Overview

overview

10

Static

static

10

0a0a64f3c4...e8.exe

windows7-x64

10

0a0a64f3c4...e8.exe

windows10-2004-x64

10

Resubmissions

12-01-2023 20:01

230112-yrh6hsae52 10

07-01-2023 04:41

230107-fa3jqagb8t 10

07-01-2023 04:21

230107-eynj2acf87 10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2023 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

  • Size

    3.8MB

  • MD5

    0a0a64f3c4fa7d960be983aa0a7d0ce8

  • SHA1

    b597c7397ecaff7c5c1aa27f5124fc7b8a94e643

  • SHA256

    6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

  • SHA512

    ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4

  • SSDEEP

    98304:F7b3a0t2TiPhx6Sp+ybfnDA4qo34n1oO:FH3Z8cp+gDZ4n1

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 23 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\Registry.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\explorer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\lsass.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4156
    • C:\Program Files\Uninstall Information\System.exe
      "C:\Program Files\Uninstall Information\System.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3092
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\453d52b7-942c-45b2-92b8-4ec4d3e64db0.vbs"
        3⤵
          PID:4668
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba3150a8-e2f4-46a1-9023-aad34c8cfd05.vbs"
          3⤵
            PID:1712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\lsass.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Searches\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2760
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3280

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      4
      T1112

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Uninstall Information\System.exe
        Filesize

        3.8MB

        MD5

        e128ebfa9ef32b6a105535f3618f7d49

        SHA1

        410d347537ef1797ed8098525418a6611b7a6378

        SHA256

        c8e5d3077b9f0e1dac0a5c89fa8cf80cbb29d478516793f161cfb0b80de4a565

        SHA512

        f0557eec178748412ebb2b5fd2053868f32c2aba11602f719c05dd998203a0815f4b8b3599b1f4d3d2ba79fa7bf059fc70cd412435e8b9f8c4b2c4975bbdd9c7

        Download Submit
      • C:\Program Files\Uninstall Information\System.exe
        Filesize

        3.8MB

        MD5

        e128ebfa9ef32b6a105535f3618f7d49

        SHA1

        410d347537ef1797ed8098525418a6611b7a6378

        SHA256

        c8e5d3077b9f0e1dac0a5c89fa8cf80cbb29d478516793f161cfb0b80de4a565

        SHA512

        f0557eec178748412ebb2b5fd2053868f32c2aba11602f719c05dd998203a0815f4b8b3599b1f4d3d2ba79fa7bf059fc70cd412435e8b9f8c4b2c4975bbdd9c7

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        59d97011e091004eaffb9816aa0b9abd

        SHA1

        1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

        SHA256

        18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

        SHA512

        d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        59d97011e091004eaffb9816aa0b9abd

        SHA1

        1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

        SHA256

        18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

        SHA512

        d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        17fbfbe3f04595e251287a6bfcdc35de

        SHA1

        b576aabfd5e6d5799d487011506ed1ae70688987

        SHA256

        2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

        SHA512

        449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\453d52b7-942c-45b2-92b8-4ec4d3e64db0.vbs
        Filesize

        725B

        MD5

        03d35bbd14a8d231a3936a3d35817b39

        SHA1

        5e8a38fe92810cf960ae12fe6ca6b6efa06ffb32

        SHA256

        1f156c6e127d5c3a07f6c2ef9d173b35abbd967b3e0c1125bde762364a2b2cf9

        SHA512

        c0d22673ee34ed7e32370baaa83c6edcd4123d923a1b73bff044b8aedca41143009d9922bc26a24de4a04a1c9ca77686c5745182f57c6d0deabbd201a58ad5fa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ba3150a8-e2f4-46a1-9023-aad34c8cfd05.vbs
        Filesize

        501B

        MD5

        d970a257712241e191b56e98e6589c51

        SHA1

        ca26a14d5e3da4b497cd5af6c062e14cf22edd0a

        SHA256

        d133cb86d5b9a779749771ebc035c50e6f0860b556c4f1a8b4627d9bd647723e

        SHA512

        63ad5cd1977bd22966963d3928d68877e99624f2037d40d623d2c1c21ecdaa42753b3a97825921fa63a5ebfcf79f948ecd1f59351dc790a1cfdecb4a3ddaa946

        Download Submit
      • memory/212-147-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/212-166-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/212-137-0x0000000000000000-mapping.dmp
        Download
      • memory/224-148-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/224-169-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/224-138-0x0000000000000000-mapping.dmp
        Download
      • memory/260-144-0x0000028941110000-0x0000028941132000-memory.dmp
        Filesize

        136KB

        Download
      • memory/260-146-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/260-136-0x0000000000000000-mapping.dmp
        Download
      • memory/260-162-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1712-177-0x0000000000000000-mapping.dmp
        Download
      • memory/1932-139-0x0000000000000000-mapping.dmp
        Download
      • memory/1932-163-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1932-149-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3092-164-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3092-155-0x00000000004B0000-0x000000000087A000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/3092-150-0x0000000000000000-mapping.dmp
        Download
      • memory/3092-180-0x000000001E1D0000-0x000000001E392000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/3092-181-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3688-151-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3688-140-0x0000000000000000-mapping.dmp
        Download
      • memory/3688-170-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3780-157-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3780-172-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3780-142-0x0000000000000000-mapping.dmp
        Download
      • memory/3964-154-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3964-174-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3964-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4156-175-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4156-158-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4156-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4316-156-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4316-132-0x0000000000770000-0x0000000000B3A000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/4316-145-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4316-135-0x000000001CDE0000-0x000000001D308000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/4316-134-0x000000001C860000-0x000000001C8B0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4316-133-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4668-176-0x0000000000000000-mapping.dmp
        Download