Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.2MB

  • MD5

    3e821d4b4af33a23f64c69db57770955

  • SHA1

    019742e345c39bd10f6c9bc4c1af4c2e94a5fca0

  • SHA256

    5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04

  • SHA512

    6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160

  • SSDEEP

    24576:U2G/nvxW3Ww0teLTGJTb/Ka2FVx0Q5eRvuiNLzrejv:UbA30yTGF/KvVd5eTNS7

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\BridgeWin\containerRuntime.exe
          "C:\BridgeWin\containerRuntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\WMIADAP.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\taskhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:588
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\trehocny9D.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:428
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1776
              • C:\Program Files\Microsoft Office\explorer.exe
                "C:\Program Files\Microsoft Office\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\BridgeWin\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BridgeWin\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\BridgeWin\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1956

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • C:\BridgeWin\kBRJ5zb6pFGWil.bat
      Filesize

      35B

      MD5

      064d44ddf49217a25ad5ec14b334e0f8

      SHA1

      092f4a63df14672e90e8001a9bb6000315fb29d6

      SHA256

      a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4

      SHA512

      342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb

      Download Submit

    • C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe
      Filesize

      200B

      MD5

      c33c80ec8b8c3cdef3f528ea621be889

      SHA1

      10b010cc2b37daf6fd01031c4d2af8d684cc6953

      SHA256

      a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc

      SHA512

      d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af

      Download Submit

    • C:\Program Files\Microsoft Office\explorer.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • C:\Program Files\Microsoft Office\explorer.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\trehocny9D.bat
      Filesize

      211B

      MD5

      ebf9864e1a9bd8e06f2461dffcbb25b8

      SHA1

      6a805a098d1110656032b8a75353f87cf5a22d64

      SHA256

      e62d7a0ad69d0ec06cbb389bbb8ee7cbf04ba20e8dd4d04f5e168c885a3c55eb

      SHA512

      cfbde6dba2004c23fb2d6ba93fd51279cb84f9df5096f953f33e617bf8c85ceb33e0b8fc05cba879a6d50285cc9d951e98a9c76ddde8cf52772b4d92caeae1c0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e7b56c96c6468a33e30049d2b9a4ca0e

      SHA1

      a361c274b0d105796ae8c1269dcbe5b79d7faf1c

      SHA256

      85ff067add36cddba0cedea2c071d823aa0578f1e8d5a711a91697d40022ee79

      SHA512

      eba676810fceb48ab171f7457f1aa36a248a451938a8a8b2041889c2d4d96f3dd6a152e3d9660fae4b170f62f7e951f7f4a592ca47832a255c8c358be52708e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e7b56c96c6468a33e30049d2b9a4ca0e

      SHA1

      a361c274b0d105796ae8c1269dcbe5b79d7faf1c

      SHA256

      85ff067add36cddba0cedea2c071d823aa0578f1e8d5a711a91697d40022ee79

      SHA512

      eba676810fceb48ab171f7457f1aa36a248a451938a8a8b2041889c2d4d96f3dd6a152e3d9660fae4b170f62f7e951f7f4a592ca47832a255c8c358be52708e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e7b56c96c6468a33e30049d2b9a4ca0e

      SHA1

      a361c274b0d105796ae8c1269dcbe5b79d7faf1c

      SHA256

      85ff067add36cddba0cedea2c071d823aa0578f1e8d5a711a91697d40022ee79

      SHA512

      eba676810fceb48ab171f7457f1aa36a248a451938a8a8b2041889c2d4d96f3dd6a152e3d9660fae4b170f62f7e951f7f4a592ca47832a255c8c358be52708e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e7b56c96c6468a33e30049d2b9a4ca0e

      SHA1

      a361c274b0d105796ae8c1269dcbe5b79d7faf1c

      SHA256

      85ff067add36cddba0cedea2c071d823aa0578f1e8d5a711a91697d40022ee79

      SHA512

      eba676810fceb48ab171f7457f1aa36a248a451938a8a8b2041889c2d4d96f3dd6a152e3d9660fae4b170f62f7e951f7f4a592ca47832a255c8c358be52708e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e7b56c96c6468a33e30049d2b9a4ca0e

      SHA1

      a361c274b0d105796ae8c1269dcbe5b79d7faf1c

      SHA256

      85ff067add36cddba0cedea2c071d823aa0578f1e8d5a711a91697d40022ee79

      SHA512

      eba676810fceb48ab171f7457f1aa36a248a451938a8a8b2041889c2d4d96f3dd6a152e3d9660fae4b170f62f7e951f7f4a592ca47832a255c8c358be52708e1

      Download Submit

    • \BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • \BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit

    • memory/428-78-0x0000000000000000-mapping.dmp

      Download

    • memory/568-67-0x0000000000440000-0x000000000044C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/568-66-0x00000000001D0000-0x00000000001DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/568-65-0x00000000001E0000-0x00000000002D0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/568-63-0x0000000000000000-mapping.dmp

      Download

    • memory/588-114-0x000000000240B000-0x000000000242A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/588-113-0x0000000002404000-0x0000000002407000-memory.dmp

      Filesize

      12KB

      Download

    • memory/588-102-0x0000000002404000-0x0000000002407000-memory.dmp

      Filesize

      12KB

      Download

    • memory/588-73-0x0000000000000000-mapping.dmp

      Download

    • memory/588-108-0x000000001B810000-0x000000001BB0F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/588-91-0x000007FEEC200000-0x000007FEECC23000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/588-97-0x000007FEEAE10000-0x000007FEEB96D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/680-59-0x0000000000000000-mapping.dmp

      Download

    • memory/992-74-0x000007FEFBDF1000-0x000007FEFBDF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/992-107-0x000000001B880000-0x000000001BB7F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/992-112-0x000000000263B000-0x000000000265A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/992-80-0x000007FEEC200000-0x000007FEECC23000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/992-100-0x000007FEEAE10000-0x000007FEEB96D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/992-69-0x0000000000000000-mapping.dmp

      Download

    • memory/992-111-0x0000000002634000-0x0000000002637000-memory.dmp

      Filesize

      12KB

      Download

    • memory/992-105-0x0000000002634000-0x0000000002637000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1072-93-0x0000000000000000-mapping.dmp

      Download

    • memory/1072-95-0x0000000000350000-0x0000000000440000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1260-90-0x000007FEEC200000-0x000007FEECC23000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1260-110-0x000000001B780000-0x000000001BA7F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1260-104-0x00000000027E4000-0x00000000027E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-120-0x00000000027E4000-0x00000000027E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-99-0x000007FEEAE10000-0x000007FEEB96D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1260-119-0x00000000027EB000-0x000000000280A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1260-72-0x0000000000000000-mapping.dmp

      Download

    • memory/1352-126-0x00000000027EB000-0x000000000280A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1352-71-0x0000000000000000-mapping.dmp

      Download

    • memory/1352-125-0x00000000027E4000-0x00000000027E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1352-124-0x00000000027E4000-0x00000000027E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1352-122-0x000007FEEC2C0000-0x000007FEECCE3000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1352-123-0x000007FEEA2B0000-0x000007FEEAE0D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1704-109-0x000000001B7E0000-0x000000001BADF000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1704-70-0x0000000000000000-mapping.dmp

      Download

    • memory/1704-117-0x0000000002694000-0x0000000002697000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1704-89-0x000007FEEC200000-0x000007FEECC23000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1704-96-0x000007FEEAE10000-0x000007FEEB96D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1704-101-0x0000000002694000-0x0000000002697000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1704-118-0x000000000269B000-0x00000000026BA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1720-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1736-55-0x0000000000000000-mapping.dmp

      Download

    • memory/1776-88-0x0000000000000000-mapping.dmp

      Download

    • memory/1952-98-0x000007FEEAE10000-0x000007FEEB96D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1952-68-0x0000000000000000-mapping.dmp

      Download

    • memory/1952-115-0x00000000027B4000-0x00000000027B7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1952-116-0x00000000027BB000-0x00000000027DA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1952-106-0x000000001B870000-0x000000001BB6F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1952-103-0x00000000027B4000-0x00000000027B7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1952-84-0x000007FEEC200000-0x000007FEECC23000-memory.dmp

      Filesize

      10.1MB

      Download