Overview

overview

10

Static

static

10

bdf85a0d4d...da.exe

windows7-x64

10

bdf85a0d4d...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2023 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdf85a0d4de087264aa6fd089375adda.exe

  • Size

    1.3MB

  • MD5

    bdf85a0d4de087264aa6fd089375adda

  • SHA1

    c1e0b04c84419d3364148835d67ba9bf98c55b7c

  • SHA256

    7235f8a24a197b99d55e124472f7689509057074e00efe0a3ed18feb26b3a88c

  • SHA512

    22ff8d54b814e0412acbc5ac5a44af1088ee558460cf8effd148860543b37c0daf1cda8d45b202a49fe00946d8e8e40b403163079452e0968a89c62f1735df80

  • SSDEEP

    24576:/2G/nvxW3WF36YW5Mna4CGWoyJmZ+3uBWMjDhN:/bA3pYsM4GmDMDb

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdf85a0d4de087264aa6fd089375adda.exe
    "C:\Users\Admin\AppData\Local\Temp\bdf85a0d4de087264aa6fd089375adda.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeserverref\OISo0jBwHBn4xoiWAh.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgeserverref\qUFNDlasPyhJt.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\bridgeserverref\portbrowserDriver.exe
          "C:\bridgeserverref\portbrowserDriver.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\bridgeserverref\services.exe
            "C:\bridgeserverref\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\bridgeserverref\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\bridgeserverref\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\bridgeserverref\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\bridgeserverref\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgeserverref\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\bridgeserverref\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\odt\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\bridgeserverref\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\bridgeserverref\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\bridgeserverref\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Fonts\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\bridgeserverref\OISo0jBwHBn4xoiWAh.vbe
    Filesize

    205B

    MD5

    106e933e48535c5b58d189fc8621b36c

    SHA1

    89887d3c7bbadd8d3d734860b9792371e29a7a60

    SHA256

    0c8b5357c376b682596e01bf0f7abe28ae100785bb1e57e489bc89b95fcc6e71

    SHA512

    f0e01329517b6a48b50a91855307c0b36cee24858e580996caaf5b7ec190261d9a37f672ec9fa965e703734ac6d971d15cd394f474543f72371817cc65ff5e86

    Download Submit
  • C:\bridgeserverref\portbrowserDriver.exe
    Filesize

    1002KB

    MD5

    78b6a1e77f422124b9df2cf52ece8637

    SHA1

    75b68997249ae9ca134dc8e311f20d8767e2fee4

    SHA256

    9c05f54d304337ea176229198d04f5f4b92d7f66d6d8c65214b8ec98e3d8365e

    SHA512

    1d4896b00350acc6bd4d1cd799d7555af5a84902c2f5d933ec076a076a12bdfa395359ff1c4b9e7443c3d07566059f2d9f515b661d2a870ba8d602f211b0938d

    Download Submit
  • C:\bridgeserverref\portbrowserDriver.exe
    Filesize

    1002KB

    MD5

    78b6a1e77f422124b9df2cf52ece8637

    SHA1

    75b68997249ae9ca134dc8e311f20d8767e2fee4

    SHA256

    9c05f54d304337ea176229198d04f5f4b92d7f66d6d8c65214b8ec98e3d8365e

    SHA512

    1d4896b00350acc6bd4d1cd799d7555af5a84902c2f5d933ec076a076a12bdfa395359ff1c4b9e7443c3d07566059f2d9f515b661d2a870ba8d602f211b0938d

    Download Submit
  • C:\bridgeserverref\qUFNDlasPyhJt.bat
    Filesize

    42B

    MD5

    93da5536b5cc60dadec6683e833b7295

    SHA1

    929ed3502470546fdceca2342f64ae6ad196ef73

    SHA256

    97894eb0076b938a1fb93bab0fc17bbe170affadd3af8e7c68730eb4e29d3d17

    SHA512

    afad9760d5786f8b09468b66433488a52f4e23736d4b730fcee3328e56289845583ac464c28e07d0750bb5edb3594e230ee2f2ffb1f2f9d325b4172500a74b43

    Download Submit
  • C:\bridgeserverref\services.exe
    Filesize

    1002KB

    MD5

    78b6a1e77f422124b9df2cf52ece8637

    SHA1

    75b68997249ae9ca134dc8e311f20d8767e2fee4

    SHA256

    9c05f54d304337ea176229198d04f5f4b92d7f66d6d8c65214b8ec98e3d8365e

    SHA512

    1d4896b00350acc6bd4d1cd799d7555af5a84902c2f5d933ec076a076a12bdfa395359ff1c4b9e7443c3d07566059f2d9f515b661d2a870ba8d602f211b0938d

    Download Submit
  • C:\bridgeserverref\services.exe
    Filesize

    1002KB

    MD5

    78b6a1e77f422124b9df2cf52ece8637

    SHA1

    75b68997249ae9ca134dc8e311f20d8767e2fee4

    SHA256

    9c05f54d304337ea176229198d04f5f4b92d7f66d6d8c65214b8ec98e3d8365e

    SHA512

    1d4896b00350acc6bd4d1cd799d7555af5a84902c2f5d933ec076a076a12bdfa395359ff1c4b9e7443c3d07566059f2d9f515b661d2a870ba8d602f211b0938d

    Download Submit
  • memory/448-135-0x0000000000000000-mapping.dmp
    Download
  • memory/736-147-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/736-146-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/736-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2032-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2032-141-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2032-145-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2032-140-0x0000000003120000-0x0000000003170000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2032-139-0x0000000000EC0000-0x0000000000FC2000-memory.dmp
    Filesize

    1.0MB

    Download