dcrat | db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

Analysis

max time kernel
184s
max time network
206s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Size

831KB
MD5

f08a6e9c47eb0d630cddd00a3d9e696c
SHA1

daec48aa94f39454581ba677cf54c24212ecbbc8
SHA256

db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338
SHA512

8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16
SSDEEP

24576:fNJByB9O08sndZuYdSZ5XF8TYCVggA+r+gn:1JN0ldsXFvg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2720	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2720	schtasks.exe	29

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000E90000-0x0000000000F66000-memory.dmp	dcrat
behavioral1/memory/2060-2-0x000000001B1A0000-0x000000001B220000-memory.dmp	dcrat
behavioral1/files/0x0006000000018a9c-11.dat	dcrat
behavioral1/memory/2060-24-0x000000001B1A0000-0x000000001B220000-memory.dmp	dcrat
behavioral1/files/0x0006000000018bbc-30.dat	dcrat
behavioral1/files/0x0006000000018bbc-31.dat	dcrat
behavioral1/memory/2564-33-0x0000000001070000-0x0000000001146000-memory.dmp	dcrat
behavioral1/memory/2564-34-0x000000001B0D0000-0x000000001B150000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2564	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\WmiPrvSE.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows Journal\24dbde2999530e	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Idle.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\6ccacd8608530f	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows NT\lsass.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows NT\6203df4a6bafc7	F08A6E9C47EB0D630CDDD00A3D9E696C.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\ASP.NET_4.0.30319\0000\27d1bcfc3c54e0	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\de-DE\spoolsv.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\de-DE\f3b6ecef712a24	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1092	schtasks.exe
2740	schtasks.exe
672	schtasks.exe
1400	schtasks.exe
1892	schtasks.exe
1268	schtasks.exe
2980	schtasks.exe
320	schtasks.exe
1208	schtasks.exe
1320	schtasks.exe
2800	schtasks.exe
3032	schtasks.exe
2592	schtasks.exe
2640	schtasks.exe
2464	schtasks.exe
768	schtasks.exe
2264	schtasks.exe
760	schtasks.exe
924	schtasks.exe
1852	schtasks.exe
2600	schtasks.exe
2680	schtasks.exe
2524	schtasks.exe
2252	schtasks.exe
240	schtasks.exe
2828	schtasks.exe
2960	schtasks.exe
2520	schtasks.exe
1692	schtasks.exe
1220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe
2564	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Token: SeDebugPrivilege	2564	System.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2564	2060	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	60
PID 2060 wrote to memory of 2564	2060	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	60
PID 2060 wrote to memory of 2564	2060	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe
"C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe
  "C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA07.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAA48.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
C:\Windows\inf\ASP.NET_4.0.30319\0000\System.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
memory/2060-35-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-1-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-2-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2060-23-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-24-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2060-0-0x0000000000E90000-0x0000000000F66000-memory.dmp

Filesize
856KB

Download
memory/2564-33-0x0000000001070000-0x0000000001146000-memory.dmp

Filesize
856KB

Download
memory/2564-36-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-37-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2564-34-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2564-32-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

Filesize
9.9MB

Download