dcrat | c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.6MB
MD5

373992db74a918562686a9e9144ecbbe
SHA1

953c7daaec55cdf106b371b555bc73f83a127b26
SHA256

c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac
SHA512

ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4
SSDEEP

24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	964	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe	dcrat
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe	dcrat
behavioral2/memory/776-145-0x00000000006F0000-0x0000000000844000-memory.dmp	dcrat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe	dcrat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe	dcrat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeWScript.execomponentMonitorcommon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	componentMonitorcommon.exe

Executes dropped EXE 2 IoCs

Processes:

componentMonitorcommon.exesysmon.exe

pid process

776 componentMonitorcommon.exe
1504 sysmon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io
34 ipinfo.io

flow	ioc
35	ipinfo.io
34	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

componentMonitorcommon.exe

description	ioc	process
File created	C:\Windows\SysWOW64\pl-PL\Idle.exe	componentMonitorcommon.exe
File created	C:\Windows\SysWOW64\pl-PL\6ccacd8608530f	componentMonitorcommon.exe

Drops file in Program Files directory 2 IoCs

Processes:

componentMonitorcommon.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\121e5b5079f7c0	componentMonitorcommon.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe	componentMonitorcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
704	schtasks.exe
3976	schtasks.exe
4068	schtasks.exe
3336	schtasks.exe
116	schtasks.exe
2892	schtasks.exe
3220	schtasks.exe
2572	schtasks.exe
112	schtasks.exe

Modifies registry class 1 IoCs

Processes:

tmp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	tmp.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

componentMonitorcommon.exepowershell.exepowershell.exepowershell.exepowershell.exesysmon.exe

pid	process
776	componentMonitorcommon.exe
776	componentMonitorcommon.exe
776	componentMonitorcommon.exe
1756	powershell.exe
4368	powershell.exe
2376	powershell.exe
1776	powershell.exe
4368	powershell.exe
2376	powershell.exe
1504	sysmon.exe
1756	powershell.exe
1776	powershell.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe
1504	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sysmon.exe

pid process

1504 sysmon.exe

pid	process
1504	sysmon.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

componentMonitorcommon.exepowershell.exepowershell.exepowershell.exepowershell.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	776	componentMonitorcommon.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1504	sysmon.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exeWScript.execmd.execomponentMonitorcommon.exe

description	pid	process	target process
PID 1268 wrote to memory of 3324	1268	tmp.exe	WScript.exe
PID 1268 wrote to memory of 3324	1268	tmp.exe	WScript.exe
PID 1268 wrote to memory of 3324	1268	tmp.exe	WScript.exe
PID 3324 wrote to memory of 2300	3324	WScript.exe	cmd.exe
PID 3324 wrote to memory of 2300	3324	WScript.exe	cmd.exe
PID 3324 wrote to memory of 2300	3324	WScript.exe	cmd.exe
PID 2300 wrote to memory of 776	2300	cmd.exe	componentMonitorcommon.exe
PID 2300 wrote to memory of 776	2300	cmd.exe	componentMonitorcommon.exe
PID 776 wrote to memory of 1756	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 1756	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 1776	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 1776	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 4368	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 4368	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 2376	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 2376	776	componentMonitorcommon.exe	powershell.exe
PID 776 wrote to memory of 1504	776	componentMonitorcommon.exe	sysmon.exe
PID 776 wrote to memory of 1504	776	componentMonitorcommon.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
"C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\pl-PL\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvvd0ezl.jos.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat
Filesize
55B

MD5
4eca9a6bf6c52d04c26fa14ea74bf227

SHA1
ca0fea58051517e6295da2da5e3f249ad4ff3504

SHA256
96ca7d8a38fd1f411bf623f952bbd4b8e93243167c2158917eba0d68f00e85cc

SHA512
3d818f8e1ea332deb3a0aaff2284deb6380639a56dc30a7e675cfe76c253f0c626783e5b7652cd6dbad541022ccb6058376ec5d7f12d0674a4478cfefef9df18

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe
Filesize
224B

MD5
7b5df8b8d4d8d1b95b3313ffaf3c420b

SHA1
70c9cb3ea22d5349044e03f7e6fa4d98e6bc208d

SHA256
1c307726e10a7546162838a9981c0d0565306998ed731ee73a047d664d72a3ea

SHA512
ddc870977887cd25ca709ff3b3be1311d7478e5c361936d3ff3dd845aa04633fcc081a27bc088e20001f1105862c88972d9325a3b40126157906400ccda65270

Download Submit
memory/776-145-0x00000000006F0000-0x0000000000844000-memory.dmp

Filesize
1.3MB

Download
memory/776-146-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/776-147-0x000000001B9F0000-0x000000001BA40000-memory.dmp

Filesize
320KB

Download
memory/1504-217-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/1504-257-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/1504-218-0x000000001CF40000-0x000000001D102000-memory.dmp

Filesize
1.8MB

Download
memory/1504-219-0x000000001DB40000-0x000000001E068000-memory.dmp

Filesize
5.2MB

Download
memory/1504-255-0x000000001BDB0000-0x000000001BDE0000-memory.dmp

Filesize
192KB

Download
memory/1504-256-0x000000001D610000-0x000000001D7B9000-memory.dmp

Filesize
1.7MB

Download
memory/1756-164-0x000001E5BC310000-0x000001E5BC320000-memory.dmp

Filesize
64KB

Download
memory/1756-170-0x000001E5BC310000-0x000001E5BC320000-memory.dmp

Filesize
64KB

Download
memory/1756-188-0x000001E5D47B0000-0x000001E5D47D2000-memory.dmp

Filesize
136KB

Download
memory/2376-163-0x0000025247F40000-0x0000025247F50000-memory.dmp

Filesize
64KB

Download
memory/2376-161-0x0000025247F40000-0x0000025247F50000-memory.dmp

Filesize
64KB

Download
memory/4368-169-0x0000028F496E0000-0x0000028F496F0000-memory.dmp

Filesize
64KB

Download
memory/4368-168-0x0000028F496E0000-0x0000028F496F0000-memory.dmp

Filesize
64KB

Download