Analysis
- max time kernel: 122s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 01:16
Behavioral task
behavioral1
Sample
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
Resource
win7-20240419-en
General
-
Target
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
-
Size
3.1MB
-
MD5
18f5a3194d73e08d7d66b7a3b42568b3
-
SHA1
86d424c8a86ec2f20407f9f2db9133a0a2b314f7
-
SHA256
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1
-
SHA512
3f14d5b896cdba1ea41516a3c1f9b2745bd403a57bb66bf6c2016ee5dde2f2bab8560822975848f4920502a4ae94975891846d8249ab401054655482964bcb11
-
SSDEEP
49152:UbA30w1VlUYYDF62IumHbysKqLb5yHfCbShsA3z42d7U8rUc1uHToN/:UbgJWF6ymHbRzLb5ya2hsUz4c7W9K/
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2632 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2632 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 2632 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2632 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 2632 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 2632 schtasks.exe
-
Processes: audiodg.exe, intoHostDhcp.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" intoHostDhcp.exe
-
Processes:
resource yara_rule
C:\BlockproviderComponentweb\intoHostDhcp.exe dcrat
behavioral1/memory/2660-13-0x00000000008E0000-0x0000000000BBA000-memory.dmp dcrat
behavioral1/memory/2200-56-0x0000000000EA0000-0x000000000117A000-memory.dmp dcrat
-
Detects executables packed with SmartAssembly 7 IoCs
Processes:
resource yara_rule
behavioral1/memory/2660-18-0x0000000000490000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-24-0x0000000000830000-0x000000000083C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-33-0x000000001A9D0000-0x000000001A9DA000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-32-0x000000001A9C0000-0x000000001A9CC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-30-0x00000000023C0000-0x00000000023CA000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-29-0x00000000023B0000-0x00000000023BC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-27-0x00000000022A0000-0x00000000022AC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe, powershell.exe
pid process
328 powershell.exe
2388 powershell.exe
1856 powershell.exe
-
Executes dropped EXE 2 IoCs
Processes: intoHostDhcp.exe, audiodg.exe
pid process
2660 intoHostDhcp.exe
2200 audiodg.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid process
2676 cmd.exe
2676 cmd.exe
-
Processes: intoHostDhcp.exe, audiodg.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" intoHostDhcp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
-
Drops file in Windows directory 3 IoCs
Processes: intoHostDhcp.exe
description ioc process
File created C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe intoHostDhcp.exe
File opened for modification C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe intoHostDhcp.exe
File created C:\Windows\SoftwareDistribution\ScanFile\42af1c969fbb7b intoHostDhcp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid process
1636 schtasks.exe
2708 schtasks.exe
1896 schtasks.exe
2520 schtasks.exe
108 schtasks.exe
1732 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: intoHostDhcp.exe, powershell.exe, powershell.exe, powershell.exe, audiodg.exe
pid process
2660 intoHostDhcp.exe
2388 powershell.exe
1856 powershell.exe
328 powershell.exe
2200 audiodg.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: intoHostDhcp.exe, powershell.exe, powershell.exe, powershell.exe, audiodg.exe
description pid process
Token: SeDebugPrivilege 2660 intoHostDhcp.exe
Token: SeDebugPrivilege 2388 powershell.exe
Token: SeDebugPrivilege 1856 powershell.exe
Token: SeDebugPrivilege 328 powershell.exe
Token: SeDebugPrivilege 2200 audiodg.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes: a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe, WScript.exe, cmd.exe, intoHostDhcp.exe, cmd.exe, audiodg.exe
description pid process target process
PID 3028 wrote to memory of 2080 3028 a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe WScript.exe
PID 2080 wrote to memory of 2676 2080 WScript.exe cmd.exe
PID 2676 wrote to memory of 2660 2676 cmd.exe intoHostDhcp.exe
PID 2660 wrote to memory of 1856 2660 intoHostDhcp.exe powershell.exe
PID 2660 wrote to memory of 2388 2660 intoHostDhcp.exe powershell.exe
PID 2660 wrote to memory of 328 2660 intoHostDhcp.exe powershell.exe
PID 2660 wrote to memory of 1664 2660 intoHostDhcp.exe cmd.exe
PID 1664 wrote to memory of 2808 1664 cmd.exe w32tm.exe
PID 1664 wrote to memory of 2200 1664 cmd.exe audiodg.exe
PID 2200 wrote to memory of 1720 2200 audiodg.exe WScript.exe
PID 2200 wrote to memory of 1532 2200 audiodg.exe WScript.exe
-
System policy modification 1 TTPs 6 IoCs
Processes: intoHostDhcp.exe, audiodg.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" intoHostDhcp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe"
Tree depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\no2eZG6mwS0.vbe"
Tree depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\BlockproviderComponentweb\QGmdpYGOg.bat" "
Tree depth: 3
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Image: C:\BlockproviderComponentweb\intoHostDhcp.exe
Command line: "C:\BlockproviderComponentweb\intoHostDhcp.exe"
Tree depth: 4
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'
Tree depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'
Tree depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
Tree depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xKZCuHzSJ5.bat"
Tree depth: 5
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Tree depth: 6
-
Image: C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe
Command line: "C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe"
Tree depth: 6
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Image: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c77471-6193-4b87-810b-b3f5f36f56fa.vbs"
Tree depth: 7
-
Image: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c72ba46-5185-4851-bbb8-47109446ceda.vbs"
Tree depth: 7
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\BlockproviderComponentweb\QGmdpYGOg.bat
Filesize: 58B
-
C:\BlockproviderComponentweb\intoHostDhcp.exe
Filesize: 2.8MB
-
C:\BlockproviderComponentweb\no2eZG6mwS0.vbe
Filesize: 222B
-
C:\Users\Admin\AppData\Local\Temp\2c72ba46-5185-4851-bbb8-47109446ceda.vbs
Filesize: 504B
-
C:\Users\Admin\AppData\Local\Temp\d6c77471-6193-4b87-810b-b3f5f36f56fa.vbs
Filesize: 728B
-
C:\Users\Admin\AppData\Local\Temp\xKZCuHzSJ5.bat
Filesize: 217B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GRAK832B710FV3B25Q8D.temp
Filesize: 7KB