Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2024 08:51

General

  • Target

    56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe

  • Size

    6.5MB

  • MD5

    56a5b0a28bb4b14956977dfe6def40a9

  • SHA1

    59095e7afd64c91cc8f6d8a9eed3230d960f361e

  • SHA256

    24c7ce219369223dada0233930938d06b805f45b7062fdcbc1bcef643a337b8d

  • SHA512

    dd7803df4fd0b874b7239b28ff789b1e61fe3c62aab82a8c86489c4db3982bfebc371a5519412551a70996bffbd8e9d75ffcde0522229854e7431a21ea9a4d05

  • SSDEEP

    196608:+ohfVGzTVG5ymVr66MJblv/FkYiJqr5UH:Nf+TVG5xrVMJhv/bxu

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 25 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart3.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Temp\sonspam3.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam3.bat" any_word
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Temp\Sonar Solution bps.exe
            "Sonar Solution bps.exe" -p123908VDS -dC:\Temp
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Temp\Sonar Solution.exe
              "C:\Temp\Sonar Solution.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2880
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1136
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Temp\sonspam.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
                    9⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1952
                    • C:\Temp\installer.sfx.exe
                      "installer.sfx.exe" -p123908VDS -dC:\Temp
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1928
                      • C:\Temp\installer.exe
                        "C:\Temp\installer.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2408
                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
                          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
                          12⤵
                          • Executes dropped EXE
                          PID:2776
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
                            13⤵
                              PID:2216
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
                                14⤵
                                • Loads dropped DLL
                                PID:1688
                                • C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
                                  wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
                                  15⤵
                                  • Executes dropped EXE
                                  PID:1620
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
                                    16⤵
                                      PID:1540
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
                                        17⤵
                                        • Loads dropped DLL
                                        PID:880
                                        • C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
                                          "C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
                                          18⤵
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2992
                                          • C:\Windows\system32\schtasks.exe
                                            "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
                                            19⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:708
                                          • C:\Windows\system32\schtasks.exe
                                            "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
                                            19⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2680
                                          • C:\Windows\system32\schtasks.exe
                                            "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
                                            19⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2884
                                          • C:\Windows\system32\schtasks.exe
                                            "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Temp\audiodg.exe'" /rl HIGHEST /f
                                            19⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2492
                                          • C:\Temp\audiodg.exe
                                            "C:\Temp\audiodg.exe"
                                            19⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2868
                        • C:\Windows\SysWOW64\attrib.exe
                          ATTRIB +S +H -R C:\Temp
                          10⤵
                          • Sets file to hidden
                          • Views/modifies file attributes
                          PID:2236
                • C:\Temp\Sonar Build.exe
                  "C:\Temp\Sonar Build.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2600
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:840
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Temp\sonspam2.bat" "
                      8⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1980
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word
                        9⤵
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1692
                        • C:\Temp\SonarSolutionsBuild.sfx.exe
                          "SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp
                          10⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:2516
                          • C:\Temp\SonarSolutionsBuild.exe
                            "C:\Temp\SonarSolutionsBuild.exe"
                            11⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:2804
                            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
                              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe"
                              12⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:2108
                        • C:\Windows\SysWOW64\attrib.exe
                          ATTRIB +S +H -R C:\Temp
                          10⤵
                          • Sets file to hidden
                          • Views/modifies file attributes
                          PID:2672
              • C:\Windows\SysWOW64\attrib.exe
                ATTRIB +S +H -R C:\Temp
                5⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2844

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Temp\Sonar Solution bps.exe

        Filesize

        6.3MB

        MD5

        042e5cb5d7b65e74dccd2e353058bb4f

        SHA1

        e91f4bfd50dbf648a6c90799615d177fa4bdc9a9

        SHA256

        e36d1de190713bf60677894938ec31b1115f106cb3155eea129bab9f7ab15674

        SHA512

        36d39fe0287a43377ac479049e9e91d5cc2d78fcd620e1b95c26440b62ff70abfe9fc8180bfd0e630d53472d22a75888063cb67228680554ffe246232335f247

      • C:\Temp\SonarSolutionsBuild.sfx.exe

        Filesize

        4.6MB

        MD5

        3174874c54ba496c13faeaf3c9a89e57

        SHA1

        2b871e0e3540eb0ecfe2288777b9e7dc76c3cce7

        SHA256

        3810a8fdb92b8a253d858772c0d34796b9b326a01820d1ca6afb2dfe777d2541

        SHA512

        52f9df197394057a5fb495ac662c942b6177462f8ae952fedc507ab60e8ff5828fb4a439f2cb20e22dfdfd336e7290337f043da3e93be7d1a06a3dfcc80caf36

      • C:\Temp\installer.exe

        Filesize

        1.2MB

        MD5

        849eb64e16678f93dab5d31e6f62eb95

        SHA1

        ee92d61555b766921daa006a56c62d2e43e01fb5

        SHA256

        3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058

        SHA512

        d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a

      • C:\Temp\installer.sfx.exe

        Filesize

        1.4MB

        MD5

        eb3b0596ae7cb54396a1815beaede97f

        SHA1

        f5116c7e301dd50b0c2eeb3c4459ed75321a603e

        SHA256

        c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10

        SHA512

        ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231

      • C:\Temp\sonspam.bat

        Filesize

        167B

        MD5

        b85cf59bcba86d882ff114d44ce2789d

        SHA1

        efdd4b718ed0d0f8af4caabad936afb03a5447df

        SHA256

        e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597

        SHA512

        e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef

      • C:\Temp\sonspam2.bat

        Filesize

        178B

        MD5

        397b15d0dc10df35388eeaabf030bff1

        SHA1

        6d4c5835723063203fe43bd5cd5872acf5b84e47

        SHA256

        7cfb2f6ab63ab48188df3066b3a537273b77271dbfd5f22480f2f503e338adb9

        SHA512

        2147a3a9248873e87dd97555b33672f33d36c661460ebda1bfbd08cbd6066274f03b7969323ce94c205f557bdbe7a743bb938e95eedd484069dfb7c6df757e97

      • C:\Temp\sonspam3.bat

        Filesize

        173B

        MD5

        d03ef1a5b47192022b84cf3cbe846746

        SHA1

        69fe029ecc4b2b54668cac671327f47898a16098

        SHA256

        01fb9348f5ac22ba4c66238383e0f3282afb73426e58a008d982c796115ca43f

        SHA512

        b8cb805dffc485f0b83f18d801454f7e1b5bf04266d3685a0da5c0ad3d22cc3e81329a5e03b2f3b1c125220b5653418112b7239138eb3e6b423517b7cf29711a

      • C:\Temp\sonspamstart.vbs

        Filesize

        98B

        MD5

        68f47f42c9c8df4f547695c0060f7663

        SHA1

        01e85ff16492d39879958fa9471a9fd0e0013206

        SHA256

        cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e

        SHA512

        7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d

      • C:\Temp\sonspamstart2.vbs

        Filesize

        99B

        MD5

        1f44ba5ac2e01f3db75315c14585b636

        SHA1

        3ae7ef5ec39345c7d25fbbe5e225f8fbdc4b019d

        SHA256

        16d9996f0ee8e527a6bc5304581d8a4761b1e93edc7f8fb52074219c00c6a1f2

        SHA512

        4fa90f5e97ad9e31c34229bc03b21ccc7a0a203246d2c7c7690b110ee2b8cf89c5d484f01150a43998481f2ad4879f3e83fbf5a06fe3b298f52a7e14a718aabd

      • C:\Temp\sonspamstart3.vbs

        Filesize

        99B

        MD5

        2bbf5501471e1aac194788329d51c1f6

        SHA1

        d6567dac174a790c4c9c0260ebc26f1e907e11c6

        SHA256

        b30b02a7f47e28833f61fae076a6f5d4f65ad8be8a2f7e149823f16865f24c84

        SHA512

        2ef72434ac17b1b5f9cd6acb75bba79694b8b07707a4f8627f32b490e0c28c85a4aecc96af0888e0e3783478d91d5de96ae6d08a380a26b5b5bc36e70f7ce2c5

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe

        Filesize

        1.8MB

        MD5

        0bb0a48942451a8258bc7087fd24a2a7

        SHA1

        b69aa2a06e26754ea43a4763dd300b358331e29c

        SHA256

        dedeee5bb27b2884138832f38f2e93298224cca0ed6fae80b4b08de9c24c2cd7

        SHA512

        b41318045fddc4c113a1ff30021a2f1ea442f72ed1eac8946d5b5e598b94b31ffb18e32fcfcf4fe3c097a5258c4bf72a5abf2048b83fbc2b54151d7e3b4fd585

      • C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe

        Filesize

        153B

        MD5

        1b9c939adc33ae74ac644998287149cc

        SHA1

        633bd684184d9e12d13aa6c3267d80bd5d87393c

        SHA256

        5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb

        SHA512

        142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae

      • C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat

        Filesize

        484B

        MD5

        68dc7eb71a7f95c046a63052c8331e92

        SHA1

        77224c83ad1398efab03ccfca520a83460e16d03

        SHA256

        1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7

        SHA512

        9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128

      • C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat

        Filesize

        34B

        MD5

        8c56e629a1aec270a35c4e9958b43bfb

        SHA1

        aa0b74c4d84fecdc34556bd4c7713bb618a5ba92

        SHA256

        ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc

        SHA512

        a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a

      • C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe

        Filesize

        229B

        MD5

        3d85f3996a95493013590846632e86f6

        SHA1

        9b9e935e3ae296a16d0fb08b7809d39d17f715e5

        SHA256

        b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a

        SHA512

        bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65

      • C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

        Filesize

        1.2MB

        MD5

        a1f2423f375be02b22175a9de219a17e

        SHA1

        d3f0dcee37bce0952a8841dea578ba431588f621

        SHA256

        d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71

        SHA512

        e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4

      • C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

        Filesize

        908KB

        MD5

        31e8f1b92ffcdd66676fcb134b225e15

        SHA1

        5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58

        SHA256

        3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110

        SHA512

        fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f

      • \Temp\Sonar Build.exe

        Filesize

        4.7MB

        MD5

        b4b602c182251256d93cd3ac38c80ea1

        SHA1

        702caa8790a2dc43302bf4a837f1a1ffda558121

        SHA256

        dd0ac90dc00a212e95eb4ec74475cdde57e1575195a369335cbbdbe8a367927c

        SHA512

        947e661d7a8af1ac6a0cc5eb98826d56aeb6048458c1db0891e5d00fe34ed9aad1d0bdddb31d84a12ef2b6585efd4ef08842c5a1fb0b086afc9d4982a7d693e0

      • \Temp\Sonar Solution.exe

        Filesize

        1.5MB

        MD5

        557d4c09c4da24b8d5c59a91c3033093

        SHA1

        d0a604bbfe5638138cc76644c8762563762eedb0

        SHA256

        b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3

        SHA512

        0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e

      • \Temp\SonarSolutionsBuild.exe

        Filesize

        4.4MB

        MD5

        9b8723149c4c4aee50f53a2f08be3a02

        SHA1

        a06614bd0e1bb8856b8fdc1b941b3adad9e58194

        SHA256

        db0b39d546fdbfe699c81dbf6f14b705bd00314102438ee5d101a2918cfc38bd

        SHA512

        26cc5abcc47d46a756fa489eb1237b6af420c8a6167372d6789be96a8b833c4a9814882bb07d829b21139e000b2ef59058422c89641fa0b3893f8eb8a150abe2

      • \Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

        Filesize

        944KB

        MD5

        b44452a72e44157f12e331bd4623052e

        SHA1

        e02b7cfd576c64938827925fe215f9fce6075ac4

        SHA256

        8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c

        SHA512

        698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4

      • \Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll

        Filesize

        6.5MB

        MD5

        c9aff68f6673fae7580527e8c76805b6

        SHA1

        bb62cc1db82cfe07a8c08a36446569dfc9c76d10

        SHA256

        9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

        SHA512

        c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

      • memory/2108-155-0x0000000000400000-0x0000000000664000-memory.dmp

        Filesize

        2.4MB

      • memory/2108-178-0x0000000000400000-0x0000000000664000-memory.dmp

        Filesize

        2.4MB

      • memory/2408-107-0x0000000003480000-0x0000000003501000-memory.dmp

        Filesize

        516KB

      • memory/2776-108-0x0000000001060000-0x00000000010E1000-memory.dmp

        Filesize

        516KB

      • memory/2776-118-0x0000000001060000-0x00000000010E1000-memory.dmp

        Filesize

        516KB

      • memory/2804-149-0x0000000003AB0000-0x0000000003D14000-memory.dmp

        Filesize

        2.4MB

      • memory/2804-152-0x0000000003AB0000-0x0000000003D14000-memory.dmp

        Filesize

        2.4MB

      • memory/2804-153-0x0000000003AB0000-0x0000000003D14000-memory.dmp

        Filesize

        2.4MB

      • memory/2804-151-0x0000000003AB0000-0x0000000003D14000-memory.dmp

        Filesize

        2.4MB

      • memory/2868-177-0x0000000001340000-0x0000000001478000-memory.dmp

        Filesize

        1.2MB

      • memory/2992-165-0x00000000002F0000-0x0000000000428000-memory.dmp

        Filesize

        1.2MB