dcrat | 9084394a955e7b25bca70b2298e1e3359c5aab5189628b647eba18706ffd67c3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24EDBB670151083A35200EAE5E927259.exe
Size

2.0MB
MD5

24edbb670151083a35200eae5e927259
SHA1

c69efb169379d77388c94969fdcb3f50f768cfcc
SHA256

9084394a955e7b25bca70b2298e1e3359c5aab5189628b647eba18706ffd67c3
SHA512

dffdea54ed58823858cc30259b64536cd96c6ab28d8eb4570d9501d187b82ac48f1ee7ac8058555df725165ae660f279ec259b2dafa5b3056e98ed84b003b0a2
SSDEEP

49152:FqHEuTrhUqQcvwHnX9B0gQ1TgqAsoqbBmXob3:QHrUqQcvQnX9B0gQ1TgqAsRVmXob3

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2536	schtasks.exe
2440	schtasks.exe
2736	schtasks.exe
2864	schtasks.exe
2600	schtasks.exe
2224	schtasks.exe
2488	schtasks.exe
2772	schtasks.exe
240	schtasks.exe
1560	schtasks.exe
2404	schtasks.exe
1252	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\sppsvc.exe\""	24EDBB670151083A35200EAE5E927259.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2160	schtasks.exe	28

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000930000-0x0000000000B3A000-memory.dmp	dcrat
behavioral1/files/0x000800000001222a-36.dat	dcrat
behavioral1/files/0x000800000001222a-72.dat	dcrat
behavioral1/files/0x000800000001222a-73.dat	dcrat
behavioral1/memory/1496-82-0x00000000002B0000-0x00000000004BA000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1496	dwm.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\sppsvc.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\sppsvc.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	24EDBB670151083A35200EAE5E927259.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	24EDBB670151083A35200EAE5E927259.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2440	schtasks.exe
2736	schtasks.exe
2864	schtasks.exe
1560	schtasks.exe
2404	schtasks.exe
2772	schtasks.exe
2224	schtasks.exe
2536	schtasks.exe
1252	schtasks.exe
2600	schtasks.exe
2488	schtasks.exe
240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
2020	24EDBB670151083A35200EAE5E927259.exe
1968	powershell.exe
1920	powershell.exe
1820	powershell.exe
1944	powershell.exe
1524	powershell.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	24EDBB670151083A35200EAE5E927259.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1496	dwm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1820	2020	24EDBB670151083A35200EAE5E927259.exe	41
PID 2020 wrote to memory of 1820	2020	24EDBB670151083A35200EAE5E927259.exe	41
PID 2020 wrote to memory of 1820	2020	24EDBB670151083A35200EAE5E927259.exe	41
PID 2020 wrote to memory of 1920	2020	24EDBB670151083A35200EAE5E927259.exe	42
PID 2020 wrote to memory of 1920	2020	24EDBB670151083A35200EAE5E927259.exe	42
PID 2020 wrote to memory of 1920	2020	24EDBB670151083A35200EAE5E927259.exe	42
PID 2020 wrote to memory of 1524	2020	24EDBB670151083A35200EAE5E927259.exe	43
PID 2020 wrote to memory of 1524	2020	24EDBB670151083A35200EAE5E927259.exe	43
PID 2020 wrote to memory of 1524	2020	24EDBB670151083A35200EAE5E927259.exe	43
PID 2020 wrote to memory of 1944	2020	24EDBB670151083A35200EAE5E927259.exe	45
PID 2020 wrote to memory of 1944	2020	24EDBB670151083A35200EAE5E927259.exe	45
PID 2020 wrote to memory of 1944	2020	24EDBB670151083A35200EAE5E927259.exe	45
PID 2020 wrote to memory of 1968	2020	24EDBB670151083A35200EAE5E927259.exe	44
PID 2020 wrote to memory of 1968	2020	24EDBB670151083A35200EAE5E927259.exe	44
PID 2020 wrote to memory of 1968	2020	24EDBB670151083A35200EAE5E927259.exe	44
PID 2020 wrote to memory of 1496	2020	24EDBB670151083A35200EAE5E927259.exe	51
PID 2020 wrote to memory of 1496	2020	24EDBB670151083A35200EAE5E927259.exe	51
PID 2020 wrote to memory of 1496	2020	24EDBB670151083A35200EAE5E927259.exe	51
PID 1496 wrote to memory of 1616	1496	dwm.exe	52
PID 1496 wrote to memory of 1616	1496	dwm.exe	52
PID 1496 wrote to memory of 1616	1496	dwm.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\24EDBB670151083A35200EAE5E927259.exe
"C:\Users\Admin\AppData\Local\Temp\24EDBB670151083A35200EAE5E927259.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24EDBB670151083A35200EAE5E927259.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1496 -s 1132
    3⤵
    PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.1MB

MD5
cbed9b910fccf711ec72e79f39fb8082

SHA1
52e478f278f81d942961a3f37475f8859123b767

SHA256
76918c9853816513a0d1df79a4e0ef14bb2c87909f0cfd549bb662ec89b93642

SHA512
2821460eed0f1498d15553b0a0c8929e35653026c29493f1111c7a40ac42850f169c5ddd182930e021ec1d5ebea6054cfc5c6165cf5d8da523f2428f6c37b7ee

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.9MB

MD5
e3e2691d79bbf291c1b31b74bbf341b4

SHA1
09502c0c25c7755c4c79129c930f4927e3f277ab

SHA256
4fac42b42f7a113ba521255240b7d7b818403d27bd97ad37f84d9538b14c6484

SHA512
a3883a4ed2b5a7bf771a0d10be253ebd991d04ed23c89b8ab1d88c32a76243a6e960f44ae041fa3eeff919dbedbedf07ff95852ad9d5ab35321682cc62fb7465

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.4MB

MD5
499248224b205cd4537062ccd0a87c80

SHA1
92a62fdbcd8d8c60d9591f2effc3fe67afdc474b

SHA256
8394a2b2c6780c5a6d71b22dc89f15ffbde1d98308f010ba18ee0b945efff0af

SHA512
0092eb13165d867df54ddf791e70e89168ed6613220b3f5b920b44df118f4e588e61ed428d2136e0734e0b8fa36711691f1e6cfc54a5667bf28c44052b7a58b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cdd42d607215f00048a73b78e20cd764

SHA1
e87f601377eb2cbe921a3411c71110db6af29c70

SHA256
debe94cf0c7ea62b6109e30d5b6f91c3c0a9ff994c8d9734e881f0a3cfaf0385

SHA512
4e133b45e865399d6787ceb86bfd07ce71aab19578d835aced724a007cb9269d27132c8601205e16f1fd662c358a0c7096ffada9c564cb3cc1221162dfb3296b

Download Submit
memory/1496-131-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1496-130-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1496-129-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1496-82-0x00000000002B0000-0x00000000004BA000-memory.dmp

Filesize
2.0MB

Download
memory/1496-117-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1524-120-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1524-116-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1524-119-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-124-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-126-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1820-115-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1820-110-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1820-101-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1820-100-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1820-99-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1820-123-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1820-79-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/1820-98-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-121-0x00000000024CB000-0x0000000002532000-memory.dmp

Filesize
412KB

Download
memory/1920-125-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-111-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1920-109-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-108-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1920-107-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-113-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-112-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1944-114-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1944-102-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-128-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-127-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1968-118-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/1968-122-0x00000000025CB000-0x0000000002632000-memory.dmp

Filesize
412KB

Download
memory/1968-80-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/1968-106-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1968-105-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1968-103-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1968-104-0x000007FEEC290000-0x000007FEECC2D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-12-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/2020-7-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2020-10-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/2020-11-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/2020-15-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/2020-13-0x00000000023D0000-0x00000000023DC000-memory.dmp

Filesize
48KB

Download
memory/2020-42-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2020-14-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2020-32-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2020-31-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2020-0-0x0000000000930000-0x0000000000B3A000-memory.dmp

Filesize
2.0MB

Download
memory/2020-9-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2020-8-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/2020-97-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-22-0x000000001A950000-0x000000001A95C000-memory.dmp

Filesize
48KB

Download
memory/2020-6-0x00000000022C0000-0x00000000022DC000-memory.dmp

Filesize
112KB

Download
memory/2020-21-0x000000001A940000-0x000000001A94A000-memory.dmp

Filesize
40KB

Download
memory/2020-20-0x000000001A930000-0x000000001A93C000-memory.dmp

Filesize
48KB

Download
memory/2020-19-0x000000001A920000-0x000000001A92E000-memory.dmp

Filesize
56KB

Download
memory/2020-5-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/2020-18-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2020-4-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2020-17-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2020-16-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/2020-3-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2020-2-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2020-1-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download