dcrat | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
25-01-2022 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

dcrat infostealer persistence rat suricata

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		788	schtasks.exe
File created	C:\Windows\Vss\Writers\System\audiodg.exe		b5320340037751e10748b6463fab8ee0.exe
		2008	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""		b5320340037751e10748b6463fab8ee0.exe
		1860	schtasks.exe
		1176	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Vss\\Writers\\System\\audiodg.exe\""		b5320340037751e10748b6463fab8ee0.exe
		1828	schtasks.exe
		896	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	services.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	816	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	816	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	816	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	816	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	816	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	816	schtasks.exe	27

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata

Executes dropped EXE 1 IoCs

pid	Process
1668	services.exe

Deletes itself 1 IoCs

pid	Process
1668	services.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Vss\\Writers\\System\\audiodg.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\spcmsg\\services.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Globalization\\ELS\\Transliteration\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\ieUnatt\\smss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mssip32\\taskhost.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\mssip32\taskhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\mssip32\b75386f1303e64	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\spcmsg\services.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\spcmsg\c5b4cb5e9653cc	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\ieUnatt\smss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\ieUnatt\69ddcba757bf72	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\System\audiodg.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\Vss\Writers\System\audiodg.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Vss\Writers\System\42af1c969fbb7b	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Globalization\ELS\Transliteration\csrss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Globalization\ELS\Transliteration\886983d96e3d3e	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2008	schtasks.exe
1828	schtasks.exe
896	schtasks.exe
1860	schtasks.exe
788	schtasks.exe
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
740	b5320340037751e10748b6463fab8ee0.exe
988	powershell.exe
1728	powershell.exe
1756	powershell.exe
2032	powershell.exe
336	powershell.exe
1692	powershell.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	1668	services.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	36
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	36
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	36
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	35
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	35
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	35
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	38
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	38
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	38
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	41
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	41
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	41
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	48
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	48
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	48
PID 1668 wrote to memory of 1292	1668	services.exe	51
PID 1668 wrote to memory of 1292	1668	services.exe	51
PID 1668 wrote to memory of 1292	1668	services.exe	51
PID 1668 wrote to memory of 1816	1668	services.exe	53
PID 1668 wrote to memory of 1816	1668	services.exe	53
PID 1668 wrote to memory of 1816	1668	services.exe	53
PID 1668 wrote to memory of 2016	1668	services.exe	55
PID 1668 wrote to memory of 2016	1668	services.exe	55
PID 1668 wrote to memory of 2016	1668	services.exe	55
PID 1668 wrote to memory of 736	1668	services.exe	57
PID 1668 wrote to memory of 736	1668	services.exe	57
PID 1668 wrote to memory of 736	1668	services.exe	57
PID 1668 wrote to memory of 108	1668	services.exe	59
PID 1668 wrote to memory of 108	1668	services.exe	59
PID 1668 wrote to memory of 108	1668	services.exe	59
PID 1668 wrote to memory of 1828	1668	services.exe	61
PID 1668 wrote to memory of 1828	1668	services.exe	61
PID 1668 wrote to memory of 1828	1668	services.exe	61
PID 1668 wrote to memory of 1628	1668	services.exe	63
PID 1668 wrote to memory of 1628	1668	services.exe	63
PID 1668 wrote to memory of 1628	1668	services.exe	63
PID 1668 wrote to memory of 788	1668	services.exe	65
PID 1668 wrote to memory of 788	1668	services.exe	65
PID 1668 wrote to memory of 788	1668	services.exe	65
PID 1668 wrote to memory of 1464	1668	services.exe	67
PID 1668 wrote to memory of 1464	1668	services.exe	67
PID 1668 wrote to memory of 1464	1668	services.exe	67
PID 1464 wrote to memory of 1452	1464	cmd.exe	69
PID 1464 wrote to memory of 1452	1464	cmd.exe	69
PID 1464 wrote to memory of 1452	1464	cmd.exe	69

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\spcmsg\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ieUnatt\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mssip32\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\spcmsg\services.exe
  "C:\Windows\System32\spcmsg\services.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "b5320340037751e10748b6463fab8ee0" /f
    3⤵
    PID:1292
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "audiodg" /f
    3⤵
    PID:1816
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "explorer" /f
    3⤵
    PID:2016
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "services" /f
    3⤵
    PID:736
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "csrss" /f
    3⤵
    PID:108
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "smss" /f
    3⤵
    PID:1828
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "taskhost" /f
    3⤵
    PID:1628
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "services" /f
    3⤵
    PID:788
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\spcmsg\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\ieUnatt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\mssip32\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-97-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/336-102-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/336-98-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/336-96-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/336-113-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/336-108-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/740-59-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/740-58-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/740-55-0x0000000000B60000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/740-57-0x0000000000360000-0x00000000003B6000-memory.dmp

Filesize
344KB

Download
memory/740-56-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download
memory/740-62-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/740-60-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/740-63-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/740-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/988-90-0x0000000002660000-0x0000000002662000-memory.dmp

Filesize
8KB

Download
memory/988-111-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/988-64-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/988-74-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/988-92-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/988-91-0x0000000002662000-0x0000000002664000-memory.dmp

Filesize
8KB

Download
memory/988-104-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1668-101-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1668-83-0x000000001ADB0000-0x000000001ADB2000-memory.dmp

Filesize
8KB

Download
memory/1668-80-0x00000000010A0000-0x00000000012CC000-memory.dmp

Filesize
2.2MB

Download
memory/1692-93-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1692-94-0x0000000002712000-0x0000000002714000-memory.dmp

Filesize
8KB

Download
memory/1692-77-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1692-109-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1692-95-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1724-132-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1724-130-0x00000000026C2000-0x00000000026C4000-memory.dmp

Filesize
8KB

Download
memory/1724-129-0x00000000026C0000-0x00000000026C2000-memory.dmp

Filesize
8KB

Download
memory/1724-128-0x000000001B950000-0x000000001BC4F000-memory.dmp

Filesize
3.0MB

Download
memory/1724-127-0x000007FEEB660000-0x000007FEEC1BD000-memory.dmp

Filesize
11.4MB

Download
memory/1724-131-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1728-100-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1728-110-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1728-84-0x00000000026D0000-0x00000000026D2000-memory.dmp

Filesize
8KB

Download
memory/1728-99-0x00000000026D2000-0x00000000026D4000-memory.dmp

Filesize
8KB

Download
memory/1728-103-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-107-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1756-73-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1756-87-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download
memory/1756-105-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1756-88-0x00000000027E2000-0x00000000027E4000-memory.dmp

Filesize
8KB

Download
memory/1756-89-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1756-114-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2032-86-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/2032-112-0x0000000002A1B000-0x0000000002A3A000-memory.dmp

Filesize
124KB

Download
memory/2032-82-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/2032-85-0x0000000002A12000-0x0000000002A14000-memory.dmp

Filesize
8KB

Download
memory/2032-72-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download