Analysis

  • max time kernel
    43s
  • max time network
    19s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    22-07-2024 22:43

General

  • Target

    ROBLOXFARMER.exe

  • Size

    1.9MB

  • MD5

    0cdc894447aa85d4b2c744c6825a2e0e

  • SHA1

    a4fcb12fcfaa38c8656964749962c9cdc2b9d82d

  • SHA256

    d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83

  • SHA512

    b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd

  • SSDEEP

    24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC

Malware Config

Signatures

  • DcRat 16 IoCs

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe
    "C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\DriverintoPerfMonitor\7tBtpkweNP1.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\DriverintoPerfMonitor\driverdll.exe
          "C:\DriverintoPerfMonitor\driverdll.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4560
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lxd1LPk0iB.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4148
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1148
              • C:\Users\Admin\sysmon.exe
                "C:\Users\Admin\sysmon.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:1884
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\sysmon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3244
    • C:\Windows\system32\notepad.exe
      "C:\Windows\system32\notepad.exe"
      1⤵
        PID:992

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\DriverintoPerfMonitor\7tBtpkweNP1.bat

        Filesize

        152B

      • C:\DriverintoPerfMonitor\driverdll.exe

        Filesize

        1.6MB

      • C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe

        Filesize

        209B

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Lxd1LPk0iB.bat

        Filesize

        190B

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlv5k3td.df4.ps1

        Filesize

        1B
