Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 06:46

General

  • Target

    5D474E6A5232B3D3DD5576111A2B22A1.exe

  • Size

    8.4MB

  • MD5

    5d474e6a5232b3d3dd5576111a2b22a1

  • SHA1

    60923eeaaf6334dde034a338302bcc25a2552618

  • SHA256

    942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc

  • SHA512

    93794f9a4548c55ab64bdf0a72a5aa08271e7ca58793de0c20c34dbff679638c22a6515e8c402ed8cf41c0a8db25f2aea33a2552fb633f43fc1bcfd7d22fdfae

  • SSDEEP

    98304:tVDbpZYm4jCCC08mudOK+rdYsL9mJ+C01l96Y:tVDbpZYxBC0wWrdYB+tl9B

Malware Config

Signatures

  • DcRat 35 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe
    "C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\surrogatedriverbroker\runtimeDhcpCommon.exe
            "C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
            5⤵
            • DcRat
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1884
            • C:\Recovery\WindowsRE\RuntimeBroker.exe
              "C:\Recovery\WindowsRE\RuntimeBroker.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:116
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5818b527-3acb-4b64-87cd-c66639d6b2bc.vbs"
                7⤵
                  PID:2168
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2055f3-e164-4113-b290-2f1dbd3e7d8f.vbs"
                  7⤵
                    PID:3884
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
            3⤵
              PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3804
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3612
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4072
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3720
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3556
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4384
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:2600
          • C:\Windows\system32\wbem\WmiApSrv.exe
            C:\Windows\system32\wbem\WmiApSrv.exe
            1⤵
              PID:2484

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\5818b527-3acb-4b64-87cd-c66639d6b2bc.vbs

              Filesize

              714B

              MD5

              4e15524f8b033743777c8e4ad4dc52d2

              SHA1

              0a68acee4cb664c216d29ab53608a5ade93d1c2d

              SHA256

              cfadfce390c151520a2169937ad25950549a673c50f56fb7aedd04c495d5cd9c

              SHA512

              82a4f47dd0acb933fc90be1ddbc740bbc74fcaada74fca0a49730a2f6ffb913447ca881d281a433422103db50644280e87ec88d4904cdfeb69031cd603fdd2b7

            • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

              Filesize

              3.7MB

              MD5

              d26ea8a9103b82d0e4f80b687f0c1adc

              SHA1

              811bc8c8b6fcca69882e483ed0d59d45e7851f1a

              SHA256

              50548a8353e5f24e36e11a4dfa2beb766b1adc1d358c54202447c8d389212eb5

              SHA512

              68583d1f11ff00baebc5271e852848c7df76ff32df4788f91792d98728cbd69ccd04e4814265ecbb12b79ddd46bad35aafe1192551f526ff616df3e97ea7884e

            • C:\Users\Admin\AppData\Local\Temp\New Project 1.exe

              Filesize

              1KB

              MD5

              bba499baa7c430d4f0bac0b231e75b82

              SHA1

              743a8a70bae9478061103d668b0d000371fd1840

              SHA256

              418b1fb225defe29d9605e560757d93048210818c49dce49f62a1f7f5e02f2fc

              SHA512

              17c745b9919405a6243564b7f44c7b9e3ae586dec6a2947572072b2c45a65e020cbcaf54f0761393cf088f7f4006492cda22ae3e9d19d416fd35a66f49e6cdeb

            • C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico

              Filesize

              264KB

              MD5

              18cc2b457a795b627b37dda9cfd355c5

              SHA1

              5778d3f45a662a681788e16426afdd266707f672

              SHA256

              c94678aff77a06737177b585f5c4139d5c67d41711754f055e9bed480522b7b1

              SHA512

              cd68c7304443aa951898fef5a45da3fb689f7c61bf1c468f2d19a8e929bc1c8b5f0c90caac630457ba27114a131fb80e5dc3ad3e4886fce91ca82a3ffcbfd75d

            • C:\Users\Admin\AppData\Local\Temp\de2055f3-e164-4113-b290-2f1dbd3e7d8f.vbs

              Filesize

              491B

              MD5

              3140200c003251e08c20020e1a2c02f1

              SHA1

              aff58ce17aceb2d23942b4e10bc57213a2bc78b4

              SHA256

              2e2f7e09d19bc15153ede1505b4f66f62cf620534112ebea6ea065745b60db89

              SHA512

              e66a19cb49a1f7f4841a90a2dfde172a0c0c00d559b3c007b69d30cd09861185c0bff45a1182d1b8cb873f8d1ebebe2c5fa01b5884d34a416c9b64d3f74a6a47

            • C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe

              Filesize

              226B

              MD5

              d9095993dc975aad0602ba66b32dad3d

              SHA1

              8c26fd1ad732827301e5af7de044420f0c06fbbe

              SHA256

              3329d6bb2e9c7115fb8ac58881e94796069d0b7874abccc4a0bc7718731de27e

              SHA512

              2c7adbd664c8ee7aa84c12eea0e7685f5e2275c9cd19f9a1dece9f9e3f958f9b05339be799b643fe1a0e20d8fb74ca3df0fcb9903d830137fa774b13281d7d3a

            • C:\surrogatedriverbroker\file.vbs

              Filesize

              34B

              MD5

              677cc4360477c72cb0ce00406a949c61

              SHA1

              b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

              SHA256

              f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

              SHA512

              7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

            • C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat

              Filesize

              48B

              MD5

              85cfb82d14d95349f280e53f0764fbfc

              SHA1

              645a8f36343a8e4b88966ab70a4a24f49b9ca2b9

              SHA256

              3628bedd47e43459572a27570f4cf9c4ef2083703c2fbc32f3f7a67b7a109371

              SHA512

              02cb06aa443a044f0f1a492a2e30e3d9521902a9fefba54a829bffbb37eed07e4e1c9753cd8cca71baa1a1229343ecbd05940389165e35fc71b90f48fc1191e8

            • C:\surrogatedriverbroker\runtimeDhcpCommon.exe

              Filesize

              3.4MB

              MD5

              dc167730759f4877ed79888e1f365249

              SHA1

              5ce03602609fa90f26b3a6774519c006a9c20bf6

              SHA256

              0704d02dd6f8b50b3b60652096539fe51cd5ae2d3b4092763245dfcf8dc68316

              SHA512

              d027f85c981d182b2f4bc359d86e1093c2a2ab72a78dc5d408bbb103c0626e0da3063173710ffbf2c94e2080aefe56154d371f39f09a9e6e1f4a1cd62e20140b

            • memory/116-194-0x000000001F160000-0x000000001F322000-memory.dmp

              Filesize

              1.8MB

            • memory/1884-130-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

              Filesize

              48KB

            • memory/1884-135-0x000000001C530000-0x000000001CA58000-memory.dmp

              Filesize

              5.2MB

            • memory/1884-118-0x0000000002E20000-0x0000000002E3C000-memory.dmp

              Filesize

              112KB

            • memory/1884-119-0x000000001BE30000-0x000000001BE80000-memory.dmp

              Filesize

              320KB

            • memory/1884-121-0x0000000002E70000-0x0000000002E80000-memory.dmp

              Filesize

              64KB

            • memory/1884-120-0x0000000002E60000-0x0000000002E68000-memory.dmp

              Filesize

              32KB

            • memory/1884-123-0x000000001B770000-0x000000001B778000-memory.dmp

              Filesize

              32KB

            • memory/1884-124-0x000000001B780000-0x000000001B792000-memory.dmp

              Filesize

              72KB

            • memory/1884-122-0x000000001B750000-0x000000001B766000-memory.dmp

              Filesize

              88KB

            • memory/1884-125-0x000000001B790000-0x000000001B79C000-memory.dmp

              Filesize

              48KB

            • memory/1884-126-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

              Filesize

              32KB

            • memory/1884-127-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

              Filesize

              64KB

            • memory/1884-128-0x000000001B7C0000-0x000000001B7CA000-memory.dmp

              Filesize

              40KB

            • memory/1884-129-0x000000001BF80000-0x000000001BFD6000-memory.dmp

              Filesize

              344KB

            • memory/1884-114-0x00000000007C0000-0x0000000000B2A000-memory.dmp

              Filesize

              3.4MB

            • memory/1884-131-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

              Filesize

              32KB

            • memory/1884-132-0x000000001B800000-0x000000001B80C000-memory.dmp

              Filesize

              48KB

            • memory/1884-133-0x000000001B810000-0x000000001B818000-memory.dmp

              Filesize

              32KB

            • memory/1884-134-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

              Filesize

              72KB

            • memory/1884-117-0x0000000002E10000-0x0000000002E18000-memory.dmp

              Filesize

              32KB

            • memory/1884-136-0x000000001C000000-0x000000001C00C000-memory.dmp

              Filesize

              48KB

            • memory/1884-137-0x000000001C010000-0x000000001C01C000-memory.dmp

              Filesize

              48KB

            • memory/1884-138-0x000000001C020000-0x000000001C028000-memory.dmp

              Filesize

              32KB

            • memory/1884-139-0x000000001C030000-0x000000001C03C000-memory.dmp

              Filesize

              48KB

            • memory/1884-140-0x000000001C040000-0x000000001C04C000-memory.dmp

              Filesize

              48KB

            • memory/1884-142-0x000000001C260000-0x000000001C26C000-memory.dmp

              Filesize

              48KB

            • memory/1884-141-0x000000001C250000-0x000000001C258000-memory.dmp

              Filesize

              32KB

            • memory/1884-143-0x000000001C270000-0x000000001C27A000-memory.dmp

              Filesize

              40KB

            • memory/1884-146-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

              Filesize

              56KB

            • memory/1884-145-0x000000001C290000-0x000000001C298000-memory.dmp

              Filesize

              32KB

            • memory/1884-148-0x000000001C2C0000-0x000000001C2CC000-memory.dmp

              Filesize

              48KB

            • memory/1884-147-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

              Filesize

              32KB

            • memory/1884-149-0x000000001C2D0000-0x000000001C2D8000-memory.dmp

              Filesize

              32KB

            • memory/1884-144-0x000000001C280000-0x000000001C28E000-memory.dmp

              Filesize

              56KB

            • memory/1884-151-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

              Filesize

              48KB

            • memory/1884-150-0x000000001C2E0000-0x000000001C2EA000-memory.dmp

              Filesize

              40KB

            • memory/1884-116-0x0000000002E00000-0x0000000002E0E000-memory.dmp

              Filesize

              56KB

            • memory/1884-115-0x0000000002E50000-0x0000000002E5E000-memory.dmp

              Filesize

              56KB

            • memory/2236-0-0x0000000000400000-0x0000000000C6C000-memory.dmp

              Filesize

              8.4MB