dcrat | 1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2023 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Icloader.exe
Size

7.9MB
MD5

ce12fa0411314efb0e9e9d3c6fb943f4
SHA1

1f14997e49595ffe8148f1ad0884d2428444e193
SHA256

1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753
SHA512

4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7
SSDEEP

196608:YO2gG67ej056dQmRrdA6lakaqdVTmRPjKyDd:3g+kdQOlawdIR71d

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4108	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
behavioral1/memory/3428-152-0x0000000000550000-0x00000000007A2000-memory.dmp	dcrat
C:\Users\Admin\Music\WaaSMedicAgent.exe	dcrat
C:\Users\Admin\Music\WaaSMedicAgent.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

INST.exehyperportsession.exeWaaSMedicAgent.exe

pid process

2688 INST.exe
3428 hyperportsession.exe
844 WaaSMedicAgent.exe

pid	process
2688	INST.exe
3428	hyperportsession.exe
844	WaaSMedicAgent.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hyperportsession.exeINST.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	hyperportsession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

Processes:

Icloader.exe

pid process

1420 Icloader.exe
1420 Icloader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1420	Icloader.exe
1420	Icloader.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4992	schtasks.exe
4540	schtasks.exe
2912	schtasks.exe
3472	schtasks.exe
1228	schtasks.exe
2848	schtasks.exe
3688	schtasks.exe
3756	schtasks.exe
4660	schtasks.exe

Modifies registry class 1 IoCs

Processes:

INST.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings INST.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	INST.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

hyperportsession.exeWaaSMedicAgent.exe

pid	process
3428	hyperportsession.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe
844	WaaSMedicAgent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WaaSMedicAgent.exe

pid process

844 WaaSMedicAgent.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hyperportsession.exeWaaSMedicAgent.exe

description pid process

Token: SeDebugPrivilege 3428 hyperportsession.exe
Token: SeDebugPrivilege 844 WaaSMedicAgent.exe

pid	process
844	WaaSMedicAgent.exe

description	pid	process
Token: SeDebugPrivilege	3428	hyperportsession.exe
Token: SeDebugPrivilege	844	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Icloader.exeIcloader.execmd.exeINST.exeWScript.execmd.exehyperportsession.exe

description	pid	process	target process
PID 4552 wrote to memory of 1420	4552	Icloader.exe	Icloader.exe
PID 4552 wrote to memory of 1420	4552	Icloader.exe	Icloader.exe
PID 1420 wrote to memory of 4248	1420	Icloader.exe	cmd.exe
PID 1420 wrote to memory of 4248	1420	Icloader.exe	cmd.exe
PID 1420 wrote to memory of 4520	1420	Icloader.exe	cmd.exe
PID 1420 wrote to memory of 4520	1420	Icloader.exe	cmd.exe
PID 4520 wrote to memory of 2688	4520	cmd.exe	INST.exe
PID 4520 wrote to memory of 2688	4520	cmd.exe	INST.exe
PID 4520 wrote to memory of 2688	4520	cmd.exe	INST.exe
PID 2688 wrote to memory of 792	2688	INST.exe	WScript.exe
PID 2688 wrote to memory of 792	2688	INST.exe	WScript.exe
PID 2688 wrote to memory of 792	2688	INST.exe	WScript.exe
PID 2688 wrote to memory of 1672	2688	INST.exe	WScript.exe
PID 2688 wrote to memory of 1672	2688	INST.exe	WScript.exe
PID 2688 wrote to memory of 1672	2688	INST.exe	WScript.exe
PID 792 wrote to memory of 1204	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 1204	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 1204	792	WScript.exe	cmd.exe
PID 1204 wrote to memory of 3428	1204	cmd.exe	hyperportsession.exe
PID 1204 wrote to memory of 3428	1204	cmd.exe	hyperportsession.exe
PID 3428 wrote to memory of 844	3428	hyperportsession.exe	WaaSMedicAgent.exe
PID 3428 wrote to memory of 844	3428	hyperportsession.exe	WaaSMedicAgent.exe

C:\Users\Admin\AppData\Local\Temp\Icloader.exe
"C:\Users\Admin\AppData\Local\Temp\Icloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\Icloader.exe
"C:\Users\Admin\AppData\Local\Temp\Icloader.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Comproviderdriver\hyperportsession.exe
"C:\Comproviderdriver\hyperportsession.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\Music\WaaSMedicAgent.exe
"C:\Users\Admin\Music\WaaSMedicAgent.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\file.vbs"
5⤵
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\odt\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe
Filesize
213B

MD5
9113279e9c8b6335ec9e3e1e311ef188

SHA1
37a4e9ab4bf02a2a65d48918f16f2b494ff5f446

SHA256
829fb3f8655a6ae7791d83e099d9892359924b841d47f0930c7cd92e1d65129e

SHA512
1f846e02362b8fcd4b3c91c745bbe7d08f5e171664d0c96f70800e3a689553c580aaf9845b3e18d4320277b6777964701b82b1664319d9f49f7174e7d39f0389

Download Submit
C:\Comproviderdriver\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Comproviderdriver\hyperportsession.exe
Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\hyperportsession.exe
Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat
Filesize
43B

MD5
f9b0386eda9b5c1cecad9c265da5b3b7

SHA1
f69cc98e2d196c0f5e2de7a7c75324852bf472fb

SHA256
e59356966e672a4f59cadb7924e07b50346d517101523d7076a03d8c908cc1e1

SHA512
d042e61171f1a5ed353332cdcf018000b9ce61403439282fff5bd029e65dca888bd4374b9986bd13d92a7c1766399d88e2be80ced8b7a8baf797461e65b7346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\base_library.zip
Filesize
1.0MB

MD5
b344c8ac7c6cb7ce58c5a4ec6c760b96

SHA1
16cb3b9f8fcc90364155f081fb51a74bdf16dce9

SHA256
77c53672ee2afece093ded8b42d316fe443626451448ef603744ca9c7e0cfdb3

SHA512
2976d162b0719c2a1bebf4bc14f6595c291e117f3a2956b69e53996f4a0f4de14a1ea9ec50122a30e95e953ba320a1ac4bf73a5d5980fa7d61bfd92c9af62b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\python310.dll
Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\python310.dll
Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\Music\WaaSMedicAgent.exe
Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Users\Admin\Music\WaaSMedicAgent.exe
Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
memory/792-143-0x0000000000000000-mapping.dmp

Download
memory/844-156-0x0000000000000000-mapping.dmp

Download
memory/844-160-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/844-161-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/1204-148-0x0000000000000000-mapping.dmp

Download
memory/1420-132-0x0000000000000000-mapping.dmp

Download
memory/1672-144-0x0000000000000000-mapping.dmp

Download
memory/2688-140-0x0000000000000000-mapping.dmp

Download
memory/3428-153-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/3428-155-0x000000001CC00000-0x000000001D128000-memory.dmp

Filesize
5.2MB

Download
memory/3428-154-0x000000001B2C0000-0x000000001B310000-memory.dmp

Filesize
320KB

Download
memory/3428-152-0x0000000000550000-0x00000000007A2000-memory.dmp

Filesize
2.3MB

Download
memory/3428-149-0x0000000000000000-mapping.dmp

Download
memory/3428-159-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/4248-138-0x0000000000000000-mapping.dmp

Download
memory/4520-139-0x0000000000000000-mapping.dmp

Download