Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-05-2024 02:33

General

  • Target

    b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe

  • Size

    2.7MB

  • MD5

    9508912e063cac5e940efba1f85ce86f

  • SHA1

    e6d15f29a811c4470f4b7a245207e9f2d1051e62

  • SHA256

    b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf

  • SHA512

    2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27

  • SSDEEP

    49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 28 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
    "C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqRQWcHBD3.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2824
        • C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
          "C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cfb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cfb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\csrss.exe

      Filesize

      2.7MB

      MD5

      b01f37b221c11bf17d0be1bef5b54d33

      SHA1

      dfd6fa201d1a0098dd1e90af5e022c756bbe3ea0

      SHA256

      5a6d8f3511d0c88b5b204f54947bef6d0eec7400736dd44f32721f2cf39ca4a3

      SHA512

      765556be3f0f4244d513ecbc51b0ac0cd5f755d90662892bbe3b847fabe1a637545e58dbc36bafd657996515868fbe368dac58b2ae4e8d7634f60503cd45159b

    • C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe

      Filesize

      2.7MB

      MD5

      1ce38ff49efb4696119cce588b715961

      SHA1

      cd2fca147874920af1843046feace4b6c860402e

      SHA256

      41ab8be52aa3c82d66069e6b15418e7600ee975c755f70a12576def5738899d4

      SHA512

      21ca4dd3ae0e1d2afec92528f670582b5528257b681b514b897db88390c9e86b4012d7c4d6b18287104762a0e3668bb8a02da56e52c263ca6eee84701f351efc

    • C:\Program Files\Microsoft Games\wininit.exe

      Filesize

      2.7MB

      MD5

      9508912e063cac5e940efba1f85ce86f

      SHA1

      e6d15f29a811c4470f4b7a245207e9f2d1051e62

      SHA256

      b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf

      SHA512

      2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27

    • C:\Users\Admin\AppData\Local\Temp\QqRQWcHBD3.bat

      Filesize

      273B

      MD5

      80c8c5b8baa87e463738d4f0a692736c

      SHA1

      064f007b823e12cc6fdbf7fc56bb7f1a513f65e0

      SHA256

      ce21e6134e73f59e94372981aae55e3a2b7cbb7791a1e392d5e38fef612312fb

      SHA512

      38e6d2811ddb1f324c0fad835c5e22d1c1dc84d9ba062497a1f24f61beef0b76c51202114a3ae1c83151cf75c90b0c87182f87f5a8666fd34a2af2e1ac9b7240

    • memory/2180-18-0x00000000023F0000-0x00000000023FC000-memory.dmp

      Filesize

      48KB

    • memory/2180-19-0x0000000002420000-0x0000000002428000-memory.dmp

      Filesize

      32KB

    • memory/2180-6-0x0000000000360000-0x0000000000370000-memory.dmp

      Filesize

      64KB

    • memory/2180-8-0x0000000000B40000-0x0000000000B48000-memory.dmp

      Filesize

      32KB

    • memory/2180-7-0x0000000000580000-0x0000000000596000-memory.dmp

      Filesize

      88KB

    • memory/2180-9-0x0000000000B50000-0x0000000000B58000-memory.dmp

      Filesize

      32KB

    • memory/2180-10-0x0000000000B60000-0x0000000000B70000-memory.dmp

      Filesize

      64KB

    • memory/2180-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

    • memory/2180-12-0x0000000000B80000-0x0000000000BD6000-memory.dmp

      Filesize

      344KB

    • memory/2180-13-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

      Filesize

      32KB

    • memory/2180-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

      Filesize

      32KB

    • memory/2180-15-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

      Filesize

      48KB

    • memory/2180-16-0x0000000000C00000-0x0000000000C08000-memory.dmp

      Filesize

      32KB

    • memory/2180-17-0x00000000023E0000-0x00000000023EC000-memory.dmp

      Filesize

      48KB

    • memory/2180-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

      Filesize

      4KB

    • memory/2180-5-0x0000000000260000-0x0000000000268000-memory.dmp

      Filesize

      32KB

    • memory/2180-21-0x0000000002410000-0x000000000241C000-memory.dmp

      Filesize

      48KB

    • memory/2180-20-0x0000000002400000-0x0000000002408000-memory.dmp

      Filesize

      32KB

    • memory/2180-22-0x0000000002430000-0x000000000243C000-memory.dmp

      Filesize

      48KB

    • memory/2180-23-0x0000000002440000-0x0000000002448000-memory.dmp

      Filesize

      32KB

    • memory/2180-24-0x0000000002450000-0x000000000245A000-memory.dmp

      Filesize

      40KB

    • memory/2180-25-0x0000000002460000-0x000000000246C000-memory.dmp

      Filesize

      48KB

    • memory/2180-28-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2180-31-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2180-4-0x0000000000560000-0x000000000057C000-memory.dmp

      Filesize

      112KB

    • memory/2180-3-0x0000000000250000-0x0000000000258000-memory.dmp

      Filesize

      32KB

    • memory/2180-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2180-1-0x0000000000C10000-0x0000000000ED0000-memory.dmp

      Filesize

      2.8MB

    • memory/2180-164-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2292-168-0x0000000001180000-0x0000000001440000-memory.dmp

      Filesize

      2.8MB

    • memory/2520-163-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

      Filesize

      2.9MB

    • memory/2520-165-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB