Overview

overview

10

Static

static

10

4735bb00bc...ef.exe

windows7-x64

10

4735bb00bc...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2025 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4735bb00bcb92c0c5d85599e289925ef.exe

  • Size

    3.2MB

  • MD5

    4735bb00bcb92c0c5d85599e289925ef

  • SHA1

    90dee1ecc8721777366e9c0d2d3c9fc2df6a925b

  • SHA256

    8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b

  • SHA512

    673a67e73f8d3a31403cee50234d3160afe3eda75f75935677f9da0e955e28e67d9265c1a23c80b0fab7bd1aaa85ece8e3bf1bf085e76d9cbbd498a34a77287e

  • SSDEEP

    98304:BjxkN1YiQ2DmsiJb0D2OG5Mbser0ZAY8pD1X0C:B161YitDZiJoZgAY8pDl0

Score
10/10
dcratdefense_evasiondiscoveryinfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4735bb00bcb92c0c5d85599e289925ef.exe
    "C:\Users\Admin\AppData\Local\Temp\4735bb00bcb92c0c5d85599e289925ef.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1384
    • C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe
      "C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4836
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30f104d6-d341-4052-acea-f2e80e7ffb22.vbs"
        3⤵
          PID:4080
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50875e21-9c1d-47e2-8b59-c931a22f985b.vbs"
          3⤵
            PID:4940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4735bb00bcb92c0c5d85599e289925ef4" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\4735bb00bcb92c0c5d85599e289925ef.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4735bb00bcb92c0c5d85599e289925ef" /sc ONLOGON /tr "'C:\Users\Default User\4735bb00bcb92c0c5d85599e289925ef.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4735bb00bcb92c0c5d85599e289925ef4" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\4735bb00bcb92c0c5d85599e289925ef.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2120
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\System\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\System\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:660
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1220
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:3920
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REY0ODlDMDgtNTdCRi00NDBELUI0ODktRThGOTkxQTE4MzE5fSIgdXNlcmlkPSJ7MjI3RkEyRDItMjg4MS00NTNFLUJFMkUtMzA4QUUyQUY3OEM5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7REM4RTFCODgtOTA5RC00MzE0LUI3M0EtODA1RjVGM0E4NjMzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTY0MzY1OTgzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:2424

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        3
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe
          Filesize

          3.2MB

          MD5

          4735bb00bcb92c0c5d85599e289925ef

          SHA1

          90dee1ecc8721777366e9c0d2d3c9fc2df6a925b

          SHA256

          8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b

          SHA512

          673a67e73f8d3a31403cee50234d3160afe3eda75f75935677f9da0e955e28e67d9265c1a23c80b0fab7bd1aaa85ece8e3bf1bf085e76d9cbbd498a34a77287e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\30f104d6-d341-4052-acea-f2e80e7ffb22.vbs
          Filesize

          737B

          MD5

          04adf4eb123b1eb5c7633f10ae9a7ffb

          SHA1

          52dc6049cdd22e1156fc61f643e4a2af514435ef

          SHA256

          4eb223983e3cd71e5385ae65ab16e14d6111534941027eb6c4f7a83373d1df0f

          SHA512

          224f263abd6c8301fea4a72e91c390987038aa8df0443461864c13a8810aa0d1cf67a0c35d26a90e10dea6c14483420db35c1b6d551d1b7ebad4dedceb957dc0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\50875e21-9c1d-47e2-8b59-c931a22f985b.vbs
          Filesize

          513B

          MD5

          088e3b345c0431509a27faae5ad4121b

          SHA1

          a1e02d8c0f7653e248b02b97d851cf6388a4a4e4

          SHA256

          a26ea10cba061cdb5802f81bfa8cf08f1fc6087e85fa16801782b133442a14b2

          SHA512

          c799a937e1ebc426ee7684759196cc7ce943e312190001a40664c3382ae14ab5a1780fe1cfacd49af011f6363c83702d678e8509f7d6a5801defcbd2c44e518c

          Download Submit

        • memory/1384-22-0x000000001C3C0000-0x000000001C8E8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1384-7-0x000000001BA90000-0x000000001BAE0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1384-11-0x000000001BA80000-0x000000001BA92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1384-24-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-12-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-25-0x000000001BEB0000-0x000000001BEB8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-8-0x000000001BA40000-0x000000001BA48000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-23-0x000000001BE90000-0x000000001BE98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-6-0x00000000029A0000-0x00000000029BC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1384-5-0x0000000002990000-0x0000000002998000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-14-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1384-13-0x000000001BD90000-0x000000001BD98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-15-0x000000001BDC0000-0x000000001BDCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1384-16-0x000000001BDD0000-0x000000001BE26000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1384-17-0x000000001BE20000-0x000000001BE2C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-18-0x000000001BE30000-0x000000001BE38000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-19-0x000000001BE40000-0x000000001BE4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-20-0x000000001BE50000-0x000000001BE58000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-21-0x000000001BE60000-0x000000001BE72000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1384-0-0x00007FFE281C3000-0x00007FFE281C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1384-10-0x000000001BA70000-0x000000001BA78000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-4-0x0000000002960000-0x000000000296E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1384-9-0x000000001BA50000-0x000000001BA66000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1384-26-0x000000001BEC0000-0x000000001BECC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-28-0x000000001C150000-0x000000001C158000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-27-0x000000001BED0000-0x000000001BEDC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-32-0x000000001C110000-0x000000001C118000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-31-0x000000001C100000-0x000000001C10E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1384-30-0x000000001C0F0000-0x000000001C0FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1384-29-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-33-0x000000001C120000-0x000000001C12E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1384-36-0x000000001B410000-0x000000001B41A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1384-35-0x000000001B400000-0x000000001B408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-34-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1384-37-0x000000001B420000-0x000000001B42C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1384-3-0x0000000002950000-0x000000000295E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1384-71-0x00007FFE281C0000-0x00007FFE28C81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1384-1-0x00000000004B0000-0x00000000007EE000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/1384-2-0x00007FFE281C0000-0x00007FFE28C81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4836-72-0x000000001BDF0000-0x000000001BE02000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4836-82-0x000000001F240000-0x000000001F402000-memory.dmp

          Filesize

          1.8MB

          Download