Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

36b4c1632f...20.exe

windows7-x64

10

36b4c1632f...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe

  • Size

    3.4MB

  • MD5

    1b57989c5c9ef0b64db6fbc2c88b346b

  • SHA1

    75818e0eedd98f90c338edbc2ad6882f6a11fb06

  • SHA256

    36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20

  • SHA512

    269cc8c6918a00a1df3e932ca3c7aec08913dfe2d545bc7bdcb9ced00b1038ada214ed167619b96a38a0c865889c0a590d3b8be1aaaa3c036db3ba0c9d65be7a

  • SSDEEP

    49152:h7/RbqaJqrkG24yhaf1hD3uR4S1o+NO6QolF2YpwCgOGE2/xB/r/4ri:F1t5Qa4YowtJwCHG5xBj/4

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 29 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detects executables packed with SmartAssembly 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
    "C:\Users\Admin\AppData\Local\Temp\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2988
    • C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
      "C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1972
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb921c5e-74aa-4dd2-bb6e-ef6c9f986fd1.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
          "C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2788
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426f933c-95e3-46db-8c3d-916a09cc9a7c.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
              "C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:576
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511efb76-9f08-4113-b8fc-48c5d486c57f.vbs"
                7⤵
                  PID:1824
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d964749f-ab84-4060-9d8f-f1a19b145b35.vbs"
                  7⤵
                    PID:844
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dca64d19-b427-4542-b1b6-ed210b30245d.vbs"
                5⤵
                  PID:1876
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c51d683-3d22-45c6-8246-dfe1f1711452.vbs"
              3⤵
                PID:1808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20" /sc ONLOGON /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:268
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2340
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1340
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\services.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2216
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2244
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1824
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20" /sc ONLOGON /tr "'C:\Windows\tracing\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\smss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1604

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\2c51d683-3d22-45c6-8246-dfe1f1711452.vbs
            Filesize

            553B

            MD5

            89806cd4cccdaf69344e4e7f87e0ad7a

            SHA1

            8a838d2dbb337faa3a2f086ac877e9371ab155ca

            SHA256

            ce1319b22608c7ad79494b71a0bb11edf78cd559e5ea90f75d0387740d12e2cb

            SHA512

            627999e2ab3451123481fc8bc5ffcc1fab646844bcb52cf3928b6c60e106eadf4f3425dc99e5ac75e752018ff201a747b12184e269e7275e820cb54a1591fd4b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\426f933c-95e3-46db-8c3d-916a09cc9a7c.vbs
            Filesize

            777B

            MD5

            fad7eb04925fd630618d594f619b0087

            SHA1

            196f3e1c705b23ed4671bf217e5b4033da8ddc45

            SHA256

            650e295418327e069ac3afde888268c9ca65d0b4417dd39920a53d9ddfa86b06

            SHA512

            8754f6b52d5fc74e6d86127e62c1f1c93bdf3d4b06e3e59d7deff7aff46ccc79770bcd7f85b75934bb28d3ea3a6c678bb9bb6a7ffd7c294c1b204b920cb26330

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\511efb76-9f08-4113-b8fc-48c5d486c57f.vbs
            Filesize

            776B

            MD5

            efdecae2f924138f4d8a8936461149b8

            SHA1

            e4b543bc9d7f5ab448df549cd7dbb2b5c26e92e9

            SHA256

            d262730ccbabb86b6e9eaa4f973858cb21409d41346d6b2f0199ed81363f9142

            SHA512

            61e501a6af8c8b0a3bb0a08f14a452fac81dd7839ffa970c1c6bfe394b39fd03cd0117c7c3057a93336604c3c8426c262331115c5ce9f1c00df5c83a22280c90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cb921c5e-74aa-4dd2-bb6e-ef6c9f986fd1.vbs
            Filesize

            777B

            MD5

            4c8b81660e2c27671dbd7950baf14e66

            SHA1

            32fb23c067c7a956005a2e0c9c865c755d23ad07

            SHA256

            f967d8d168562aa27832cb4e6667bf72b3114eb0f2b7c6c71aa47cc2b6366066

            SHA512

            73ce59d1066989c9595ae932d61932c2c55e9f0c33dc6eb788b152c5b54db86e37f7dbc6e15d5b165e66da5c8d1e69f86c3b973bd545ae20647d26edbd11a98b

            Download Submit

          • C:\Users\Public\Pictures\services.exe
            Filesize

            3.4MB

            MD5

            1b57989c5c9ef0b64db6fbc2c88b346b

            SHA1

            75818e0eedd98f90c338edbc2ad6882f6a11fb06

            SHA256

            36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20

            SHA512

            269cc8c6918a00a1df3e932ca3c7aec08913dfe2d545bc7bdcb9ced00b1038ada214ed167619b96a38a0c865889c0a590d3b8be1aaaa3c036db3ba0c9d65be7a

            Download Submit

          • memory/1972-63-0x0000000000390000-0x00000000006FA000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/2788-76-0x0000000000AE0000-0x0000000000B36000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2788-75-0x00000000011E0000-0x000000000154A000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/2988-22-0x0000000002450000-0x000000000245C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-27-0x000000001AAD0000-0x000000001AAD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-9-0x0000000000650000-0x0000000000666000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2988-11-0x0000000000670000-0x0000000000682000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2988-12-0x0000000000680000-0x000000000068C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-13-0x0000000000690000-0x0000000000698000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-14-0x00000000006A0000-0x00000000006B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2988-15-0x00000000023A0000-0x00000000023AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2988-16-0x00000000023B0000-0x0000000002406000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2988-17-0x0000000002400000-0x000000000240C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-18-0x0000000002410000-0x0000000002418000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-19-0x0000000002420000-0x000000000242C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-20-0x0000000002430000-0x0000000002438000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-21-0x0000000002440000-0x0000000002452000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2988-0-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-23-0x000000001AA90000-0x000000001AA9C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-24-0x000000001AAA0000-0x000000001AAA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-25-0x000000001AAB0000-0x000000001AABC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-26-0x000000001AAC0000-0x000000001AACC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-10-0x0000000000440000-0x0000000000448000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-28-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-29-0x000000001ABF0000-0x000000001ABFA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2988-30-0x000000001AC00000-0x000000001AC0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2988-31-0x000000001AC10000-0x000000001AC18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-32-0x000000001AC20000-0x000000001AC2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2988-33-0x000000001AC30000-0x000000001AC38000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-34-0x000000001AC40000-0x000000001AC4C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-35-0x000000001AC50000-0x000000001AC58000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-36-0x000000001AC60000-0x000000001AC6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2988-37-0x000000001B040000-0x000000001B04C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2988-8-0x0000000000430000-0x0000000000440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2988-7-0x00000000003F0000-0x00000000003F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-64-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2988-6-0x0000000000410000-0x000000000042C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2988-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2988-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2988-2-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2988-1-0x0000000000B30000-0x0000000000E9A000-memory.dmp

            Filesize

            3.4MB

            Download