Overview

overview

10

Static

static

10

eb829087dc...a1.exe

windows7-x64

10

eb829087dc...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe

  • Size

    2.2MB

  • MD5

    9ca4c55fca9566c4fa4190afc1e0f72d

  • SHA1

    6a5648d383c1e9fa49483c1a5c33fd4188dc2cae

  • SHA256

    eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1

  • SHA512

    aa0be340671557983bdd234aa2ce3781bbdf484a6de9f31f39139757d67dd9be45285a121d4e250b79da16fb5f80d2f98b4d9dbd661ffeda593c33514eb1c1b4

  • SSDEEP

    49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 23 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe
    "C:\Users\Admin\AppData\Local\Temp\eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2376
    • C:\Program Files\DVD Maker\it-IT\audiodg.exe
      "C:\Program Files\DVD Maker\it-IT\audiodg.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1072
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6abb7062-4434-4a40-98c0-0c58c3c5dde8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Program Files\DVD Maker\it-IT\audiodg.exe
          "C:\Program Files\DVD Maker\it-IT\audiodg.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1772
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6724f5f4-9247-40b9-9e60-7f7b47f6238f.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Program Files\DVD Maker\it-IT\audiodg.exe
              "C:\Program Files\DVD Maker\it-IT\audiodg.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1944
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\827e9bc8-049a-4860-8672-801a51889fa0.vbs"
                7⤵
                  PID:1000
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f11da7a9-4540-4e83-9bee-91c15e75b654.vbs"
                  7⤵
                    PID:2588
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a8a0121-078f-4cc7-aa1a-9a1da9ca40dd.vbs"
                5⤵
                  PID:1172
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf039f4c-8bd5-41ea-9b04-2cce6cd93f3e.vbs"
              3⤵
                PID:1672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2268
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\services.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3036
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:608

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe
            Filesize

            2.2MB

            MD5

            9ca4c55fca9566c4fa4190afc1e0f72d

            SHA1

            6a5648d383c1e9fa49483c1a5c33fd4188dc2cae

            SHA256

            eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1

            SHA512

            aa0be340671557983bdd234aa2ce3781bbdf484a6de9f31f39139757d67dd9be45285a121d4e250b79da16fb5f80d2f98b4d9dbd661ffeda593c33514eb1c1b4

            Download Submit

          • C:\Program Files\DVD Maker\it-IT\audiodg.exe
            Filesize

            2.2MB

            MD5

            36eb039392a4cb929037da7d81b96741

            SHA1

            40a4b317bb43d2e54361b038443f739f5815a1f8

            SHA256

            0d0d0a3f0f514461fc6d457114b87cfb84b2e0392f6a0acea833d1dd958949bf

            SHA512

            4c1914c7fe5cd0fe6c91433eaf2d85451bb7794947ae084a8d5983798702706d466dcb299c36bd01e6140819f5845ae085d44925860361046636fe75fbcb63ff

            Download Submit

          • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
            Filesize

            2.2MB

            MD5

            92c9a0d65988cc509a280861aa9f5214

            SHA1

            74e33acbd83fc839b2696723c430374348ae37f9

            SHA256

            68e042fea06e19ede8f7956dd45f35e5244c784af578a80151c13f8ec1c2703c

            SHA512

            5d444d6004a0011bf22bd186c6078785613df1ded66aca87641fa967a1d924f667ed66b8ffd178653e1bedd0ff9336f55e1bf0b495b7f5b387dd10cf80123033

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\124d8c15f864395aac7fb76f6ec242e58e320409.exe
            Filesize

            2.2MB

            MD5

            f40a9b6440f84f0e050bb92d3cdc0d16

            SHA1

            ba3bf182f1891d8e6920ba26fa251bad6e0ad9a2

            SHA256

            e271650fc339be6d081b560684d59740bc6331611ed44c9cc51c69ea8b938ea4

            SHA512

            5abf6dc4139bf5f0117788eadae5192deea1654247e60e49db03609b544f0e2ac25641f87fd00b531a7eb2fc6a05f96313761e10d65944a49d11d53a3e653ae1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6724f5f4-9247-40b9-9e60-7f7b47f6238f.vbs
            Filesize

            720B

            MD5

            4c57632b24df3bf0706d6133ce166e92

            SHA1

            2c32cd7ddfd5d7c1a0f954326813bc9d362892a7

            SHA256

            09e6d7213672d3cc90890ac2356cc650660e1cba7d677f895c2c6f609ff7c2c4

            SHA512

            83c804d4d8b79bb790b6abb632ea529ff05e8d592f863de1fc2ec91f29643c8660763c981b9fd4213bf72972abb5b957e7530e591cf187d7c8bfdbbe38f618a5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6abb7062-4434-4a40-98c0-0c58c3c5dde8.vbs
            Filesize

            720B

            MD5

            1c3b5ad5a7200c502747863e9743a3c7

            SHA1

            bb2a597b017b054ea419538cb46b3c418f24d669

            SHA256

            51b478e2a0402e7c64f6326e4612acb9feb468893bb37bfd5febddad48c09f00

            SHA512

            4bb888ad7675437178e4e392f67c63917fe1fded5270685c57aaeab18a14ea3a831bca4039353c14a2a9e420cac1b2c89844ee734779c040ab2b5a2437c81241

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\827e9bc8-049a-4860-8672-801a51889fa0.vbs
            Filesize

            720B

            MD5

            2f30ca6c288cc3a16fa3c7ccfa50b3e7

            SHA1

            4a4b267b201b88829c58600367a9003711056d89

            SHA256

            d2f37cb292ba5af3c9452187f716dd07d9d50c1bd217814f0ca8f8fbab6896d6

            SHA512

            66bf8c25e89ee0fe4a5f9a02081d44b388ecca24631b8001b5039f0e003920b5e182351bdbf142725863e131309377c51c2ccf737e5f13c65a0c410e394baaa1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\bf039f4c-8bd5-41ea-9b04-2cce6cd93f3e.vbs
            Filesize

            496B

            MD5

            b50b837001af5c284148021073b23670

            SHA1

            ccb54c1ecf91de36075c5622f8d8a39c0176b27a

            SHA256

            818e61364251483e6428b45094c222fe090d1b99b46c363445bd4d28d7036d51

            SHA512

            f6646795aa49fecd2188204755886ddc5e79b907271adb374484bd1da9cd3a8daaa666192fca8d3d476d370eebe3a522a12c2f9fe17a31c07ab9c4f39b7b4c55

            Download Submit

          • memory/1072-138-0x0000000000E60000-0x000000000108E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/2376-19-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-24-0x0000000000F40000-0x0000000000F48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-11-0x0000000000E00000-0x0000000000E10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2376-12-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2376-13-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-14-0x0000000000E10000-0x0000000000E18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-15-0x0000000000E20000-0x0000000000E2C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-16-0x0000000000E30000-0x0000000000E38000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-18-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2376-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2376-20-0x0000000000F00000-0x0000000000F0C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-21-0x0000000000F10000-0x0000000000F1C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-22-0x0000000000F20000-0x0000000000F2A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2376-23-0x0000000000F30000-0x0000000000F3E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2376-25-0x0000000000F50000-0x0000000000F5E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2376-10-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-26-0x0000000000F60000-0x0000000000F6C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-27-0x0000000000F70000-0x0000000000F78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-28-0x0000000000F80000-0x0000000000F8C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-29-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2376-9-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2376-8-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-7-0x0000000000D90000-0x0000000000DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2376-139-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2376-6-0x00000000004F0000-0x00000000004F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-5-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2376-4-0x0000000000460000-0x000000000046E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2376-3-0x0000000000450000-0x000000000045E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2376-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2376-1-0x0000000000F90000-0x00000000011BE000-memory.dmp

            Filesize

            2.2MB

            Download