dcrat | fcc38c997f97bf75b8c29146cfdd4d4c1e5092a84417a26bf9dafe94be14b2f5

Analysis

max time kernel
37s
max time network
39s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-06-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0XCHEATS CRACK.exe
Size

1.2MB
MD5

deac5e3b637fb9f6d0002974c7f2ad1b
SHA1

a9eaaa82f56a124c6cdd43a21f5893082053aa01
SHA256

fcc38c997f97bf75b8c29146cfdd4d4c1e5092a84417a26bf9dafe94be14b2f5
SHA512

d055e42497ff03d5128e95009d6c2b8be96f857e88795e710071eaf8ffb7973c7912fe0ea254634465cefdb5a4ee7cb10f429d186702ccdb680206b39854b1e7
SSDEEP

12288:nRZ+IoG/n9IQxW3OBsegGibs15tT/MZrdzSn219I5txlMK6Nbo7UZVCjyWMjAy8k:P2G/nvxW3WD02b6CU0yoj4HG13l9+4A

Score

10^/10

dcrat evasion infostealer persistence rat

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeIntorefreviewSavesdhcp.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2020	schtasks.exe
1668	schtasks.exe
1440	schtasks.exe
364	schtasks.exe
File created	C:\Windows\System32\KBDKHMR\conhost.exe	IntorefreviewSavesdhcp.exe
760	schtasks.exe
636	schtasks.exe
1016	schtasks.exe
1752	schtasks.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	1848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1848	schtasks.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Intoref\IntorefreviewSavesdhcp.exe	dcrat
C:\Intoref\IntorefreviewSavesdhcp.exe	dcrat
\Intoref\IntorefreviewSavesdhcp.exe	dcrat
C:\Intoref\IntorefreviewSavesdhcp.exe	dcrat
behavioral1/memory/1812-67-0x0000000000210000-0x0000000000300000-memory.dmp	dcrat
C:\Program Files\Windows Defender\it-IT\explorer.exe	dcrat
C:\Intoref\IntorefreviewSavesdhcp.exe	dcrat
C:\Windows\System32\sppc\csrss.exe	dcrat
C:\Windows\System32\sppc\csrss.exe	dcrat
behavioral1/memory/764-92-0x0000000000F30000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/764-94-0x000000001AE70000-0x000000001AEF0000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.execsrss.exe

pid process

1812 IntorefreviewSavesdhcp.exe
1740 IntorefreviewSavesdhcp.exe
764 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1664 cmd.exe
1664 cmd.exe

pid	process
1812	IntorefreviewSavesdhcp.exe
1740	IntorefreviewSavesdhcp.exe
764	csrss.exe

pid	process
1664	cmd.exe
1664	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\KBDKHMR\\conhost.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\sqlceoledb30\\winlogon.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Defender\\it-IT\\explorer.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\d3d11\\dwm.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\atl\\wininit.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Documents\\winlogon.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\sppc\\csrss.exe\""	IntorefreviewSavesdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Mail\\en-US\\System.exe\""	IntorefreviewSavesdhcp.exe

Drops file in System32 directory 11 IoCs

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.exe

description	ioc	process
File created	C:\Windows\System32\sppc\886983d96e3d3e31032c679b2d4ea91b6c05afef	IntorefreviewSavesdhcp.exe
File opened for modification	C:\Windows\System32\KBDKHMR\conhost.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\KBDKHMR\088424020bedd6b28ac7fd22ee35dcd7322895ce	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\d3d11\dwm.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\atl\560854153607923c4c5f107085a7db67be01f252	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\atl\wininit.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\sppc\csrss.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\KBDKHMR\conhost.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\sqlceoledb30\winlogon.exe	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\sqlceoledb30\cc11b995f2a76da408ea6a601e682e64743153ad	IntorefreviewSavesdhcp.exe
File created	C:\Windows\System32\d3d11\6cb0b6c459d5d3455a3da700e713f2e2529862ff	IntorefreviewSavesdhcp.exe

Drops file in Program Files directory 4 IoCs

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\it-IT\explorer.exe	IntorefreviewSavesdhcp.exe
File created	C:\Program Files\Windows Defender\it-IT\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	IntorefreviewSavesdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\System.exe	IntorefreviewSavesdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a	IntorefreviewSavesdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2020 schtasks.exe
1668 schtasks.exe
636 schtasks.exe
1016 schtasks.exe
1440 schtasks.exe
364 schtasks.exe
1752 schtasks.exe
760 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1780 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.exe

pid process

1812 IntorefreviewSavesdhcp.exe
1740 IntorefreviewSavesdhcp.exe

pid	process
2020	schtasks.exe
1668	schtasks.exe
636	schtasks.exe
1016	schtasks.exe
1440	schtasks.exe
364	schtasks.exe
1752	schtasks.exe
760	schtasks.exe

pid	process
1780	reg.exe

pid	process
1812	IntorefreviewSavesdhcp.exe
1740	IntorefreviewSavesdhcp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

IntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1812	IntorefreviewSavesdhcp.exe
Token: SeDebugPrivilege	1740	IntorefreviewSavesdhcp.exe
Token: SeDebugPrivilege	764	csrss.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

0XCHEATS CRACK.exeWScript.execmd.exeIntorefreviewSavesdhcp.exeIntorefreviewSavesdhcp.exe

description	pid	process	target process
PID 1768 wrote to memory of 1168	1768	0XCHEATS CRACK.exe	WScript.exe
PID 1768 wrote to memory of 1168	1768	0XCHEATS CRACK.exe	WScript.exe
PID 1768 wrote to memory of 1168	1768	0XCHEATS CRACK.exe	WScript.exe
PID 1768 wrote to memory of 1168	1768	0XCHEATS CRACK.exe	WScript.exe
PID 1168 wrote to memory of 1664	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 1664	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 1664	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 1664	1168	WScript.exe	cmd.exe
PID 1664 wrote to memory of 1812	1664	cmd.exe	IntorefreviewSavesdhcp.exe
PID 1664 wrote to memory of 1812	1664	cmd.exe	IntorefreviewSavesdhcp.exe
PID 1664 wrote to memory of 1812	1664	cmd.exe	IntorefreviewSavesdhcp.exe
PID 1664 wrote to memory of 1812	1664	cmd.exe	IntorefreviewSavesdhcp.exe
PID 1812 wrote to memory of 1740	1812	IntorefreviewSavesdhcp.exe	IntorefreviewSavesdhcp.exe
PID 1812 wrote to memory of 1740	1812	IntorefreviewSavesdhcp.exe	IntorefreviewSavesdhcp.exe
PID 1812 wrote to memory of 1740	1812	IntorefreviewSavesdhcp.exe	IntorefreviewSavesdhcp.exe
PID 1664 wrote to memory of 1780	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1780	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1780	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1780	1664	cmd.exe	reg.exe
PID 1740 wrote to memory of 764	1740	IntorefreviewSavesdhcp.exe	csrss.exe
PID 1740 wrote to memory of 764	1740	IntorefreviewSavesdhcp.exe	csrss.exe
PID 1740 wrote to memory of 764	1740	IntorefreviewSavesdhcp.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0XCHEATS CRACK.exe
"C:\Users\Admin\AppData\Local\Temp\0XCHEATS CRACK.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Intoref\Pte8YF1osbZR2uadE24.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Intoref\x2Gksn.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Intoref\IntorefreviewSavesdhcp.exe
"C:\Intoref\IntorefreviewSavesdhcp.exe"
4⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Intoref\IntorefreviewSavesdhcp.exe
"C:\Intoref\IntorefreviewSavesdhcp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\sppc\csrss.exe
"C:\Windows\System32\sppc\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDKHMR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\sqlceoledb30\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\d3d11\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\atl\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\sppc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intoref\IntorefreviewSavesdhcp.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
C:\Intoref\IntorefreviewSavesdhcp.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
C:\Intoref\IntorefreviewSavesdhcp.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
C:\Intoref\Pte8YF1osbZR2uadE24.vbe
Filesize
190B

MD5
51405a82a1c1f0cee77a00b886411708

SHA1
01ca085fa65258a360622fff15f7e13d2e28e9b5

SHA256
de12ca7903ea3f438d6153e0bc2e58811fae972579f2b30f9fa07d2fb647d4b3

SHA512
ed4d99031e492a1c839ba4b36e112ba8f62dcd91a185d421a678410c4b2b5c616591739c5f3ad4f734073c495500d98974f2f5c33121a5d2116aa4f039c576d9

Download Submit
C:\Intoref\x2Gksn.bat
Filesize
151B

MD5
376c2f73d44bb6e9a4f3ffa8191cbd13

SHA1
ac2c3573a47f76a541914e7d01a61e565b38afa6

SHA256
086181948fcdf96d5de58e9000220e5825fa97df1a50823ae803bd1afa325081

SHA512
07794f4725e080cf5d5cbacc592a8bcd8071c70f7926ace2a5da939e13e0958f3fdaeb72e82625231d3ae1841f9df978ecc2d426e09bbb8521bf36a838864914

Download Submit
C:\Program Files\Windows Defender\it-IT\explorer.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
C:\Windows\System32\sppc\csrss.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
C:\Windows\System32\sppc\csrss.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
\Intoref\IntorefreviewSavesdhcp.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
\Intoref\IntorefreviewSavesdhcp.exe
Filesize
931KB

MD5
026ad0d7148f15cea5e23271f08fb1d2

SHA1
d2b7985c514e421d2c12d3c562217a6d7e582bc6

SHA256
9d05d4fda429a34ff020da16439ba4389ad347576fe22f270014bb5857b6cda5

SHA512
64312f9627b0443cb635d2da10caa440d4ed399b418cdf98eaf4dc5001d29de857eb3b1139c3c102d72964ad18f7613d668a877603745e5b45a9684b1ce0c946

Download Submit
memory/764-92-0x0000000000F30000-0x0000000001020000-memory.dmp

Filesize
960KB

Download
memory/764-93-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/764-94-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/1812-67-0x0000000000210000-0x0000000000300000-memory.dmp

Filesize
960KB

Download
memory/1812-76-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download