Overview

overview

10

Static

static

10

b1ed8df7e6...13.exe

windows7-x64

10

b1ed8df7e6...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 02:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1ed8df7e68c8e614b3dc1b91fde36e41d5564b9404c2e36f9d7b756790f2f13.exe

  • Size

    1.7MB

  • MD5

    62b108ad83c4b340fe2bcad3cdaca141

  • SHA1

    ddf933ec41d253e8ead1ce923762f8fcdf36cc2d

  • SHA256

    b1ed8df7e68c8e614b3dc1b91fde36e41d5564b9404c2e36f9d7b756790f2f13

  • SHA512

    1ed101896adcd32440e79b2bb425e9a5a9753c3bf6c6d11ef19b2525a93ae1316ecb779b2a6250318f34c3872d3c4de7e522050dda9516afc0f8e96d554cf76c

  • SSDEEP

    49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvt:uTHUxUoh1IF9gl20

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1ed8df7e68c8e614b3dc1b91fde36e41d5564b9404c2e36f9d7b756790f2f13.exe
    "C:\Users\Admin\AppData\Local\Temp\b1ed8df7e68c8e614b3dc1b91fde36e41d5564b9404c2e36f9d7b756790f2f13.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Program Files\Windows Security\BrowserCore\sppsvc.exe
      "C:\Program Files\Windows Security\BrowserCore\sppsvc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4d53b0-2843-4e28-a2fa-ad8e0f474e69.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Program Files\Windows Security\BrowserCore\sppsvc.exe
          "C:\Program Files\Windows Security\BrowserCore\sppsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:640
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7513522f-08ef-49c7-8e3b-c6c49ce3ebc2.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Program Files\Windows Security\BrowserCore\sppsvc.exe
              "C:\Program Files\Windows Security\BrowserCore\sppsvc.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4876
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add85742-a282-45fe-86f1-7099f2fd241b.vbs"
                7⤵
                  PID:4292
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ded7201-96e9-4100-94ff-38ec685d0222.vbs"
                  7⤵
                    PID:1108
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f00beb-7d38-40e6-888f-fe025af6a27f.vbs"
                5⤵
                  PID:4008
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d2e15c-011b-4ecc-b57d-148759835083.vbs"
              3⤵
                PID:2768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:688

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Windows Security\BrowserCore\sppsvc.exe
            Filesize

            1.7MB

            MD5

            8c91e951f1d52f5f00890e2f01e778ac

            SHA1

            41ee1a5b87e0e18a9c08f0a6b3d6117228dde2ca

            SHA256

            55fc332992b80eb5e458a618a1e3bb5f5a701fca4f2b9e3791f7d4b02e3cfef0

            SHA512

            ce8d008f7b36c510e4f89a9fc30dbce8eccb8489831caa1c910192772572dc69f36c913ee730f3f31220bef4368d76c6180c9ee0579525fb622de7ef26acf066

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
            Filesize

            1KB

            MD5

            4a667f150a4d1d02f53a9f24d89d53d1

            SHA1

            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

            SHA256

            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

            SHA512

            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            5f0ddc7f3691c81ee14d17b419ba220d

            SHA1

            f0ef5fde8bab9d17c0b47137e014c91be888ee53

            SHA256

            a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

            SHA512

            2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            ecceac16628651c18879d836acfcb062

            SHA1

            420502b3e5220a01586c59504e94aa1ee11982c9

            SHA256

            58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

            SHA512

            be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            62623d22bd9e037191765d5083ce16a3

            SHA1

            4a07da6872672f715a4780513d95ed8ddeefd259

            SHA256

            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

            SHA512

            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            d28a889fd956d5cb3accfbaf1143eb6f

            SHA1

            157ba54b365341f8ff06707d996b3635da8446f7

            SHA256

            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

            SHA512

            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3f4d53b0-2843-4e28-a2fa-ad8e0f474e69.vbs
            Filesize

            732B

            MD5

            c31a0188380c91ab1b3f09404e845818

            SHA1

            bea958f8747bdbf129b90eb21dd341b7ada3cd7d

            SHA256

            63f19555c501f265137817137f4b8aef25dc4ebee9c6bc34036df42de14094de

            SHA512

            8a0eeafa9af5999e0b88127f321c5590ef8935ae74c8c212c49dd7f7b127eaaf70cc76fec0bf9956ae8435e4131ba7b3be5e48f081419f232a665b491d459a8f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7513522f-08ef-49c7-8e3b-c6c49ce3ebc2.vbs
            Filesize

            731B

            MD5

            7dfeadb5a49651f38a9a104f15ac1ada

            SHA1

            a5828230d79ebfbea16e16bc04e2a983f6018668

            SHA256

            f80a772f65b406bdd35335a0bc5518d40e073da060e039010ead09cc5e591894

            SHA512

            da4af39baac6ae86fd351aa772c729bd3b04d2e87a597185c9af62313a5c1bb4386dc1b3bf300c693b647130f77b4a13b4120865039eed83f34b11fdcd6836fe

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RCXB94E.tmp
            Filesize

            1.7MB

            MD5

            5adb3b76b3c985bf7eaee7245a0e9f40

            SHA1

            4c1f2c2a7e5fab59b7c349215411f72c589a5515

            SHA256

            18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8

            SHA512

            bf9bec6624e7781991f752f63eff5622f43f7c11aa561138200f8693f50d4b5bca90c85c168de72bc390273649a5c0aeccc3ce4b070e27bbbd69f6d118bd80ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_varlfq1c.ruf.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\add85742-a282-45fe-86f1-7099f2fd241b.vbs
            Filesize

            732B

            MD5

            a987bb94d22148741adbac06852691fc

            SHA1

            1332a73f2e7ed84deb4339683f9c8681f9ce757d

            SHA256

            e5fbd394edde24554dc507ce9ca9b90ca04c8c14524216c3da6ede3cc22b3265

            SHA512

            1a665c10c4e6cf9b349715216c5735d8949c70584a1030d43c84f2f608153e2dca39867b5b9cb501854c31b9e37425d3cf52061cd9349a0b2abce114c8d939c7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d9d2e15c-011b-4ecc-b57d-148759835083.vbs
            Filesize

            508B

            MD5

            2358eaa078605cd4e5ec1aea66e7d98c

            SHA1

            ae4512989c32b07ee042689eb9c010f342f8af43

            SHA256

            bfb8f6aae3c506cc34d2b6c5d5d20aeaabf800eff202c3a2c0e80c06d62f8446

            SHA512

            6e08f97cecef5651d8c474e15caa4697271b1a6b538ac057a850c91a3e0cc473d32198d1b8f47506313e2dc63c183d15fffa8abbfe7ecd4901a74c8f75755614

            Download Submit

          • memory/2120-228-0x0000000000170000-0x0000000000330000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2120-230-0x000000001ADC0000-0x000000001ADD2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3404-126-0x00000188B12C0000-0x00000188B12E2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4440-9-0x000000001BD10000-0x000000001BD1C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4440-12-0x000000001BD30000-0x000000001BD42000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4440-15-0x000000001C4D0000-0x000000001C4DA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4440-20-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4440-23-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4440-17-0x000000001C4F0000-0x000000001C4F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4440-19-0x000000001C610000-0x000000001C61C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4440-18-0x000000001C600000-0x000000001C60C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4440-14-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4440-13-0x000000001C8F0000-0x000000001CE18000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4440-229-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4440-16-0x000000001C4E0000-0x000000001C4EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4440-10-0x000000001BD20000-0x000000001BD28000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4440-0-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4440-7-0x000000001BBD0000-0x000000001BBE6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4440-8-0x000000001BBF0000-0x000000001BC00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4440-5-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4440-6-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4440-4-0x000000001C350000-0x000000001C3A0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4440-3-0x0000000003170000-0x000000000318C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4440-2-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4440-1-0x0000000000EE0000-0x00000000010A0000-memory.dmp

            Filesize

            1.8MB

            Download