dcrat | 7efd49f4c002fbe6c0380ae3da89cab96456090a2a9ea148fec6fc5263433d78

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b68945406413301b4a5195cda123ef91.exe
Size

2.3MB
MD5

b68945406413301b4a5195cda123ef91
SHA1

3ee195713743c21c2d0576a4c37a3bb2687f601a
SHA256

7efd49f4c002fbe6c0380ae3da89cab96456090a2a9ea148fec6fc5263433d78
SHA512

ff6686870938b901d765af2085f60cb1a7a7698c14a6e2c41d0f03c536e0c4fa894cdb4c455904197c5cd2c282e049b230014c99c3f318ea1536f7e21ff5ade5
SSDEEP

49152:4EAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:bADWgmNqGAKKBli

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	4432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4432	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4800-132-0x0000000000460000-0x00000000006B4000-memory.dmp	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat
behavioral2/memory/4716-149-0x0000000000700000-0x0000000000954000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

4716 dwm.exe

pid	process
4716	dwm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b68945406413301b4a5195cda123ef91.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b68945406413301b4a5195cda123ef91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 5 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exe

description	ioc	process
File created	C:\Windows\schemas\AvailableNetwork\7a0fd90576e088	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXF356.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXF3F3.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\explorer.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\schemas\AvailableNetwork\explorer.exe	b68945406413301b4a5195cda123ef91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4952	schtasks.exe
1196	schtasks.exe
4148	schtasks.exe
4500	schtasks.exe
2544	schtasks.exe
2348	schtasks.exe
4924	schtasks.exe
1668	schtasks.exe
1800	schtasks.exe
4208	schtasks.exe
1540	schtasks.exe
4052	schtasks.exe

Modifies registry class 2 IoCs

Processes:

dwm.exeb68945406413301b4a5195cda123ef91.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b68945406413301b4a5195cda123ef91.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
4800	b68945406413301b4a5195cda123ef91.exe
1448	powershell.exe
4212	powershell.exe
1964	powershell.exe
2100	powershell.exe
3580	powershell.exe
1964	powershell.exe
1448	powershell.exe
4212	powershell.exe
2100	powershell.exe
3580	powershell.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe
4716	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

4716 dwm.exe

pid	process
4716	dwm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4800	b68945406413301b4a5195cda123ef91.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4716	dwm.exe
Token: SeBackupPrivilege	3948	vssvc.exe
Token: SeRestorePrivilege	3948	vssvc.exe
Token: SeAuditPrivilege	3948	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exedwm.exe

description	pid	process	target process
PID 4800 wrote to memory of 1448	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 1448	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 1964	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 1964	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 2100	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 2100	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 4212	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 4212	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 3580	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 3580	4800	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 4800 wrote to memory of 4716	4800	b68945406413301b4a5195cda123ef91.exe	dwm.exe
PID 4800 wrote to memory of 4716	4800	b68945406413301b4a5195cda123ef91.exe	dwm.exe
PID 4716 wrote to memory of 3340	4716	dwm.exe	WScript.exe
PID 4716 wrote to memory of 3340	4716	dwm.exe	WScript.exe
PID 4716 wrote to memory of 8	4716	dwm.exe	WScript.exe
PID 4716 wrote to memory of 8	4716	dwm.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe
"C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\AvailableNetwork\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Recovery\WindowsRE\dwm.exe
"C:\Recovery\WindowsRE\dwm.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f32077-5ee2-4a1d-b8d2-8ddbc758b4d9.vbs"
3⤵
PID:3340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ddfddd-f9d4-4038-973d-fddb51746813.vbs"
3⤵
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\AvailableNetwork\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\AvailableNetwork\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dwm.exe
Filesize
2.3MB

MD5
c90124e66a9689075179b70dad009510

SHA1
47fe2e228b005e5a42434a05f70b6532ad5ae716

SHA256
081ae7434d56915bcbc530938020d4036cd8ddbc4e126705cd02d33db1218623

SHA512
663c64864db2e3c0e8b5afd319f1c230910498d2ac62714ead015cff3fa41b00247bcecc4ac417243011793fc6c07c115c3300de02c3a7f8f783300ee2b79055

Download Submit
C:\Recovery\WindowsRE\dwm.exe
Filesize
2.3MB

MD5
c90124e66a9689075179b70dad009510

SHA1
47fe2e228b005e5a42434a05f70b6532ad5ae716

SHA256
081ae7434d56915bcbc530938020d4036cd8ddbc4e126705cd02d33db1218623

SHA512
663c64864db2e3c0e8b5afd319f1c230910498d2ac62714ead015cff3fa41b00247bcecc4ac417243011793fc6c07c115c3300de02c3a7f8f783300ee2b79055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ddfddd-f9d4-4038-973d-fddb51746813.vbs
Filesize
481B

MD5
8734ffd672f0b2fde5cc3d7dea27d7b0

SHA1
dc3166dde34a8ec680f5eae610e84cae40e7aabe

SHA256
f447b4408198eb06b1abed3f737e6961829ef2b91307c066a142e9862ab4150b

SHA512
d111c615e99e67f4043575a7dbdcc5a216d745ee0abf007bfa4334bd70611d294e56e7c99396c0c3b8b103a6333ff0f06af9a86f634571784bafe8dcaaa13b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1f32077-5ee2-4a1d-b8d2-8ddbc758b4d9.vbs
Filesize
705B

MD5
b9fc4d5db76ff20c797bba1861e1e37d

SHA1
2211f0bcd395758726eae934556bc7f7e9fedff5

SHA256
ae53b9a5d1c44a607b37e213249fb3415d300384cafa4c0a3543a33e05ba3102

SHA512
0b89e558d9678b97eb9c05680792e169a181b4fa7fac1c0d4dee65574c1de72e1fc671cbb75932ad2c213b2b6064b581b2e08fbfe10cbfeafa0c572bfc498de0

Download Submit
memory/8-164-0x0000000000000000-mapping.dmp

Download
memory/1448-140-0x00000243F0AD0000-0x00000243F0AF2000-memory.dmp

Filesize
136KB

Download
memory/1448-141-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/1448-160-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/1448-135-0x0000000000000000-mapping.dmp

Download
memory/1964-151-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/1964-143-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/1964-136-0x0000000000000000-mapping.dmp

Download
memory/2100-137-0x0000000000000000-mapping.dmp

Download
memory/2100-144-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/2100-158-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/3340-162-0x0000000000000000-mapping.dmp

Download
memory/3580-139-0x0000000000000000-mapping.dmp

Download
memory/3580-145-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/3580-159-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4212-157-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4212-138-0x0000000000000000-mapping.dmp

Download
memory/4212-142-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4716-161-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4716-149-0x0000000000700000-0x0000000000954000-memory.dmp

Filesize
2.3MB

Download
memory/4716-146-0x0000000000000000-mapping.dmp

Download
memory/4716-166-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4800-132-0x0000000000460000-0x00000000006B4000-memory.dmp

Filesize
2.3MB

Download
memory/4800-134-0x000000001C570000-0x000000001C5C0000-memory.dmp

Filesize
320KB

Download
memory/4800-133-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4800-150-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download