Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 06:46

General

  • Target

    5D474E6A5232B3D3DD5576111A2B22A1.exe

  • Size

    8.4MB

  • MD5

    5d474e6a5232b3d3dd5576111a2b22a1

  • SHA1

    60923eeaaf6334dde034a338302bcc25a2552618

  • SHA256

    942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc

  • SHA512

    93794f9a4548c55ab64bdf0a72a5aa08271e7ca58793de0c20c34dbff679638c22a6515e8c402ed8cf41c0a8db25f2aea33a2552fb633f43fc1bcfd7d22fdfae

  • SSDEEP

    98304:tVDbpZYm4jCCC08mudOK+rdYsL9mJ+C01l96Y:tVDbpZYxBC0wWrdYB+tl9B

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe
    "C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\surrogatedriverbroker\runtimeDhcpCommon.exe
            "C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wEAw5fePeK.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2496
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2908
                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe
                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2680
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdde1f05-25f0-4f3b-8286-a67ed628be8b.vbs"
                    8⤵
                      PID:1812
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc21b449-0c5d-46d5-b20e-b84948135605.vbs"
                      8⤵
                        PID:2572
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
              3⤵
                PID:2520
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
            1⤵
            • Suspicious use of FindShellTrayWindow
            PID:2668
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1260
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\surrogatedriverbroker\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:376
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2260
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1708
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\system32\wbem\WmiApSrv.exe
            C:\Windows\system32\wbem\WmiApSrv.exe
            1⤵
              PID:540

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\cc21b449-0c5d-46d5-b20e-b84948135605.vbs

              Filesize

              529B

              MD5

              5e7ecb8756527036eadb12a07fe7919c

              SHA1

              38f20ec0ed2cf1816f9009d15e6ac8b2c08f590d

              SHA256

              1f42c9faa1e8296c4d047969e4c3df52fd9e455cac491d484706bd3459bdbe9b

              SHA512

              8d607b858d47ccafb1f2054a8d6603d83b1f24e91e09f66f9039f89f14903cdd45dbdf29ac80403f1d41cbeee1491bf82165bc89e33fd2b22f133f633eaef91b

            • C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico

              Filesize

              264KB

              MD5

              18cc2b457a795b627b37dda9cfd355c5

              SHA1

              5778d3f45a662a681788e16426afdd266707f672

              SHA256

              c94678aff77a06737177b585f5c4139d5c67d41711754f055e9bed480522b7b1

              SHA512

              cd68c7304443aa951898fef5a45da3fb689f7c61bf1c468f2d19a8e929bc1c8b5f0c90caac630457ba27114a131fb80e5dc3ad3e4886fce91ca82a3ffcbfd75d

            • C:\Users\Admin\AppData\Local\Temp\fdde1f05-25f0-4f3b-8286-a67ed628be8b.vbs

              Filesize

              753B

              MD5

              60ee6fdffdfbf1c445f6a990edbd6ac6

              SHA1

              9fc056698afe56ffe76996072d0a47fc90f2b9c4

              SHA256

              561f451479dd8e03813a9c8b3988afa10290b87f14c4e64ebb83c8af83fea29a

              SHA512

              f106a35af15a706412247f6c7ee2c93bcbc50bf8caa942a33dfe06a31e5828d3138034577384aefa4253c35909ecc199424828140522ae0b536995ca53c7ab19

            • C:\Users\Admin\AppData\Local\Temp\wEAw5fePeK.bat

              Filesize

              242B

              MD5

              c917e531752b5b07a1c347de12a08364

              SHA1

              758e058e83718803e55b77ef435483adbbe3ddfd

              SHA256

              58d5500f03873d1903839047ac576934e33a539dadaaeb67e42b9d018ce15ed1

              SHA512

              0d9e661bbdc7b41061cbc7830af192bf2404ae2dc6ec1d340d0033de87ca8cf0e4dbb62ca286b785c12419390d66a858a1e30318d562b945333f3c1ba591f771

            • C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe

              Filesize

              226B

              MD5

              d9095993dc975aad0602ba66b32dad3d

              SHA1

              8c26fd1ad732827301e5af7de044420f0c06fbbe

              SHA256

              3329d6bb2e9c7115fb8ac58881e94796069d0b7874abccc4a0bc7718731de27e

              SHA512

              2c7adbd664c8ee7aa84c12eea0e7685f5e2275c9cd19f9a1dece9f9e3f958f9b05339be799b643fe1a0e20d8fb74ca3df0fcb9903d830137fa774b13281d7d3a

            • C:\surrogatedriverbroker\file.vbs

              Filesize

              34B

              MD5

              677cc4360477c72cb0ce00406a949c61

              SHA1

              b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

              SHA256

              f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

              SHA512

              7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

            • C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat

              Filesize

              48B

              MD5

              85cfb82d14d95349f280e53f0764fbfc

              SHA1

              645a8f36343a8e4b88966ab70a4a24f49b9ca2b9

              SHA256

              3628bedd47e43459572a27570f4cf9c4ef2083703c2fbc32f3f7a67b7a109371

              SHA512

              02cb06aa443a044f0f1a492a2e30e3d9521902a9fefba54a829bffbb37eed07e4e1c9753cd8cca71baa1a1229343ecbd05940389165e35fc71b90f48fc1191e8

            • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe

              Filesize

              3.7MB

              MD5

              d26ea8a9103b82d0e4f80b687f0c1adc

              SHA1

              811bc8c8b6fcca69882e483ed0d59d45e7851f1a

              SHA256

              50548a8353e5f24e36e11a4dfa2beb766b1adc1d358c54202447c8d389212eb5

              SHA512

              68583d1f11ff00baebc5271e852848c7df76ff32df4788f91792d98728cbd69ccd04e4814265ecbb12b79ddd46bad35aafe1192551f526ff616df3e97ea7884e

            • \surrogatedriverbroker\runtimeDhcpCommon.exe

              Filesize

              3.4MB

              MD5

              dc167730759f4877ed79888e1f365249

              SHA1

              5ce03602609fa90f26b3a6774519c006a9c20bf6

              SHA256

              0704d02dd6f8b50b3b60652096539fe51cd5ae2d3b4092763245dfcf8dc68316

              SHA512

              d027f85c981d182b2f4bc359d86e1093c2a2ab72a78dc5d408bbb103c0626e0da3063173710ffbf2c94e2080aefe56154d371f39f09a9e6e1f4a1cd62e20140b
