Overview

overview

10

Static

static

3

0ffaeedc37...0N.exe

windows7-x64

10

0ffaeedc37...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2024, 04:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe

  • Size

    1.9MB

  • MD5

    2123f0ed99f66156c6504fbbdaf2c7b0

  • SHA1

    110a8c7145539bef2c86851076fa63f9dab9967c

  • SHA256

    0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10

  • SHA512

    2c128bf35bff96204d27fdaa9112807d63d9de8c9b5923a0059b40ebbf381ad2ae95f3a4323877f97c5a9ba4cc3219fabdfebeaa30431189f815dc0f575c1511

  • SSDEEP

    49152:zES0GzPDPtGUE/Nb8HdX+rKXJyCnKhgLn0Hc:zES0qybydXUyfK2LC

Score
10/10
dcratexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\twvrqjfj\twvrqjfj.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp" "c:\Windows\System32\CSC3872377F71964A49BBF746DA7AD99D3E.TMP"
        3⤵
          PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\Idle.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\sppsvc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srDwDzQ66H.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:608
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2228
            • C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe
              "C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ehome\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1720
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1376
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1424
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N0" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N0" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10N.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:588

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp
          Filesize

          1KB

          MD5

          f02cf3b3d19fe89edbc7c86484bdfd72

          SHA1

          ce76ff794f10d4461c312f6f170ad58be716ca4f

          SHA256

          8d4d9ba9650a761173ac0426ea5d53bebd116d9a93d67ffdaa7a069cf41f2d39

          SHA512

          a12cf9af4878b4f6567d05d97c1371b507e1f30c13e3eb3370c72be8bcf8cee9ecb5dea85a2e777353d5d3e094c291276382e8e2ebb5ec7c8b72e99e8a52c656

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\srDwDzQ66H.bat
          Filesize

          279B

          MD5

          4292dc0cb8c8c2368dd6fc121c9c8399

          SHA1

          4a3bc3b4b3e95912fe39df0d934ae81b641d98a6

          SHA256

          121a8a0bac3f33ad1a67a9a3b959a42496d405d169bdd6aed546057e17c777c4

          SHA512

          48fb56b318d08233f7e9753bd5c96ad8f5a26aa9be8064027c553c0cffffee7f5edd1dc71dcde7adc2a000fab284c4e712db0a478f3a30e479164dc9bfd8f527

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V1EMUFHEF8U2AQ1LBAIB.temp
          Filesize

          7KB

          MD5

          3f56b8925a03ddfcfd8d8a1a06e32f63

          SHA1

          cff2d066a6940f128085b871ff0027ff58135c40

          SHA256

          277a90c514f76faee0444a621cdb255bc686103b432c1e5248500ed9010d8f68

          SHA512

          0d66a60c30a487e3bc241830f2e83afdcd8576a4d605b01674d9ebce63f8f5947945a3613d57663ba6dd87c8d757b9b9afe86644ae331d87e15b985d605712a3

          Download Submit

        • C:\Windows\ehome\Idle.exe
          Filesize

          1.9MB

          MD5

          2123f0ed99f66156c6504fbbdaf2c7b0

          SHA1

          110a8c7145539bef2c86851076fa63f9dab9967c

          SHA256

          0ffaeedc37c79a75072e8a7087803430a13882f3cf31e803263bc8e2febd3c10

          SHA512

          2c128bf35bff96204d27fdaa9112807d63d9de8c9b5923a0059b40ebbf381ad2ae95f3a4323877f97c5a9ba4cc3219fabdfebeaa30431189f815dc0f575c1511

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\twvrqjfj\twvrqjfj.0.cs
          Filesize

          357B

          MD5

          1c4c6fd7fc1c412cdea3b464f1d2bec1

          SHA1

          87a2bb2ba60fce58bdc771d8126f530571f92417

          SHA256

          535cb4d94d2f73f827133934c4bfb0b69fe35ab0886248aea94afc3f34ab8f99

          SHA512

          8acf6510f64c29b7ec71a006bf98aa56f083d3fdcb73628085c72ddd6f0206cafb0e60c79f14ecfce0dd8019d488e114ec8308a58a809132b8b3ec48d6470771

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\twvrqjfj\twvrqjfj.cmdline
          Filesize

          235B

          MD5

          14f2938a02784af291fab00d8c039f75

          SHA1

          b4797548dee619f0e26d90f2fb9373ef50fe6b8e

          SHA256

          37315221a1b8607fa8b3a29494f7541782ecd13ccd489c2a06c73c1c3be137e8

          SHA512

          5015ba303bfeba0bd67b0f275464c319dadf36faa74a8fbd218dee1eeddf9b4ffb568424adfd2c2db396e2ef3ea054f379971d550eb72a503c7170db60714b34

          Download Submit

        • \??\c:\Windows\System32\CSC3872377F71964A49BBF746DA7AD99D3E.TMP
          Filesize

          1KB

          MD5

          332eb1c3dc41d312a6495d9ea0a81166

          SHA1

          1d5c1b68be781b14620d9e98183506f8651f4afd

          SHA256

          bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

          SHA512

          2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

          Download Submit

        • memory/1176-147-0x00000000000A0000-0x0000000000298000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2332-70-0x0000000002860000-0x0000000002868000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2332-69-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2744-8-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-14-0x0000000000290000-0x000000000029E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2744-20-0x0000000000300000-0x000000000030C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2744-21-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-35-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-36-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-16-0x00000000002A0000-0x00000000002AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2744-26-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-23-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-18-0x00000000002F0000-0x00000000002FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2744-12-0x00000000002D0000-0x00000000002E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2744-10-0x00000000002B0000-0x00000000002CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2744-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2744-7-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-53-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-6-0x0000000000280000-0x000000000028E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2744-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-3-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2744-1-0x0000000000A50000-0x0000000000C48000-memory.dmp

          Filesize

          2.0MB

          Download