Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 00:17

General

  • Target

    8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe

  • Size

    2.7MB

  • MD5

    332af220a6f8c875312ab0d215ec5ace

  • SHA1

    bccc9805ba77ad03e7bfa6da8166c3feac4839e7

  • SHA256

    8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928

  • SHA512

    964a09ff2bebb8e638d7b66f23cb2f62d833e2d097bf459fc22351bbcb25ecc138411cca552df616f93893f4c396ae918124c993bfe78041256e0476bea133e0

  • SSDEEP

    49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 38 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 16 IoCs
  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
    "C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cXKRfm9BNs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2692
        • C:\Program Files (x86)\Reference Assemblies\lsm.exe
          "C:\Program Files (x86)\Reference Assemblies\lsm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:3000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\system\wininit.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\Idle.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:3004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\services.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\audiodg.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Reference Assemblies\lsm.exe

      Filesize

      2.7MB

      MD5

      3631f5923b36d1279537333d56ace65e

      SHA1

      b7bef14fb5c64f0c2d3b992a4900916588a324dd

      SHA256

      0740d1e7f41e057c722ea0a2878002e949887880c2d6b1715a881bb2d3e61a78

      SHA512

      e00de8791e119c1ff931b588ee079ddac242ff19348eaa61882249349166623a5a2a26dbb4389395aadc580600ce46b329f0576e9428be08a94f21d649e2566a

    • C:\ProgramData\Microsoft\Windows\Templates\Idle.exe

      Filesize

      2.7MB

      MD5

      0ba383def419fa16fc83c6c0373c50fb

      SHA1

      f28fa07789e10b4575b92685387a34e252d8ee9e

      SHA256

      5fb48c56a761b867ce43fddbf13311ff0358450a859e066f674be158769ff47d

      SHA512

      268a60744f01d8ec37a0365a523d84d6b7700d78996509bb54e2548821d7eca5ded08fe7dc86146d2cc2f1060026717c2af5434b14fed0cbb4013ecda9aa04e0

    • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe

      Filesize

      2.7MB

      MD5

      332af220a6f8c875312ab0d215ec5ace

      SHA1

      bccc9805ba77ad03e7bfa6da8166c3feac4839e7

      SHA256

      8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928

      SHA512

      964a09ff2bebb8e638d7b66f23cb2f62d833e2d097bf459fc22351bbcb25ecc138411cca552df616f93893f4c396ae918124c993bfe78041256e0476bea133e0

    • C:\Users\Admin\AppData\Local\Temp\cXKRfm9BNs.bat

      Filesize

      216B

      MD5

      a5972b14b670381b4e01ebd431dc3dae

      SHA1

      273c88e59fba6dbc62dbdd231bac68dabe7e8673

      SHA256

      2c40e2e377beef094d822fec2c711e2fd3bdec4f4cd1be69688bb813a08e2f4f

      SHA512

      980480c8a713679fd5b8f7738b7b335b4c591393e7841f4e18c0fb7b1142c696b9d05aeffe7a8b7436dded43fcf607560f8196bc96d11ff0f0708b70349d499f

    • memory/2420-11-0x0000000000C70000-0x0000000000C7A000-memory.dmp

      Filesize

      40KB

    • memory/2420-8-0x00000000006F0000-0x00000000006F8000-memory.dmp

      Filesize

      32KB

    • memory/2420-21-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

      Filesize

      48KB

    • memory/2420-20-0x0000000000F90000-0x0000000000F98000-memory.dmp

      Filesize

      32KB

    • memory/2420-19-0x0000000000F80000-0x0000000000F88000-memory.dmp

      Filesize

      32KB

    • memory/2420-18-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

      Filesize

      48KB

    • memory/2420-17-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

      Filesize

      48KB

    • memory/2420-16-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

      Filesize

      32KB

    • memory/2420-15-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

      Filesize

      48KB

    • memory/2420-14-0x0000000000D80000-0x0000000000D88000-memory.dmp

      Filesize

      32KB

    • memory/2420-13-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

      Filesize

      32KB

    • memory/2420-12-0x0000000000C90000-0x0000000000CE6000-memory.dmp

      Filesize

      344KB

    • memory/2420-23-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

      Filesize

      32KB

    • memory/2420-10-0x0000000000C80000-0x0000000000C90000-memory.dmp

      Filesize

      64KB

    • memory/2420-9-0x0000000000C60000-0x0000000000C68000-memory.dmp

      Filesize

      32KB

    • memory/2420-22-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

      Filesize

      48KB

    • memory/2420-7-0x0000000000C40000-0x0000000000C56000-memory.dmp

      Filesize

      88KB

    • memory/2420-6-0x0000000000560000-0x0000000000570000-memory.dmp

      Filesize

      64KB

    • memory/2420-5-0x0000000000360000-0x0000000000368000-memory.dmp

      Filesize

      32KB

    • memory/2420-4-0x0000000000340000-0x000000000035C000-memory.dmp

      Filesize

      112KB

    • memory/2420-3-0x0000000000330000-0x0000000000338000-memory.dmp

      Filesize

      32KB

    • memory/2420-2-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

      Filesize

      9.9MB

    • memory/2420-1-0x0000000001120000-0x00000000013E0000-memory.dmp

      Filesize

      2.8MB

    • memory/2420-0-0x000007FEF5323000-0x000007FEF5324000-memory.dmp

      Filesize

      4KB

    • memory/2420-24-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

      Filesize

      40KB

    • memory/2420-25-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

      Filesize

      48KB

    • memory/2420-206-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

      Filesize

      9.9MB

    • memory/2420-28-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

      Filesize

      9.9MB

    • memory/2816-208-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

    • memory/2816-209-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

      Filesize

      32KB

    • memory/3040-212-0x00000000009E0000-0x0000000000CA0000-memory.dmp

      Filesize

      2.8MB