Overview

overview

10

Static

static

3

d347075029...85.exe

windows7-x64

10

d347075029...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

  • Size

    2.5MB

  • MD5

    dbb2561808f77df19c729393b7e2c004

  • SHA1

    d06044c1eb2f286017e03b02e389cca516c55fc0

  • SHA256

    d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885

  • SHA512

    54e8959bfc848bad7c2f97eacc8635e0316b68befd0bfa769b07c0216f2e89b84e4d187df15deeda2abbec95266083199879ddf2b8c88985ff79b22c8948b06f

  • SSDEEP

    49152:BTmiAznN8OLA03GMjKoZYz+WqE3GMAsH4wDnyBMzTvAaULscNpVQPUmXqO:0iAzSOLA0cooNrkSD6brVlU

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
    "C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
      "C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
      2⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\taskhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\explorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xi7FenmHsd.bat"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\SysWOW64\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            5⤵
              PID:1268
          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe
            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe
              "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\attachments\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:276

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\MSBuild\smss.exe
      Filesize

      2.5MB

      MD5

      5ab7242d97e0ab7e9c461ddc6b3d5dce

      SHA1

      3d463c4a4a0b5cf8b64a713a1708336c4fdea4d9

      SHA256

      736d0e1ff9ab9e00300aa8aa9936de0f940efba8cd7b9bfe97eaa55c1d1cf4f6

      SHA512

      0b923f8113329be82cbb07c56c55e5a02cab7a354db2e4f7229ebd3878cc6a35f7ce0c9a4b5301ff05e3fdcd3c939875374851d5021469cc705446326ea6075b

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe
      Filesize

      2.5MB

      MD5

      942f257982ffd689e06a17f313391f4d

      SHA1

      a57b55c99fcd7019b769fc1f334a118f40d4a9b7

      SHA256

      640d6a88c5f5e6311b4b0a19cb2ceb9c6a7107db3b4011a60767f1318aa7dac4

      SHA512

      e2a311a00b2939f6df1475369f62648483a49ceb4f29bbf268984e75160e193023541aeffd25d18ee09d7714011aa3eae64a0c6b0915fce8dcba1d24038774e4

      Download Submit

    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
      Filesize

      2.5MB

      MD5

      fc6c20d81ed6af96fd298a4480ab6506

      SHA1

      ce691784bae9896b7ee9545b2c13a62aea015e23

      SHA256

      ee891734bf75d3e7cd26d5dc17d70062aa3de9eec9df31f127954b7df123176a

      SHA512

      a75aac72d0fbf286b3b962e9a342c51bb0132b0ffcda74c28c37d7c477d7057d95f9f16db306c3872790a7785563ec32cb97e63f302ba071ebd7d0cd682705d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xi7FenmHsd.bat
      Filesize

      240B

      MD5

      4257c4a449f3120f627b3a392da27060

      SHA1

      9458f58b59e7366cd8c3a63f05a5d52880c882c4

      SHA256

      ccbf60e4dad76aac316ccf3b109a62c282340ace67a9b378a9a753e0dd9b5e85

      SHA512

      a8d243499d01d7757afd33b22fbfe24bdefbf21e43ba68a00775e740247afea803cb316ac16e19fb305259792ef9002d7a204cce4ed90663df30c497f95fea20

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d8d00ad551280c3c59d6533209f07e68

      SHA1

      35c3b6c09e2f501d0210bfaeebf5de823e0b8963

      SHA256

      e7e750eb8ffa76fb88168a4bdee9849511226a2d27e83960614d3902c7aba116

      SHA512

      bcfb03d1f5bf4f6a406080c682ddc1c82b85ab4c39a1905e33d46254b0fcd23363d9726159cacac2a14e3511589564417ff8ca903e061e4bed1b6c14bef77e5e

      Download Submit

    • C:\Users\Default\dwm.exe
      Filesize

      2.5MB

      MD5

      dbb2561808f77df19c729393b7e2c004

      SHA1

      d06044c1eb2f286017e03b02e389cca516c55fc0

      SHA256

      d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885

      SHA512

      54e8959bfc848bad7c2f97eacc8635e0316b68befd0bfa769b07c0216f2e89b84e4d187df15deeda2abbec95266083199879ddf2b8c88985ff79b22c8948b06f

      Download Submit

    • C:\Users\Default\dwm.exe
      Filesize

      2.5MB

      MD5

      a8237e7a2e80214499347969a6680751

      SHA1

      3f1c2716bab932b81324b140fcefd0f1172851bc

      SHA256

      61196b389a60a164f172421fd82d1d6806c514297f021c67f4be8d763d942b02

      SHA512

      82cb482bf413c9810d6272de9c317f78ca730238f1ea2b775ac28f013f2a4f355220e8f6ab77d3e9c11da4efd18a633854e55d2561535f79c076614d2d68d6f5

      Download Submit

    • memory/1952-24-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1952-0-0x000000007408E000-0x000000007408F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1952-1-0x0000000000FD0000-0x0000000001250000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1952-2-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1952-3-0x0000000000590000-0x00000000005AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1952-4-0x000000007408E000-0x000000007408F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1952-5-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1952-8-0x0000000009CA0000-0x0000000009EC6000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1952-6-0x00000000005F0000-0x00000000005FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1952-7-0x0000000008860000-0x0000000008A90000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2020-200-0x0000000000910000-0x0000000000B90000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2192-23-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-22-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-26-0x0000000000360000-0x0000000000368000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2192-27-0x0000000000370000-0x000000000038C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2192-28-0x00000000003A0000-0x00000000003B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2192-29-0x00000000003B0000-0x00000000003C6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2192-30-0x00000000006C0000-0x0000000000716000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2192-31-0x0000000000710000-0x000000000071E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2192-32-0x0000000000790000-0x000000000079C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2192-13-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-14-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-25-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-19-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-111-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-18-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2192-169-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-11-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2192-195-0x0000000074080000-0x000000007476E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-9-0x0000000000400000-0x00000000005D8000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2480-209-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download