dcrat | fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d

Resubmissions

12-02-2023 06:08

230212-gwaw9shf55 10

02-02-2023 03:07

230202-dmra4see74 10

Analysis

max time kernel
138s
max time network
190s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-02-2023 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PZCheat.exe
Size

1.5MB
MD5

164ba5ee6f6b30539e874248ccfa4c05
SHA1

6b14ed8dab712359453779f2896e1cbad78871d7
SHA256

fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d
SHA512

c9b2eef0e4499832f9c4eca8b503f17f4cc7589d0d2b12fe82572ad5df23e85cef9267bdc24928b7ac6df0fff70fe49d2422d6e9a549f07a74c8f9bd47892cfc
SSDEEP

24576:B2G/nvxW3WLRnhzLfSRyBWkNUk9tJIzxIq2+kt3S5wFAiQuwV4ilByjNTVu1:BbA3+p9SRyBW0Tty2E5wFzQuo4iupRu1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1616	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1984-66-0x00000000002A0000-0x000000000065C000-memory.dmp	dcrat
behavioral1/memory/1984-71-0x00000000002A0000-0x000000000065C000-memory.dmp	dcrat
behavioral1/memory/468-80-0x00000000003D0000-0x000000000078C000-memory.dmp	dcrat
behavioral1/memory/468-81-0x00000000003D0000-0x000000000078C000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

containersavesCrt.exelsass.exe

pid process

1984 containersavesCrt.exe
468 lsass.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

888 cmd.exe
888 cmd.exe
1416 cmd.exe
1416 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

containersavesCrt.exelsass.exe

pid process

1984 containersavesCrt.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe

pid	process
1984	containersavesCrt.exe
468	lsass.exe

pid	process
888	cmd.exe
888	cmd.exe
1416	cmd.exe
1416	cmd.exe

pid	process
1984	containersavesCrt.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe

Drops file in Program Files directory 2 IoCs

Processes:

containersavesCrt.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe	containersavesCrt.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f	containersavesCrt.exe

Drops file in Windows directory 5 IoCs

Processes:

containersavesCrt.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\cmd.exe	containersavesCrt.exe
File created	C:\Windows\Logs\DPX\ebf1f9fa8afd6d	containersavesCrt.exe
File created	C:\Windows\Microsoft.NET\assembly\winlogon.exe	containersavesCrt.exe
File created	C:\Windows\Microsoft.NET\assembly\cc11b995f2a76d	containersavesCrt.exe
File created	C:\Windows\Logs\DPX\cmd.exe	containersavesCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1264	schtasks.exe
1828	schtasks.exe
1940	schtasks.exe
384	schtasks.exe
1980	schtasks.exe
1920	schtasks.exe
268	schtasks.exe
1308	schtasks.exe
316	schtasks.exe
1760	schtasks.exe
1912	schtasks.exe
1512	schtasks.exe
1392	schtasks.exe
912	schtasks.exe
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

containersavesCrt.exelsass.exe

pid process

1984 containersavesCrt.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
468 lsass.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

containersavesCrt.exelsass.exe

description pid process

Token: SeDebugPrivilege 1984 containersavesCrt.exe
Token: SeDebugPrivilege 468 lsass.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

containersavesCrt.exelsass.exe

pid process

1984 containersavesCrt.exe
468 lsass.exe

pid	process
1984	containersavesCrt.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe
468	lsass.exe

description	pid	process
Token: SeDebugPrivilege	1984	containersavesCrt.exe
Token: SeDebugPrivilege	468	lsass.exe

pid	process
1984	containersavesCrt.exe
468	lsass.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

PZCheat.exeWScript.execmd.execontainersavesCrt.execmd.exew32tm.exe

description	pid	process	target process
PID 944 wrote to memory of 1380	944	PZCheat.exe	WScript.exe
PID 944 wrote to memory of 1380	944	PZCheat.exe	WScript.exe
PID 944 wrote to memory of 1380	944	PZCheat.exe	WScript.exe
PID 944 wrote to memory of 1380	944	PZCheat.exe	WScript.exe
PID 1380 wrote to memory of 888	1380	WScript.exe	cmd.exe
PID 1380 wrote to memory of 888	1380	WScript.exe	cmd.exe
PID 1380 wrote to memory of 888	1380	WScript.exe	cmd.exe
PID 1380 wrote to memory of 888	1380	WScript.exe	cmd.exe
PID 888 wrote to memory of 1984	888	cmd.exe	containersavesCrt.exe
PID 888 wrote to memory of 1984	888	cmd.exe	containersavesCrt.exe
PID 888 wrote to memory of 1984	888	cmd.exe	containersavesCrt.exe
PID 888 wrote to memory of 1984	888	cmd.exe	containersavesCrt.exe
PID 1984 wrote to memory of 1416	1984	containersavesCrt.exe	cmd.exe
PID 1984 wrote to memory of 1416	1984	containersavesCrt.exe	cmd.exe
PID 1984 wrote to memory of 1416	1984	containersavesCrt.exe	cmd.exe
PID 1984 wrote to memory of 1416	1984	containersavesCrt.exe	cmd.exe
PID 1416 wrote to memory of 1636	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 1636	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 1636	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 1636	1416	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 2036	1636	w32tm.exe	w32tm.exe
PID 1636 wrote to memory of 2036	1636	w32tm.exe	w32tm.exe
PID 1636 wrote to memory of 2036	1636	w32tm.exe	w32tm.exe
PID 1636 wrote to memory of 2036	1636	w32tm.exe	w32tm.exe
PID 1416 wrote to memory of 468	1416	cmd.exe	lsass.exe
PID 1416 wrote to memory of 468	1416	cmd.exe	lsass.exe
PID 1416 wrote to memory of 468	1416	cmd.exe	lsass.exe
PID 1416 wrote to memory of 468	1416	cmd.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\PZCheat.exe
"C:\Users\Admin\AppData\Local\Temp\PZCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\surrogateContainerhostcrtDll\containersavesCrt.exe
      "C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZdpG9cvkU5.bat"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2036
      - C:\Users\Default\Downloads\lsass.exe
        
        "C:\Users\Default\Downloads\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DPX\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZdpG9cvkU5.bat

Filesize
201B

MD5
da548d18752ad95ab2975eddb3be5ee6

SHA1
55a46a7254ee21d5ba5644660a4903f8a96852bc

SHA256
e778f487c9420b840021b8354f05310dbaf0b7eca822f4a267edac361c23fbf8

SHA512
435f00dc65fc91baf93d7f97c473d89d5b14dbe456ec91b66edbe9cb6e4b002526a28c160ca1c1e487997da21eb486da6e2b48689829838c3c1cbe3b029cf22e

Download Submit
C:\Users\Default\Downloads\lsass.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\Users\Default\Downloads\lsass.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat

Filesize
55B

MD5
f1a7c3c3ddb14918973adcec0ca793e5

SHA1
cd8dc923af6be2083d0a41f69fb32c9a08b2ea7a

SHA256
ed360b14dbbe3a7a03e882f0bd9b892af8357642fcbb296e62bac96112d4a526

SHA512
472f2d9d775d7b3a9a17fc8327040438e591ffbaaf87be8353a4e02446bd5ee805ce39fa2c57f1b32ca6f971210fba6532d3b993b7f861a6dd49edb0986dbccf

Download Submit
C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe

Filesize
226B

MD5
6a5882c4cb8293cb361d7f95c51de59e

SHA1
48662867659024019cfc01e2e4731f9efaa83c67

SHA256
1ce3ab815dfa8ab817dab9bb42c012e940041735fa4f2064f780cd44b7a5c0a2

SHA512
e5c5940e4f1358688df06cb84ab1b9ea3a26a336ccbef7b02b0c40cb6477894855c8513f037ec602b4fce7a72f4a54b4f4ccf314437b595521aa4b3d4f21fe9f

Download Submit
\Users\Default\Downloads\lsass.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\Users\Default\Downloads\lsass.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
memory/468-82-0x00000000003D0000-0x000000000078C000-memory.dmp

Filesize
3.7MB

Download
memory/468-80-0x00000000003D0000-0x000000000078C000-memory.dmp

Filesize
3.7MB

Download
memory/468-81-0x00000000003D0000-0x000000000078C000-memory.dmp

Filesize
3.7MB

Download
memory/468-77-0x0000000000000000-mapping.dmp

Download
memory/888-59-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000000000-mapping.dmp

Download
memory/1416-68-0x0000000000000000-mapping.dmp

Download
memory/1636-70-0x0000000000000000-mapping.dmp

Download
memory/1984-71-0x00000000002A0000-0x000000000065C000-memory.dmp

Filesize
3.7MB

Download
memory/1984-67-0x00000000002A0000-0x000000000065C000-memory.dmp

Filesize
3.7MB

Download
memory/1984-66-0x00000000002A0000-0x000000000065C000-memory.dmp

Filesize
3.7MB

Download
memory/1984-63-0x0000000000000000-mapping.dmp

Download
memory/2036-73-0x0000000000000000-mapping.dmp

Download