Overview

overview

10

Static

static

10

ab07eea7bf...29.exe

windows7-x64

10

ab07eea7bf...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

  • Size

    3.4MB

  • MD5

    4626a1483d82cf0be9302c305f6b54c4

  • SHA1

    7f16e6aee9e0967b26e36b11de4654cfbffe2675

  • SHA256

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

  • SHA512

    6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

  • SSDEEP

    49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdpe:xZzU4c5SMXq7miAX2SNty1xPuMyHpe

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
    "C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4548
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SajAHqgZ0I.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:736
        • C:\Recovery\WindowsRE\dllhost.exe
          "C:\Recovery\WindowsRE\dllhost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4604
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c36fbac-416d-40d4-8d01-1277e37a1905.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2464
            • C:\Recovery\WindowsRE\dllhost.exe
              C:\Recovery\WindowsRE\dllhost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3624
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd5f2b3-1f96-4e44-8225-3c1431995616.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2068
                • C:\Recovery\WindowsRE\dllhost.exe
                  C:\Recovery\WindowsRE\dllhost.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:856
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c34e5f4-84d2-4fdc-a0e9-52108d2ee5b4.vbs"
                    8⤵
                      PID:1264
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\478202cb-fcb9-4fbd-a475-b9dafd73c821.vbs"
                      8⤵
                        PID:2300
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc7af76c-6cf6-488f-aabf-e195e02b3140.vbs"
                    6⤵
                      PID:3288
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4862033-52d7-4c3d-acb8-a83119d2adb9.vbs"
                  4⤵
                    PID:3532
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3820
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1000
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3720
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\TextInputHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3736
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4800
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\upfc.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1932
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3272
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3772
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3056
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5044
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2940

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
              Filesize

              1KB

              MD5

              49b64127208271d8f797256057d0b006

              SHA1

              b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

              SHA256

              2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

              SHA512

              f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\2c34e5f4-84d2-4fdc-a0e9-52108d2ee5b4.vbs
              Filesize

              708B

              MD5

              285964ff35ed1285913f5f457c750783

              SHA1

              c796c5109f3c7b4cdce08ed4576f8a7926d1e5f2

              SHA256

              8c28a7a3aa424403f94052cd4c2ba59c48bb0fe0369fbf10bc1528df8fb2dfae

              SHA512

              829ac78505af6b8f58fd1c3b07112a083f109125b20c3bcd510b31aeb43c5447286d2171d9d792e5bd6028c5854d6070d2fec67477ca652d91569912b346e9ec

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3c36fbac-416d-40d4-8d01-1277e37a1905.vbs
              Filesize

              709B

              MD5

              bee135c0a2e9449c92aec656da45fb25

              SHA1

              7babd6c2c270c8cab535ddd96891a6db049bb2c2

              SHA256

              9f1321c299477c493af441285ed032f90681285098104d4834e596d0e3afed62

              SHA512

              165cd9a6aca2a9560090db942b6c8d885e6d8068bd281280154a2a02a7cf9353fe339bf3117b2f8b443268a77119b9fcf89346976f6711aab0e43b9975d9a363

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\SajAHqgZ0I.bat
              Filesize

              198B

              MD5

              71a18bfddd40751f58e74330a1fc9fbc

              SHA1

              d8982478fc96bc04f5b6294aef75c35a8893fd3f

              SHA256

              f3f8e662a1625b55cf2f6323502d5935529d99ecf121b4bfd194c6648e2f1aaa

              SHA512

              9415dbbf2ec1998797b59b846f7ac350b591ac0b908093d624a9fdd68890203c9d09079f58f04e9eb4c83202677fa11be4413d2f4ffe7507d7f5ab98a70b448b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a4862033-52d7-4c3d-acb8-a83119d2adb9.vbs
              Filesize

              485B

              MD5

              7751d44f699409b4fb053bf3bc26defd

              SHA1

              01bbfc600f73d5c72facc9e2d9181d2089f1c660

              SHA256

              5549afe5676f0fd103e920f3b60fad7001956dfbcbb4cb1ceba1c6726dc92240

              SHA512

              06396481e665a2dd4706ab9529694ec3b79b45d3d6fcf551dc7679b3e006aa3ed7e9249a0700ab8d9686940b45d6201fc34e36608dd0409c2ef583694d2dfbd5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cbd5f2b3-1f96-4e44-8225-3c1431995616.vbs
              Filesize

              709B

              MD5

              a8327e7dfd1aebb3555762811991b9fa

              SHA1

              a3dbcd4bcbbea65c9de6a43ca01dcd45fe2a261b

              SHA256

              d04b981be5f17848f7da293864f0047cbc22dfd316d1c38d3aba777440895063

              SHA512

              f63135ec9c02a5e044a4047059571d881e22efa1dadbfff3b8ca4eb495a4e619adbc6005a3ba5e5689f229fd12be8751585db6ab61738a9723c821f4f196d17b

              Download Submit

            • C:\Users\Public\AccountPictures\dwm.exe
              Filesize

              3.4MB

              MD5

              4626a1483d82cf0be9302c305f6b54c4

              SHA1

              7f16e6aee9e0967b26e36b11de4654cfbffe2675

              SHA256

              ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

              SHA512

              6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

              Download Submit

            • memory/856-89-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3624-77-0x000000001BFA0000-0x000000001BFB2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4548-19-0x000000001BF40000-0x000000001BF48000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-25-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-6-0x00000000032E0000-0x00000000032FC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4548-7-0x000000001BD30000-0x000000001BD80000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4548-8-0x0000000003300000-0x0000000003308000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-9-0x0000000003310000-0x0000000003320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4548-10-0x0000000003320000-0x0000000003336000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4548-11-0x0000000003340000-0x0000000003348000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-12-0x000000001BDA0000-0x000000001BDB2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4548-13-0x000000001BD90000-0x000000001BD9C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-14-0x000000001BD80000-0x000000001BD88000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-15-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4548-16-0x000000001BDC0000-0x000000001BDCA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4548-17-0x000000001BDD0000-0x000000001BE26000-memory.dmp

              Filesize

              344KB

              Download

            • memory/4548-18-0x000000001BF30000-0x000000001BF3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-4-0x00000000032C0000-0x00000000032CE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4548-20-0x000000001BF50000-0x000000001BF5C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-22-0x000000001BF70000-0x000000001BF82000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4548-21-0x000000001BF60000-0x000000001BF68000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-23-0x000000001CBF0000-0x000000001D118000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4548-24-0x000000001BFA0000-0x000000001BFAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-5-0x00000000032D0000-0x00000000032D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-27-0x000000001C6E0000-0x000000001C6EC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-26-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-28-0x000000001C6F0000-0x000000001C6FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-29-0x000000001C800000-0x000000001C808000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-30-0x000000001C810000-0x000000001C81C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-34-0x000000001C950000-0x000000001C95E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4548-33-0x000000001C940000-0x000000001C948000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-32-0x000000001C930000-0x000000001C93E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4548-31-0x000000001C820000-0x000000001C82A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4548-39-0x000000001C990000-0x000000001C99C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-38-0x000000001CA90000-0x000000001CA9A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4548-37-0x000000001C980000-0x000000001C988000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-36-0x000000001C970000-0x000000001C97C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4548-3-0x00000000032B0000-0x00000000032BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4548-2-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4548-1-0x0000000000E30000-0x000000000119A000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/4548-0-0x00007FFFAC463000-0x00007FFFAC465000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4548-35-0x000000001C960000-0x000000001C968000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4548-59-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4604-64-0x000000001BCB0000-0x000000001BD06000-memory.dmp

              Filesize

              344KB

              Download