dcrat | e472d4ac46025c6c8b5e0a745cbde67adc25f8297732b8d432ef7b63c219c2b2

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
Size

2.3MB
MD5

333413d3a10dbf3bf121d1ab4b866346
SHA1

e4ab9d6bbc56e1c48c2a444cf885833af963fd09
SHA256

7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842
SHA512

59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20
SSDEEP

49152:INaBz16Zarg7zdXaCVCPr5szFTBwWGZfr9KWz/:Ia8YQsfPrUlyWGF4Wz/

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1120	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1120	schtasks.exe	86

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2920-136-0x00000000006E0000-0x0000000000932000-memory.dmp	dcrat
behavioral2/files/0x00060000000230a4-149.dat	dcrat
behavioral2/files/0x00060000000230a9-167.dat	dcrat
behavioral2/files/0x00060000000230a9-168.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	unsecapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
25	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\lsass.exe	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\6203df4a6bafc7	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\e1ef82546f0b02	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\RuntimeBroker.exe	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Windows\Offline Web Pages\9e8d7a4ca61bd9	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Windows\Cursors\RuntimeBroker.exe	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
File created	C:\Windows\Cursors\9e8d7a4ca61bd9	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2484	schtasks.exe
1964	schtasks.exe
3740	schtasks.exe
2412	schtasks.exe
3556	schtasks.exe
2900	schtasks.exe
4580	schtasks.exe
4948	schtasks.exe
2704	schtasks.exe
3972	schtasks.exe
648	schtasks.exe
1128	schtasks.exe
3684	schtasks.exe
4920	schtasks.exe
4532	schtasks.exe
2464	schtasks.exe
3652	schtasks.exe
4528	schtasks.exe
4776	schtasks.exe
3884	schtasks.exe
2284	schtasks.exe
2684	schtasks.exe
1832	schtasks.exe
4088	schtasks.exe
4304	schtasks.exe
4212	schtasks.exe
2660	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe
1668	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
Token: SeDebugPrivilege	1668	unsecapp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1816	2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe	114
PID 2920 wrote to memory of 1816	2920	7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe	114
PID 1816 wrote to memory of 844	1816	cmd.exe	116
PID 1816 wrote to memory of 844	1816	cmd.exe	116
PID 1816 wrote to memory of 1668	1816	cmd.exe	121
PID 1816 wrote to memory of 1668	1816	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe
"C:\Users\Admin\AppData\Local\Temp\7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D4AhPIy1ax.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:844
- - C:\odt\unsecapp.exe
    "C:\odt\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D4AhPIy1ax.bat

Filesize
184B

MD5
35875f6af01cc4ee42ce3dfd6a42f416

SHA1
b9af1788c1ebc2cc21b4ca3eb46f611966e5474c

SHA256
176a5769c17e3f7e6508c49fd2639616422eeef71f2ad6d2d31a9fade25c8a93

SHA512
9e62802a0f44f11c43192f529e61f76999a7bdaf9dc7096e420edaa33a4673f48e394f2f4eba6469f15ee86c732d5c00b2b9e7fa5f1c0db5b89258f6f5bc21e8

Download Submit
C:\Users\Admin\SearchApp.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
C:\odt\unsecapp.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
C:\odt\unsecapp.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
memory/1668-172-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download
memory/1668-171-0x00007FF9EDBD0000-0x00007FF9EE691000-memory.dmp

Filesize
10.8MB

Download
memory/1668-170-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download
memory/1668-169-0x00007FF9EDBD0000-0x00007FF9EE691000-memory.dmp

Filesize
10.8MB

Download
memory/2920-139-0x000000001BC30000-0x000000001BC80000-memory.dmp

Filesize
320KB

Download
memory/2920-164-0x00007FF9ED950000-0x00007FF9EE411000-memory.dmp

Filesize
10.8MB

Download
memory/2920-140-0x000000001C1B0000-0x000000001C6D8000-memory.dmp

Filesize
5.2MB

Download
memory/2920-136-0x00000000006E0000-0x0000000000932000-memory.dmp

Filesize
2.3MB

Download
memory/2920-138-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/2920-137-0x00007FF9ED950000-0x00007FF9EE411000-memory.dmp

Filesize
10.8MB

Download