dcrat | 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b

Analysis

max time kernel
123s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
Size

1.3MB
MD5

520e77f53f92ef7e28948e1939f94651
SHA1

0f72452004ae38b62defec4e9a27525a1ce85ea7
SHA256

4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b
SHA512

c95375b082d27ad7995c80be71a1695804631deb62a5a68910b0def008079646afa7652736793d5a08b914973b9053134f2f40987ec7fe9efb4575c1ecec1c7c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3348	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3348	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abba-284.dat	dcrat
behavioral1/files/0x000900000001abba-285.dat	dcrat
behavioral1/memory/4256-286-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abcb-306.dat	dcrat
behavioral1/files/0x000600000001abcb-305.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4256	DllCommonsvc.exe
3936	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Maps\font\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Maps\font\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5076	schtasks.exe
3164	schtasks.exe
4604	schtasks.exe
4684	schtasks.exe
4940	schtasks.exe
2780	schtasks.exe
4392	schtasks.exe
4232	schtasks.exe
4424	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
4256	DllCommonsvc.exe
2880	powershell.exe
4500	powershell.exe
4544	powershell.exe
4476	powershell.exe
4500	powershell.exe
3936	spoolsv.exe
2880	powershell.exe
4544	powershell.exe
4476	powershell.exe
4500	powershell.exe
2880	powershell.exe
4544	powershell.exe
4476	powershell.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3936	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	DllCommonsvc.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3936	spoolsv.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	powershell.exe
Token: SeSecurityPrivilege	4500	powershell.exe
Token: SeTakeOwnershipPrivilege	4500	powershell.exe
Token: SeLoadDriverPrivilege	4500	powershell.exe
Token: SeSystemProfilePrivilege	4500	powershell.exe
Token: SeSystemtimePrivilege	4500	powershell.exe
Token: SeProfSingleProcessPrivilege	4500	powershell.exe
Token: SeIncBasePriorityPrivilege	4500	powershell.exe
Token: SeCreatePagefilePrivilege	4500	powershell.exe
Token: SeBackupPrivilege	4500	powershell.exe
Token: SeRestorePrivilege	4500	powershell.exe
Token: SeShutdownPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeSystemEnvironmentPrivilege	4500	powershell.exe
Token: SeRemoteShutdownPrivilege	4500	powershell.exe
Token: SeUndockPrivilege	4500	powershell.exe
Token: SeManageVolumePrivilege	4500	powershell.exe
Token: 33	4500	powershell.exe
Token: 34	4500	powershell.exe
Token: 35	4500	powershell.exe
Token: 36	4500	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe
Token: 35	2880	powershell.exe
Token: 36	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4544	powershell.exe
Token: SeSecurityPrivilege	4544	powershell.exe
Token: SeTakeOwnershipPrivilege	4544	powershell.exe
Token: SeLoadDriverPrivilege	4544	powershell.exe
Token: SeSystemProfilePrivilege	4544	powershell.exe
Token: SeSystemtimePrivilege	4544	powershell.exe
Token: SeProfSingleProcessPrivilege	4544	powershell.exe
Token: SeIncBasePriorityPrivilege	4544	powershell.exe
Token: SeCreatePagefilePrivilege	4544	powershell.exe
Token: SeBackupPrivilege	4544	powershell.exe
Token: SeRestorePrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeSystemEnvironmentPrivilege	4544	powershell.exe
Token: SeRemoteShutdownPrivilege	4544	powershell.exe
Token: SeUndockPrivilege	4544	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 1192	520	4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe	66
PID 520 wrote to memory of 1192	520	4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe	66
PID 520 wrote to memory of 1192	520	4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe	66
PID 1192 wrote to memory of 3308	1192	WScript.exe	67
PID 1192 wrote to memory of 3308	1192	WScript.exe	67
PID 1192 wrote to memory of 3308	1192	WScript.exe	67
PID 3308 wrote to memory of 4256	3308	cmd.exe	69
PID 3308 wrote to memory of 4256	3308	cmd.exe	69
PID 4256 wrote to memory of 2880	4256	DllCommonsvc.exe	80
PID 4256 wrote to memory of 2880	4256	DllCommonsvc.exe	80
PID 4256 wrote to memory of 4500	4256	DllCommonsvc.exe	87
PID 4256 wrote to memory of 4500	4256	DllCommonsvc.exe	87
PID 4256 wrote to memory of 4544	4256	DllCommonsvc.exe	81
PID 4256 wrote to memory of 4544	4256	DllCommonsvc.exe	81
PID 4256 wrote to memory of 4476	4256	DllCommonsvc.exe	82
PID 4256 wrote to memory of 4476	4256	DllCommonsvc.exe	82
PID 4256 wrote to memory of 3936	4256	DllCommonsvc.exe	88
PID 4256 wrote to memory of 3936	4256	DllCommonsvc.exe	88

C:\Users\Admin\AppData\Local\Temp\4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
"C:\Users\Admin\AppData\Local\Temp\4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\font\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
    - - C:\Windows\Resources\Maps\font\spoolsv.exe
        
        "C:\Windows\Resources\Maps\font\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf984b340a13d94e95974a870964cb5d

SHA1
3b12d93122209011b2979c9b3696f8ec39be0930

SHA256
2ce32dff322ac329eedac074e4cd5fc2f57aa33698968e652b43f2914abaf4e8

SHA512
17ef5e9a2e0e03d109ce0c67583bbdc93a1f6bf4bac5be49b02e2ff228973ddb37bdf1d910e6519aa79c9b71ae36ebebf00e80ae8e0fc9c260e6112a7aac9b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
754c29885a91889d54e37ff5501b2c64

SHA1
4dc3c40717cd0fae4a04f53e54a5bd80f3bfc319

SHA256
2f6b1a2b6ce7d300327567e9e1f1247a7b7a5c180b2c9ae4a4a55d2104ef9f64

SHA512
c754fd14dd55993c0ff29cb272a46b5c2b3168915c9a462da3c2fe2b99a9ae23c082f086ec5df95bc5f3b8a6f0db6a08414311b1c586e2d4b3e712298ff7057d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eee650941238a0417fa9adcd8e377f84

SHA1
bf4c47612f3894a5b6de879331d82858b5280bb8

SHA256
9047159f95dc8925676e00f9abbdadd65e19531850e4ceac8f752e2b8d918535

SHA512
6e442f8466ffa3e0bcd29772e9e7f77ce18c22d26d5f1621e33f6132f3807f17c7a2ade1446277327381c7be05d440024097b65fabc143ba0d9db6621d95031e

Download Submit
C:\Windows\Resources\Maps\font\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Resources\Maps\font\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/520-144-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-160-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-134-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-135-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-136-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-137-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-138-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-139-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-140-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-141-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-142-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-143-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-120-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-145-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-146-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-147-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-148-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-149-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-150-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-153-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-152-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-151-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-154-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-155-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-156-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-157-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-158-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-159-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-171-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-161-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-162-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-163-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-164-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-165-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-166-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-167-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-168-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-169-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-133-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-170-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-121-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-173-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-174-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-175-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-176-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-177-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-178-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-179-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-180-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-181-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-182-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-183-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-122-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-123-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-125-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-132-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-131-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-126-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-128-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-130-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-129-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-172-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1192-185-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1192-186-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/2880-314-0x0000013BF2910000-0x0000013BF2932000-memory.dmp

Filesize
136KB

Download
memory/4256-287-0x0000000001750000-0x0000000001762000-memory.dmp

Filesize
72KB

Download
memory/4256-290-0x0000000003020000-0x000000000302C000-memory.dmp

Filesize
48KB

Download
memory/4256-289-0x0000000001760000-0x000000000176C000-memory.dmp

Filesize
48KB

Download
memory/4256-286-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/4256-288-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/4500-317-0x000001BABA330000-0x000001BABA3A6000-memory.dmp

Filesize
472KB

Download