Overview

overview

10

Static

static

3

Nursultan Alpha.exe

windows7-x64

10

Nursultan Alpha.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan Alpha.exe

  • Size

    1.8MB

  • MD5

    a0645e34ac6cb9437068b77b866359d3

  • SHA1

    18336dcb1df21c059424ab7a39fda24917ed17db

  • SHA256

    be0eac22d3c922d2b394a32b3bb0721c27f0fe1fbfa8c062db3c81b8b9d57fea

  • SHA512

    07340cc1d83997031bf20831a1f01700fbce98a294d8135cd4aa4c3d5f43b035faaee9a6c127766e802e018c98835358be268f3aac24a84a82317510c87a4968

  • SSDEEP

    24576:HTbBv5rUr3617t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWy:BBw6Bt7R0wJ4L5Uw5lCCyG31oIPmy

Score
10/10
dcratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hyperprovidernetCommon\N7RAApaJedNAiIei7PmzIxjENbypjK6WEY7Bu.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\hyperprovidernetCommon\2ljacxinndiciEWf.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\hyperprovidernetCommon\portsvc.exe
          "C:\hyperprovidernetCommon/portsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjhge0li\jjhge0li.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:5020
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A54.tmp" "c:\Windows\System32\CSCCFD9A6358E8B4A5DBEB942FF1EF6CA1A.TMP"
              6⤵
                PID:5064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1576
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperprovidernetCommon\lsass.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2136
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\portsvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2100
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:844
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperprovidernetCommon\portsvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1304
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qowTaQRdZ8.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3244
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4408
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4492
                • C:\hyperprovidernetCommon\lsass.exe
                  "C:\hyperprovidernetCommon\lsass.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\hyperprovidernetCommon\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hyperprovidernetCommon\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\hyperprovidernetCommon\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvcp" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\portsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvc" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\portsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvcp" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\portsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvcp" /sc MINUTE /mo 10 /tr "'C:\hyperprovidernetCommon\portsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvc" /sc ONLOGON /tr "'C:\hyperprovidernetCommon\portsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "portsvcp" /sc MINUTE /mo 5 /tr "'C:\hyperprovidernetCommon\portsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2748
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3316

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES1A54.tmp
        Filesize

        1KB

        MD5

        a2001d34a89d4abec1fa23d7827933fb

        SHA1

        c11c70eeb3c5022ad48f6886b38489ee4c47f896

        SHA256

        d91c5ca450a2d1eeb4dff1c5d6c21aea123a601158aa115eaa6a9ca3e4a0517b

        SHA512

        75a3e6e0516d3e11bcb889fa1e4f556903ddebef6b2d079af4ca6478616a90d3ae665edcc31692334ffe5ea4c53cd4620d1108b84ed9b58323e532ffbe7754eb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qowTaQRdZ8.bat
        Filesize

        163B

        MD5

        d00134d08a2670e365f1a9eccf4398f9

        SHA1

        6f812c4d9d563db74b5c9eabbd9564140b21f6d4

        SHA256

        bf7b518960cf2a75cc9fcc42318f5a702eb231d01355f181f2c6a94b1882e35d

        SHA512

        5db12e222d88ab3c569769960a43f56bfc4f48d9d0f1dddbb4ef4b72fb9176ff577df3e1e669b7129696cd93a1fbb22b80f40a943c0cc3df3a3b72828bc868cb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        0304332c0cbe86949ce18e246c2c936a

        SHA1

        de1908086d0e202d621d425f1d78c73ed82681ca

        SHA256

        a8fda2fa9dee99a9398429bb035c7388aa4870b8c8937b848de3c530478adc91

        SHA512

        9e38104454fd450a7ce44ba4e89c896a82f9454b9fdd78e1cd7f7de4c8d891c07a04cd28ec80bf82cfa4922a63a9c2af3daecdb4acec8fffbddbcd74d7ea3751

        Download Submit

      • C:\hyperprovidernetCommon\2ljacxinndiciEWf.bat
        Filesize

        85B

        MD5

        a436f47e288aec61b404a201a1804123

        SHA1

        690cbc048b9869ab2d2b44ee768f50d6f70204c1

        SHA256

        234f00d62571597987980b985bb658cb66241152e79e650a67eead897f6d1d43

        SHA512

        d919d24ef1de90a61ccf272bf80515eebff38b8392eebe9a389447e3a3cc31ce6f6782197025cade80cbec1da310a0b49df32ce2faee2fe1b94edd93677340b8

        Download Submit

      • C:\hyperprovidernetCommon\N7RAApaJedNAiIei7PmzIxjENbypjK6WEY7Bu.vbe
        Filesize

        217B

        MD5

        b1ee2467709d5369dd4360da76616312

        SHA1

        d12b98698416881d291b0c79c567310ae71353d2

        SHA256

        057d03229939e04c5f7d26ab6b7ed449e9f863ed44880762976a3e81184b9db2

        SHA512

        5d525e04acc96e3ac9aa9870a85cdee86fb60f0186baeca429274c044579bc6193ff65553bf1a0e44f144f639c9ad89326f37fbd666c95286d3d5a9f32673570

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\jjhge0li\jjhge0li.0.cs
        Filesize

        392B

        MD5

        11a3972ca02af9b4e0315019f0c12063

        SHA1

        f61b0372ff3a3c7e408efd6014825d2371ded066

        SHA256

        2a281056258ca50fc645fa71ff7b8240efa53c40fd258f14876a8d442d46f51e

        SHA512

        2dddb27c4843dfa1cb7579b35c36343d8db5778752bcbdae38f441d4d971b0ef9c2363a9b0c419c0c1468c27ab68430b92f008a886b421ce52403d89b0b4eebc

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\jjhge0li\jjhge0li.cmdline
        Filesize

        235B

        MD5

        0749dc96ba3ed2326af681a424b51e24

        SHA1

        164bdb3636bcb15ea1fbab3c8d0e38b9e01ac614

        SHA256

        e51e0c8db62c4b6ee7c8b83b0caed98c583fee132999f44daf012b15c0c78e33

        SHA512

        067425f36c967765fea9a66afa408db35459f574caee5a426e1fbb13e1693f81e50889077de0472b95dfd7fc739b3b0020a73dab9f884a9742495ef523232c56

        Download Submit

      • \??\c:\Windows\System32\CSCCFD9A6358E8B4A5DBEB942FF1EF6CA1A.TMP
        Filesize

        1KB

        MD5

        dbb2cd021b80875d9c777c705ef845c8

        SHA1

        3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

        SHA256

        a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

        SHA512

        a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

        Download Submit

      • \hyperprovidernetCommon\portsvc.exe
        Filesize

        1.5MB

        MD5

        6689bd9a5c795eedc631e5fbb850b7ff

        SHA1

        b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2

        SHA256

        cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

        SHA512

        ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf

        Download Submit

      • memory/1304-3637-0x0000000002790000-0x0000000002798000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1304-3636-0x000000001B590000-0x000000001B872000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1804-3640-0x0000000000A00000-0x0000000000A08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2640-58-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-42-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-22-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-20-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-16-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-24-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-78-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-76-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-72-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-70-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-66-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-64-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-62-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-60-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-68-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-56-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-54-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-50-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-48-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-46-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-44-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-52-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-40-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-38-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-36-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-34-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-32-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-30-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-28-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-26-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-74-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-19-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-15-0x000000001AE80000-0x000000001B054000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2640-14-0x000000001AE80000-0x000000001B05A000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2640-13-0x0000000000850000-0x0000000000858000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2640-3572-0x0000000000370000-0x000000000037E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2640-3574-0x0000000000380000-0x000000000039C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2640-3576-0x00000000003A0000-0x00000000003B8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2640-3578-0x00000000003D0000-0x00000000003DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3316-7201-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/3316-7202-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/3316-7203-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download