Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2025 03:32

General

  • Target

    433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

  • Size

    1.8MB

  • MD5

    d7e7b597ce0c3a87c408c197af695fc4

  • SHA1

    abf13cbcb77d1fe2270b3b7746087419f366748d

  • SHA256

    433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

  • SHA512

    7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91

  • SSDEEP

    24576:fpu2MG9vXL71sCw7sULd3yRsjBp2gltcEA4pUiD7nApwp6t1:Bu2Mw7Y0RsrB5UiD8pw

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates that the parent process was compromised via an exploit or macro. In this run the signature fires on the fifteen schtasks.exe invocations, which the tree records at depth 1 with no attributed parent.

  • DCRat payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Every hit here is an Add-MpPreference -ExclusionPath call for one of the five locations the sample drops its copy into, so Defender will not scan the persisted binaries.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates installed browsers and their profile data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems. The single hit here is `ping -n 10 localhost` from the dropped batch file; pinging the loopback address is a delay of roughly nine seconds before the renamed copy is launched, not a connectivity check.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    schtasks.exe is commonly used by malware for persistence or post-infection execution. This sample creates fifteen tasks, three per drop path: one ONLOGON task with /rl HIGHEST, and two MINUTE-interval tasks that share a task name (for example "SystemS"), one without /rl and one with /rl HIGHEST. Because every call passes /f, the second MINUTE task silently replaces the first.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
    "C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ursq4oyw\ursq4oyw.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2F2.tmp" "c:\Windows\System32\CSC192333977344A06B4BC19CE53B083AC.TMP"
        3⤵
          PID:3696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\RuntimeBroker.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xKhr3C7ze.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2396
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4256
          • C:\Program Files\Windows Mail\RuntimeBroker.exe
            "C:\Program Files\Windows Mail\RuntimeBroker.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3764
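The command lines above are what a hunt over process-creation telemetry (Sysmon event 1, or 4688 with command-line auditing) has to catch. The script below is an added example, not part of the sandbox report and not DCRat's own code: it flags Add-MpPreference exclusions, schtasks /create persistence, and ping-to-loopback delays, marks targets whose file name borrows a Windows binary but lives outside that binary's real directory, and then intersects the excluded and scheduled paths to show which drop locations received both treatments. The sample input is copied from the process tree above plus one constructed benign line; the LEGIT_DIRS table is a constructed minimum for this report and the thresholds (ping count of 3 or more) are assumptions.

```python
"""Hunt process-creation command lines for the DCRat behaviours shown in the report:
Defender exclusions, schtasks persistence, and ping-based delays (added example)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Directory where Windows really ships each binary name the sample borrows (lower-case).
# Assumption: a constructed minimum for this report; derive it from a clean image for real hunting.
LEGIT_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "sppextcomobj.exe": {r"c:\windows\system32"},
}

_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
_TASK = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
_TR = re.compile(r"/tr\s+\"'?(.+?)'?\"", re.I)  # matches /tr "'C:\path\x.exe'" as used above
_PING = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\b", re.I)

# Constructed sample: lines copied from the process tree, plus one benign control line.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Recovery\\WindowsRE\\System.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Desktop\\explorer.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Windows Mail\\RuntimeBroker.exe'",
    "schtasks.exe /create /tn \"System\" /sc ONLOGON /tr \"'C:\\Recovery\\WindowsRE\\System.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"RuntimeBrokerR\" /sc MINUTE /mo 8 /tr \"'C:\\Program Files\\Windows Mail\\RuntimeBroker.exe'\" /f",
    "schtasks.exe /create /tn \"csrss\" /sc ONLOGON /tr \"'C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe'\" /rl HIGHEST /f",
    "chcp 65001",
    "ping -n 10 localhost",
    "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\Admin\\notes.txt",  # constructed, not from the report
]


@dataclass(frozen=True)
class Finding:
    rule: str          # behaviour that matched
    target: str        # path (or host) the command acts on
    masquerade: bool   # target borrows a Windows binary name but lives outside its real directory
    detail: str


def _opt(flag: str, cmdline: str) -> str:
    """Value of a schtasks-style `/flag value` option, without surrounding double quotes."""
    m = re.search(rf"{re.escape(flag)}\s+(\S+)", cmdline, re.I)
    return m.group(1).strip('"') if m else ""


def is_masquerading(path: str) -> bool:
    name = ntpath.basename(path).lower()
    return name in LEGIT_DIRS and ntpath.dirname(path).lower() not in LEGIT_DIRS[name]


def analyze(cmdline: str) -> list[Finding]:
    found: list[Finding] = []
    if m := _EXCL.search(cmdline):
        target = m.group(2).strip()
        found.append(Finding("defender_exclusion", target, is_masquerading(target),
                             f"-Exclusion{m.group(1)} added from the command line"))
    if _TASK.search(cmdline):
        tr = _TR.search(cmdline)
        target = tr.group(1) if tr else ""
        sched = _opt("/sc", cmdline).upper()
        detail = f"/tn {_opt('/tn', cmdline)} /sc {sched}"
        if sched == "MINUTE":
            detail += f" every {_opt('/mo', cmdline)} min"
        if _opt("/rl", cmdline).upper() == "HIGHEST":
            detail += ", /rl HIGHEST (runs elevated)"
        found.append(Finding("schtasks_persistence", target, is_masquerading(target), detail))
    if (m := _PING.search(cmdline)) and int(m.group(1)) >= 3:  # threshold is an assumption
        n = int(m.group(1))
        found.append(Finding("ping_sleep", m.group(2), False,
                             f"ping -n {n} to loopback: roughly a {n - 1}s delay, not connectivity discovery"))
    return found


def hunt(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in analyze(c)]


def excluded_and_scheduled(findings: list[Finding]) -> set[str]:
    """Paths that received both a Defender exclusion and a scheduled task: the footholds to remove first."""
    by_rule: dict[str, set[str]] = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(f.target.lower())
    return by_rule.get("defender_exclusion", set()) & by_rule.get("schtasks_persistence", set())


if __name__ == "__main__":
    results = hunt(SAMPLE_CMDLINES)
    for f in results:
        print(f"{f.rule:22} masquerade={str(f.masquerade):5} {f.target} :: {f.detail}")
    print("excluded AND scheduled:", sorted(excluded_and_scheduled(results)))
```

On the sample above the script reports three exclusions, three tasks and one ping delay; the explorer.exe, RuntimeBroker.exe and csrss.exe targets are flagged as masquerading because those names never ship under Users\Public, Program Files or Program Files (x86), while System.exe is not a Windows binary at all and is left to the exclusion and task rules. The intersection step is the useful part for response: a path that is both excluded from Defender and wired into the Task Scheduler is where the implant expects to survive a reboot.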

      Downloads

      • C:\Program Files\Windows Mail\RuntimeBroker.exe

        Filesize

        1.8MB

        MD5

        d7e7b597ce0c3a87c408c197af695fc4

        SHA1

        abf13cbcb77d1fe2270b3b7746087419f366748d

        SHA256

        433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

        SHA512

        7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        2e907f77659a6601fcc408274894da2e

        SHA1

        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

        SHA256

        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

        SHA512

        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      • C:\Users\Admin\AppData\Local\Temp\0xKhr3C7ze.bat

        Filesize

        175B

        MD5

        80224ae77b9a78992c661d025152fddb

        SHA1

        95d63720c8baee3fa362d0ff6be8e7cee4c75128

        SHA256

        b8bb958a67f82a4c1a08bdc90384c8c97f79b55f251f2d7fefcdce99f322b35c

        SHA512

        f7947c28aefb7b5d268874140963714b374a2deac1f01a99dad757269e94b5b0c65dd65f22bc5e638491c003f14cac1d5662330a8d42d953dc44d2b2adf1d54c

      • C:\Users\Admin\AppData\Local\Temp\49DpWgaTLd

        Filesize

        116KB

        MD5

        f70aa3fa04f0536280f872ad17973c3d

        SHA1

        50a7b889329a92de1b272d0ecf5fce87395d3123

        SHA256

        8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

        SHA512

        30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

      • C:\Users\Admin\AppData\Local\Temp\RESC2F2.tmp

        Filesize

        1KB

        MD5

        8ff95bf41b0d5f6ff663f9981e2846d1

        SHA1

        85ce0214b37b84c247e668a6b2d8fa4d4b1b9751

        SHA256

        b84e3a513ef87eb50ed84c1156f7f62be229f83ff22f302c200ec60d2160a5ec

        SHA512

        4375b45188d712865d76aa4cfd13a5b8049ecb32078415430ab2345ef35975329706f84528caf81f683b10d45cbde60d9955c9a6e0517cb92b9a4b1ecad43def

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwrpsvnb.ymq.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\ecgoKWwoY0

        Filesize

        114KB

        MD5

        2ba42ee03f1c6909ca8a6575bd08257a

        SHA1

        88b18450a4d9cc88e5f27c8d11c0323f475d1ae6

        SHA256

        a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd

        SHA512

        a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

      • \??\c:\Users\Admin\AppData\Local\Temp\ursq4oyw\ursq4oyw.0.cs

        Filesize

        364B

        MD5

        5b60203bf5f49ee1f2128575fec475ad

        SHA1

        015249ab4ff3df4f097d6f47dcb516162f1d8519

        SHA256

        34f20a2f0dda8b7e6689f19f9c30014d21d508338160dcefd6970ace05baffd4

        SHA512

        6a25a0df5b2fcdaa3ebeb84dbc970c7226ceed6827fac9367d3553e9ae8881d8727db8cd8dcecf8d9cb9dbec2f9e0dfa013769d6c11acdf2197a7db99b7b6b58

      • \??\c:\Users\Admin\AppData\Local\Temp\ursq4oyw\ursq4oyw.cmdline

        Filesize

        235B

        MD5

        53ca323014774e9f59cf5b6d1446b6b3

        SHA1

        a5f224f7715f4c30a8994badbad9841639152ce8

        SHA256

        8f8ead8ee917a20bdf06917034a6099d30d818d5109f3b50f43393049fdbaf65

        SHA512

        b14f5ee7a4e9afd57f14c4bc782af028162d173e7d752473d494c953d44ba7bd9450babe643901814b13fb1815e0dbbe5c55028829b2f762d2d6abcfb36e23d3

      • \??\c:\Windows\System32\CSC192333977344A06B4BC19CE53B083AC.TMP

        Filesize

        1KB

        MD5

        be99f41194f5159cc131a1a4353a0e0a

        SHA1

        f24e3bf06e777b4de8d072166cff693e43f2295c

        SHA256

        564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

        SHA512

        51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

      • memory/2000-79-0x000002E35A7E0000-0x000002E35A802000-memory.dmp

        Filesize

        136KB

      • memory/3652-151-0x000000001E270000-0x000000001E419000-memory.dmp

        Filesize

        1.7MB

      • memory/3652-192-0x000000001E270000-0x000000001E419000-memory.dmp

        Filesize

        1.7MB

      • memory/4588-18-0x00000000028E0000-0x00000000028EC000-memory.dmp

        Filesize

        48KB

      • memory/4588-25-0x000000001B3C0000-0x000000001B3CE000-memory.dmp

        Filesize

        56KB

      • memory/4588-23-0x000000001B3B0000-0x000000001B3BC000-memory.dmp

        Filesize

        48KB

      • memory/4588-30-0x000000001B5D0000-0x000000001B5E2000-memory.dmp

        Filesize

        72KB

      • memory/4588-28-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-31-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-32-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-33-0x000000001BB20000-0x000000001C048000-memory.dmp

        Filesize

        5.2MB

      • memory/4588-35-0x000000001B3D0000-0x000000001B3DC000-memory.dmp

        Filesize

        48KB

      • memory/4588-37-0x000000001B530000-0x000000001B540000-memory.dmp

        Filesize

        64KB

      • memory/4588-39-0x000000001B590000-0x000000001B59E000-memory.dmp

        Filesize

        56KB

      • memory/4588-41-0x000000001B610000-0x000000001B628000-memory.dmp

        Filesize

        96KB

      • memory/4588-46-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-45-0x000000001B680000-0x000000001B6CE000-memory.dmp

        Filesize

        312KB

      • memory/4588-43-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

        Filesize

        48KB

      • memory/4588-27-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

        Filesize

        72KB

      • memory/4588-21-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-16-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

      • memory/4588-20-0x00000000028F0000-0x00000000028FE000-memory.dmp

        Filesize

        56KB

      • memory/4588-0-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

        Filesize

        8KB

      • memory/4588-14-0x0000000002A10000-0x0000000002A28000-memory.dmp

        Filesize

        96KB

      • memory/4588-12-0x000000001B540000-0x000000001B590000-memory.dmp

        Filesize

        320KB

      • memory/4588-107-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-10-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-11-0x00000000028B0000-0x00000000028CC000-memory.dmp

        Filesize

        112KB

      • memory/4588-9-0x00000000028D0000-0x00000000028EC000-memory.dmp

        Filesize

        112KB

      • memory/4588-5-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-7-0x00000000010F0000-0x00000000010FE000-memory.dmp

        Filesize

        56KB

      • memory/4588-4-0x000000001B310000-0x000000001B336000-memory.dmp

        Filesize

        152KB

      • memory/4588-2-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

      • memory/4588-1-0x0000000000670000-0x0000000000840000-memory.dmp

        Filesize

        1.8MB