Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 07:06

General

  • Target

    0c8a0a7c4e92809c7f8303d35d7f0d84.exe

  • Size

    4.7MB

  • MD5

    0c8a0a7c4e92809c7f8303d35d7f0d84

  • SHA1

    9cebe3c7e1d1698edb7e512847b3d6e9846d7e52

  • SHA256

    6fe3954e5bf41385b5002f96e4bab15545dee6ab4278c2d6455a65157f4e8e9f

  • SHA512

    0544f9abf5a3105cf8229132fe839f4866a1b56f2ee16c8c06f450c549f6ba715f7b4a039a91207df6afa856a985e3e793945648546c1e93f82add6d9cae412a

  • SSDEEP

    98304:Aqwf7ZW2WRBeGGj16dJKmyRN1vAsEVgqyu3OimIkJAr0S:Aqwfo2yUGbJKmEWQu3OYxr0S

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to or copying of the web browser credential store.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c8a0a7c4e92809c7f8303d35d7f0d84.exe
    "C:\Users\Admin\AppData\Local\Temp\0c8a0a7c4e92809c7f8303d35d7f0d84.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\midnight.exe
      "C:\Users\Admin\AppData\Local\Temp\midnight.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomComponentwebDhcp\A8jWJusTtraIk1b59.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomComponentwebDhcp\IEwUUYV5m7a4xMEXWiWnecp.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\HypercomComponentwebDhcp\perfdll.exe
            "C:\HypercomComponentwebDhcp\perfdll.exe"
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3244
            • C:\HypercomComponentwebDhcp\perfdll.exe
              "C:\HypercomComponentwebDhcp\perfdll.exe"
              6⤵
              • Modifies WinLogon for persistence
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3068
              • C:\Windows\DigitalLocker\en-US\conhost.exe
                "C:\Windows\DigitalLocker\en-US\conhost.exe"
                7⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2028
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a63d49-0454-439b-8502-4b9f638bd47a.vbs"
                  8⤵
                    PID:4932
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1d46a6-eee0-4d9f-a9ba-fe93e21806f6.vbs"
                    8⤵
                      PID:2340
        • C:\Users\Admin\AppData\Local\Temp\midnight(.exe
          "C:\Users\Admin\AppData\Local\Temp\midnight(.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Users\Admin\AppData\Local\Temp\midni.exe
            "C:\Users\Admin\AppData\Local\Temp\midni.exe"
            3⤵
            • Executes dropped EXE
            PID:3448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\INF\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\HypercomComponentwebDhcp\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\HypercomComponentwebDhcp\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\HypercomComponentwebDhcp\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\HypercomComponentwebDhcp\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:848
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1976

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\HypercomComponentwebDhcp\A8jWJusTtraIk1b59.vbe

              Filesize

              224B

              MD5

              6c5a0d3f80c0a3ccc9e69824da951da6

              SHA1

              a3a7ef9cedf3207f696a712b6773e3a55608fbf5

              SHA256

              1aab80069c559cf05aae781ab6b09861f47b25948c184b67ab4b58e424c73164

              SHA512

              3cc1d7f36ce30f8897aa4b82f33ac9abb49d35959286e5e724db8ce747e6ebe85b7c2b093d1ec02c7f09eb2f92b897583a633b79f5420f3badb63cc0a76b1d98

            • C:\HypercomComponentwebDhcp\IEwUUYV5m7a4xMEXWiWnecp.bat

              Filesize

              41B

              MD5

              07f925c0394c46462aeaa6013fe6d7da

              SHA1

              9ae646616e4327c36f299e04b187d79bb647b941

              SHA256

              d4b56955063bb1daba53886eb017780e68b76494a82d70f97a30a8281adc63f5

              SHA512

              c6741fbd27f4cdb112e9d6d17e5a4b26f9f88329d0eda829c9270f0eea49e221ab2839a40ecca87585822bfffb490d1624cab17e7c2332e3ba933a511f3babac

            • C:\HypercomComponentwebDhcp\perfdll.exe

              Filesize

              3.8MB

              MD5

              c8797d5297a13335c183f189c1823fdc

              SHA1

              83331054936284e390b5a767f624a894269bf1d1

              SHA256

              9bbc7eed5281b551203971ede8fd2b4c7cb88fe04312185d1b61b9e4b329b329

              SHA512

              a998016377ee89a0df1f9202be0b4990ec48421f2abc3d8f17abf1452188710e7b4e4f07e9148f99960db33c9801169414538a78abcfc29df84ea287ac573954

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfdll.exe.log

              Filesize

              1KB

              MD5

              655010c15ea0ca05a6e5ddcd84986b98

              SHA1

              120bf7e516aeed462c07625fbfcdab5124ad05d3

              SHA256

              2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

              SHA512

              e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

            • C:\Users\Admin\AppData\Local\Temp\28a63d49-0454-439b-8502-4b9f638bd47a.vbs

              Filesize

              718B

              MD5

              06528376832c0fbb7efd3b1e19bfd41a

              SHA1

              d35fd3056ea8d621780f89b2e2e790de6fffe725

              SHA256

              8b274fe5a39720634ddc74e06720a2cb1fb75759de419db28eced3ca555216e9

              SHA512

              5a42569d6b5be2a81c5298b255f51d53b716ed4c166be6dc92dc559d36cea8f2fce611fb015ab933856375111de345244210a6392b87a68b64a442b0aef6a3b4

            • C:\Users\Admin\AppData\Local\Temp\cc1d46a6-eee0-4d9f-a9ba-fe93e21806f6.vbs

              Filesize

              494B

              MD5

              05106c3f7a72010173d226f731b1074e

              SHA1

              9c14ebef68d8a61c03fb744a57133c6183006873

              SHA256

              94780393dff2c39fc3118b609eb475dbe74e5bda36c36862dcf46cc5f71e7ba2

              SHA512

              2c90f91df51d97ea477909d30dc79086b1f47398407186d11c62b0ee09fe71fbf36128bd0e352a6deb2d87aeae82bd065a45f0f439dc09be0ae1d3f26bef6bec

            • C:\Users\Admin\AppData\Local\Temp\midni.dll

              Filesize

              219KB

              MD5

              7df8b91c7f07e5ded8eae55416667491

              SHA1

              87c76efb92bc714d1b0f2fa435c8209bf4da206b

              SHA256

              8d11dbdcf9ae736b44cec765d5b5f90c506b6056ba1d9b5cc6c6424f6e2fbcbf

              SHA512

              1e9869bc3c37da9567c11e795c01db3ffea0f6aa1ab79a8892115ac35ea539a208a056a81a70135ea4721a0ef8091bd47b4bd6f0ba2c54590dcbf303284a1284

            • C:\Users\Admin\AppData\Local\Temp\midni.exe

              Filesize

              139KB

              MD5

              09897385b47bb55ce7f5061aa8003b22

              SHA1

              c323db05bd880abc58d4ed022dd915ab9b37fbbe

              SHA256

              3e957a0600ee257e2e680ada269b1bb505b4f25227c9c81faa39f56c6b179302

              SHA512

              fcd90430236d4a282961a3d9e8682847d782d49b49c5b42df7132747a0e06bd727356f8d8b6d5165f902e62e2a6b7779f9e9c475c50b5a512ab20530c758e23e

            • C:\Users\Admin\AppData\Local\Temp\midni.runtimeconfig.json

              Filesize

              386B

              MD5

              186a65581e2f29258f54d396660409fa

              SHA1

              6f998d3be2e85cb5419205f867135874f27c0a3a

              SHA256

              e1e0974d0e8833375024eb7c78521b3b5cad4228aad22b23d506cbe702445844

              SHA512

              7dea87b523aab01ea3c794779b71bc0b52179e1d5e7b9a45539ddd39c775969ef22853c4c193699aec1e3fa3cbe26e90e3a4881226c52a3aacae1eac260ff896

            • C:\Users\Admin\AppData\Local\Temp\midnight(.exe

              Filesize

              1.2MB

              MD5

              bdfb80b2bb0b0410356d7cdac628d9b2

              SHA1

              33342b297d6804d49e2efbf6c0b05d6768787eff

              SHA256

              503671ec90772706cb8e949a9056c948e09c5bb99599efff67d27b900d1fae21

              SHA512

              c1eed4bea24d408c530632eb63f363264b7b774dcec0136d97735f1278544c1c3532f9f14421c7fe6de5b03472fad9e0694f0f4c92b73afc48b49fca4a9ebe1e

            • C:\Users\Admin\AppData\Local\Temp\midnight.exe

              Filesize

              4.3MB

              MD5

              9b1ed067e43e0489a444b5135892f7f3

              SHA1

              ba6e2e07354fa47aa51160ac61de38bb5cefad03

              SHA256

              16600f1ac5b9c2fc43a08bfd25c590c382d14e3d1dd0c9b94665cffc0576bd60

              SHA512

              ee41ed8b5f54150f034f4f6dff7bfdbb5ba4e7027615732522ca5fedaeb77f6ef5c2e8e8dea30bf6ef0a82fab2cfb08951981e198435a9e76c2b91def34d5954
