users\Admin\AppData\Local\Temp\4ba83656-d12f-4f89-916d-15242e1c09fa.vbs

                  Filesize

                  731B

                  MD5

                  fb2a80e7b7c83d87b3181d9fc5d9c793

                  SHA1

                  50c3271cde25d5faad4422cfb0e9063be8572ede

                  SHA256

                  22a63e097c57ce9b4ac33c120b83615d6b79ef9f9f74328ece04427f1c9f3842

                  SHA512

                  a7b592def6d66fc0668e6e3f1ece73ba4c22d90ae5c9afd0ebd2c86675a35a6d56e280daf3e2dc73f92ab513d6adaa6aca9845486de3473d055da34a48dc4a21

                • C:\Users\Admin\AppData\Local\Temp\76526ae5-a288-45b6-92bd-ca80efa389f3.vbs

                  Filesize

                  732B

                  MD5

                  a4ece57f95de0cac0da5614b08fed98e

                  SHA1

                  6f0129aae9fbbbfaaa81c9e900c4b875339d6781

                  SHA256

                  d80a27e001fcff844e4cefa349b5616588562a6a18ad9933a19992af863c09fd

                  SHA512

                  62539a9a83d2d74a9ff7841896d2e5e86e213db2fe3d991c2d7854603f8a23dfc07755aa90112824105e736654c21c8646d01152b29b12cbad45cdfed298e799

                • C:\Users\Admin\AppData\Local\Temp\8183a161-d181-4e1e-8579-30fcc550ae17.vbs

                  Filesize

                  731B

                  MD5

                  241c8397cc593e71bb6a60c2d902bc2b

                  SHA1

                  e74b5cb96fc6c5ce9eff60ab03f0981d6183991c

                  SHA256

                  152a3dd814220bd88d5ec0f96da8594c2e9159211e7d1a114e687e6bbb56a595

                  SHA512

                  0bda382286d43d44215e0ea0ab5d0891dcb54dc0f9bd482f41faa67d9fa752b947dbdde5d3419df8f4219ffbd335fcbc7d87663dd3b216fb6c75129d01b44e78

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  68358a40558030737fa4da427a622a9b

                  SHA1

                  437dd3419c0857abd7ca35638f56064d4a0f0265

                  SHA256

                  af01e205540fd58b868b502e8abfd9454ebb45e29d6da558711f63651016e416

                  SHA512

                  7bb10fbdcedeb863514feca8c984c808b3d7e4ea1f26c9f435e333500cb0b55a0233a5e2df556b2cc989c01e2102dded765f1735e7941400f7ffe875cbaf3792

                • C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe

                  Filesize

                  3.2MB

                  MD5

                  18e8e8a4bfa52b6c17f325dac752e749

                  SHA1

                  55a46737e5861a159a2b8fe86699301a13bc6fe9

                  SHA256

                  6f88202002f9b3da982358b5a816250c189f6539ee986e8c6dbd1834bcc57b86

                  SHA512

                  4e3b5d4d778e849f0d7488bb8f5e3ee0dcb453bdc02ae80abee58832d5f91570eaedac306d632bb3a5b02817aef10192134fd25f6df8b6013cadb8048bd6fe2e

                • memory/784-143-0x00000000010C0000-0x00000000013FC000-memory.dmp

                  Filesize

                  3.2MB

                • memory/2024-220-0x0000000001130000-0x000000000146C000-memory.dmp

                  Filesize

                  3.2MB

                • memory/2024-221-0x00000000010E0000-0x0000000001136000-memory.dmp

                  Filesize

                  344KB

                • memory/2280-133-0x000000001B250000-0x000000001B532000-memory.dmp

                  Filesize

                  2.9MB

                • memory/2820-132-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-12-0x0000000000660000-0x000000000066A000-memory.dmp

                  Filesize

                  40KB

                • memory/2904-32-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2904-16-0x00000000006A0000-0x00000000006AC000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-17-0x00000000006B0000-0x00000000006B8000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-18-0x0000000000B40000-0x0000000000B52000-memory.dmp

                  Filesize

                  72KB

                • memory/2904-19-0x0000000000B70000-0x0000000000B7C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-20-0x0000000000B80000-0x0000000000B8C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-21-0x0000000000B90000-0x0000000000B9C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-22-0x0000000000C20000-0x0000000000C2C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-23-0x0000000000C30000-0x0000000000C38000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-24-0x0000000000C40000-0x0000000000C4A000-memory.dmp

                  Filesize

                  40KB

                • memory/2904-25-0x0000000000C50000-0x0000000000C5E000-memory.dmp

                  Filesize

                  56KB

                • memory/2904-26-0x0000000000C60000-0x0000000000C68000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-27-0x0000000000C70000-0x0000000000C7E000-memory.dmp

                  Filesize

                  56KB

                • memory/2904-28-0x0000000000C80000-0x0000000000C8C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-29-0x0000000000C90000-0x0000000000C98000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-30-0x0000000000D20000-0x0000000000D2A000-memory.dmp

                  Filesize

                  40KB

                • memory/2904-15-0x0000000000690000-0x0000000000698000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-31-0x0000000000D30000-0x0000000000D3C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-14-0x0000000000670000-0x000000000067C000-memory.dmp

                  Filesize

                  48KB

                • memory/2904-13-0x0000000000AF0000-0x0000000000B46000-memory.dmp

                  Filesize

                  344KB

                • memory/2904-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

                  Filesize

                  4KB

                • memory/2904-11-0x0000000000680000-0x0000000000690000-memory.dmp

                  Filesize

                  64KB

                • memory/2904-9-0x0000000000640000-0x0000000000656000-memory.dmp

                  Filesize

                  88KB

                • memory/2904-10-0x00000000004B0000-0x00000000004B8000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-174-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2904-8-0x0000000000420000-0x0000000000430000-memory.dmp

                  Filesize

                  64KB

                • memory/2904-7-0x0000000000410000-0x0000000000418000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-6-0x00000000003F0000-0x000000000040C000-memory.dmp

                  Filesize

                  112KB

                • memory/2904-1-0x0000000000F60000-0x000000000129C000-memory.dmp

                  Filesize

                  3.2MB

                • memory/2904-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2904-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

                  Filesize

                  32KB

                • memory/2904-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

                  Filesize

                  56KB

                • memory/2904-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

                  Filesize

                  56KB

                • memory/2948-197-0x0000000000650000-0x0000000000662000-memory.dmp

                  Filesize

                  72KB

                • memory/2948-196-0x0000000000CB0000-0x0000000000D06000-memory.dmp

                  Filesize

                  344KB