Overview

overview

10

Static

static

10

57a247f9f8...cs.exe

windows7-x64

10

57a247f9f8...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 01:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

  • Size

    2.7MB

  • MD5

    57a247f9f8794206cc585e249c645a30

  • SHA1

    62181064bcea86150b2bc7c800c026b3e8054aa3

  • SHA256

    b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2

  • SHA512

    f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da

  • SSDEEP

    49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Score
10/10
dcratevasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
    persistence
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 30 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 40 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2444
        • C:\Program Files\Windows Portable Devices\winlogon.exe
          "C:\Program Files\Windows Portable Devices\winlogon.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2492

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\VideoLAN\VLC\taskhostw.exe
            Filesize

            2.7MB

            MD5

            b89e7dee183931b0505775b76e8414e1

            SHA1

            2755d7240e3cb5530ae8f119e4811a60528f2d42

            SHA256

            d3592c4629890388ddd2243bdb14dcad8f7d409075d0fcf422b091de24673bf9

            SHA512

            6d253fc961ca46035772c8796424c373391c095be10f9c54bcbfc9c5b9bd20bfafff51713bcaa87692f7cbede3566010721e9b7d8c4fc56ef10a2ac276be20df

            Download Submit

          • C:\Program Files\Windows Portable Devices\winlogon.exe
            Filesize

            2.7MB

            MD5

            e147292cc17642d7cc7a9666a57c4eef

            SHA1

            7b83b0cd8aa1969465881f6c7faf5426c64e2ac0

            SHA256

            a489e5bd2054857ac8fa3bb874d6e59130c34317713a4a8cf3793d5ce6dec0b2

            SHA512

            8693639bd7e4f41aba578d1a661b650108f1f4c87d74accb1a87cca7dbf06bd410141b32c1d689d567119651416d40d2fe183f9e0a3f3bf8ba589ef53b5e2ada

            Download Submit

          • C:\Recovery\WindowsRE\backgroundTaskHost.exe
            Filesize

            2.7MB

            MD5

            57a247f9f8794206cc585e249c645a30

            SHA1

            62181064bcea86150b2bc7c800c026b3e8054aa3

            SHA256

            b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2

            SHA512

            f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpdwvipm.3un.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat
            Filesize

            219B

            MD5

            b269dc32ea3ef55eaeae55361dcc6a6f

            SHA1

            994fd368c49b538f48a26b8852893f5eaa913026

            SHA256

            cf703e48081d799671f4d95e804d72c196d689624e2540e896e904e3abc7475a

            SHA512

            b36cc0a275dc4aedd1ea38dd97597de67fb072a08fa5fb6482ed11e3229cd5ef1ac160bbe56286d94249a814c7bc493747444678166356910187536ceb0abfb4

            Download Submit

          • memory/1444-184-0x000000001C130000-0x000000001C186000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1444-183-0x0000000000B40000-0x0000000000E00000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/2588-176-0x000001DDFEF80000-0x000001DDFEFA2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2928-18-0x000000001BC00000-0x000000001BC0C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-23-0x000000001BE40000-0x000000001BE4C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-9-0x000000001B3D0000-0x000000001B3D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-11-0x000000001B3F0000-0x000000001B400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2928-12-0x000000001B400000-0x000000001B40A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2928-13-0x000000001BB20000-0x000000001BB76000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2928-14-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-15-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-16-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-17-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-0-0x00007FFB824E3000-0x00007FFB824E5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2928-19-0x000000001BC10000-0x000000001BC1C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-20-0x000000001BE70000-0x000000001BE78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-22-0x000000001BE30000-0x000000001BE3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-24-0x000000001BE50000-0x000000001BE58000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-10-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-21-0x000000001BD20000-0x000000001BD28000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-26-0x000000001BEC0000-0x000000001BECC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2928-25-0x000000001BE60000-0x000000001BE6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2928-27-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2928-30-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2928-8-0x000000001B3A0000-0x000000001B3B6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2928-6-0x000000001B380000-0x000000001B388000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-166-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2928-7-0x000000001B390000-0x000000001B3A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2928-5-0x000000001BB70000-0x000000001BBC0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2928-4-0x000000001B360000-0x000000001B37C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2928-3-0x000000001B350000-0x000000001B358000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2928-2-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2928-1-0x00000000005A0000-0x0000000000860000-memory.dmp

            Filesize

            2.8MB

            Download