Overview

overview

10

Static

static

10

faa40b4bcb...1a.exe

windows7-x64

10

faa40b4bcb...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe

  • Size

    1.7MB

  • MD5

    8d57c2893df62748ad2a6023840a5ac2

  • SHA1

    2d7f94e19ce1f9f531c149370ed416ba7fea2ee0

  • SHA256

    faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a

  • SHA512

    68d7a6358ca50cbdd398fc04e53162ed6e16731ff28fcdb025947424d7232bc20136c2fe4725e82360a882ba279b75af90340d00928902a8d6f24bdf4ccd6390

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe
    "C:\Users\Admin\AppData\Local\Temp\faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Program Files\Windows Defender\ja-JP\wininit.exe
      "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f533e2fe-ff7a-4636-8ff2-2bedd7a63bae.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Program Files\Windows Defender\ja-JP\wininit.exe
          "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2208
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b1cb01-bd9d-4212-a7db-49c44deef885.vbs"
        3⤵
          PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Adobe\services.exe
      Filesize

      1.7MB

      MD5

      4396c50adcfde6c013c95aa22d57a9c6

      SHA1

      f0d6af62eb8a38fce6407def7768323eb1146385

      SHA256

      99a018d98cf623c7a280e90e1c052f02ab8dded8586eb7ed0d82c5c1873cfb84

      SHA512

      b8d4ec0b180e4d5a9879934b2735385cd0caa0419d26d67d927ea70926985fe3b6083a0013cd5598469f7becaa03ae24e2cd970af1e15c2046cc69784ee0435c

      Download Submit

    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe
      Filesize

      1.7MB

      MD5

      8d57c2893df62748ad2a6023840a5ac2

      SHA1

      2d7f94e19ce1f9f531c149370ed416ba7fea2ee0

      SHA256

      faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a

      SHA512

      68d7a6358ca50cbdd398fc04e53162ed6e16731ff28fcdb025947424d7232bc20136c2fe4725e82360a882ba279b75af90340d00928902a8d6f24bdf4ccd6390

      Download Submit

    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe
      Filesize

      1.7MB

      MD5

      55818e26fcd8eeb64a88463c4f913757

      SHA1

      06a4948454f3e51aaf7e6502eca6d3a79b4f0cb7

      SHA256

      8fd14d7161f12e69b080d9e38436e17b535c56eb549010fa2c1572ab8c96e0ae

      SHA512

      3d646a752584d6e8c854ce9576edc1056f08fc78a1dc50857abf92eb533b9a6af91c2c4e96945839ad098e1961abc1748afaa5bd18419e94a88e3ec9b3c59e7a

      Download Submit

    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
      Filesize

      1.7MB

      MD5

      0e5ba30e211777e00fb6029dbd3a5782

      SHA1

      c9136ed630cbc12efd4f2778b9c5ad3e70f1a58c

      SHA256

      c8429cf8d1d865fb92d68e0bfd42dcaa964e20b36c9a098be052c4e2003afe14

      SHA512

      6429df6523bf46c969821551059ec885f2fde3cd1b83e671b413cd75802ddbe6befd60ac044a6172d10db6d3b306d662c6d956ad2815636cdf6d55eb8a403844

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\28b1cb01-bd9d-4212-a7db-49c44deef885.vbs
      Filesize

      503B

      MD5

      76b47fc64502c0e0a2e3b192d2682dc3

      SHA1

      f75ed509da820fd89d06419cbf40a8a4b71dc6fc

      SHA256

      4881a6996950993aeda46f19d8cdd81aef3f55e9f0acc429d1bdbcb3494512a6

      SHA512

      3db31c06441613e2180a19ca7222a860fe5846511729883c800ce3c424f032306c3e3a24fc573ebeb943795a2e427c8c73f1d5a9e2ca0b4a80340a5051e1965c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\f533e2fe-ff7a-4636-8ff2-2bedd7a63bae.vbs
      Filesize

      727B

      MD5

      47e74ca7828af5b6e024f1828e0ea515

      SHA1

      cde046d01805bad3d895f58a181753b19ac1624b

      SHA256

      60b1e93a2ef99b5203b8ee284ee7bf94df78f8cccf7872be8ccf46112ccb7fa8

      SHA512

      8d3c4427ed000afe1cf7ff209d77c373a39c0499d61eef48e7b1cbf4e9f1a7f7e0c6642bc720a74c0d831697c3148b7250229f9578f1402f024c80b1e3595c0c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      45515c945777f01c54e5bcef7ce6d665

      SHA1

      132e5136fd5421aeca28d53cdda1723a15dda6ed

      SHA256

      92fbc6f2fcb5e21ea5cbb3ee71cca29febd0d668f16d2bbe67a695542c826bbd

      SHA512

      92299ca20e498823b02fab0b821443f42ef22913a2955e880d4eec70c519d8cde6b4f4a782214f1d365c52b85ce19469cd3dc10502e4d7f471fb059d59a66de9

      Download Submit

    • C:\Windows\Web\Wallpaper\Landscapes\System.exe
      Filesize

      1.7MB

      MD5

      f23e8eb44be9ff95a2c94ca29f818cbd

      SHA1

      b6b8f505bb689787c09ddeec1b3945487d9b0482

      SHA256

      7e15ac7c0e552e911e26dcafd4c636c93152f84c071bdd66ea063cea0cc47583

      SHA512

      d1ec012628a3c24acd17a618499d1242234aeb3832164cfdc4a6cfa8e3f7628ff305617432080ad3aeb859cdba23418c19173c038ff25fe2694945209e552fc3

      Download Submit

    • memory/916-161-0x000000001B810000-0x000000001BAF2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/916-167-0x00000000023A0000-0x00000000023A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-194-0x0000000000240000-0x00000000003F6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2208-226-0x0000000000270000-0x0000000000426000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2208-227-0x0000000000540000-0x0000000000552000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3036-8-0x00000000005A0000-0x00000000005B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3036-9-0x0000000000580000-0x000000000058C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3036-15-0x00000000020F0000-0x00000000020F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3036-17-0x00000000022B0000-0x00000000022BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3036-20-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3036-14-0x00000000006D0000-0x00000000006DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3036-16-0x00000000022A0000-0x00000000022AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3036-12-0x00000000006C0000-0x00000000006CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3036-10-0x00000000006B0000-0x00000000006B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3036-13-0x0000000002100000-0x000000000210C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3036-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3036-6-0x0000000000350000-0x0000000000366000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3036-7-0x0000000000570000-0x0000000000582000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3036-5-0x0000000000340000-0x0000000000350000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3036-200-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3036-4-0x0000000000330000-0x0000000000338000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3036-3-0x0000000000300000-0x000000000031C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3036-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3036-1-0x0000000000030000-0x00000000001E6000-memory.dmp

      Filesize

      1.7MB

      Download