dcrat | 195688fdc5454fb7f6ba8188015e395bfe86876a9c0e28b818944ee264f0e77c

Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Analysis

max time kernel
60s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
12-06-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Size

9.4MB
MD5

813b749967045532f86e6442447bcd8b
SHA1

8d0615e7f7ba672a3fc94c05a9451f9d08797af7
SHA256

0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464
SHA512

47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877
SSDEEP

24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/4588-6-0x0000000000400000-0x0000000000538000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2140	spoolsv.exe
2508	spoolsv.exe
2904	spoolsv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 2140 set thread context of 2904	2140	spoolsv.exe	117

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\e6c9b481da804f07baff8eff543b0a1441069b5d	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1792	1020	WerFault.exe	79
3280	2140	WerFault.exe	106

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2936	schtasks.exe
900	schtasks.exe
2568	schtasks.exe
4828	schtasks.exe
3920	schtasks.exe
4116	schtasks.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
940	timeout.exe
4852	timeout.exe
5052	timeout.exe
5112	timeout.exe
3196	timeout.exe
2452	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
2904	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Token: SeDebugPrivilege	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Token: SeDebugPrivilege	2140	spoolsv.exe
Token: SeDebugPrivilege	2904	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3376	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	80
PID 1020 wrote to memory of 3376	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	80
PID 1020 wrote to memory of 3376	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	80
PID 3376 wrote to memory of 5052	3376	cmd.exe	82
PID 3376 wrote to memory of 5052	3376	cmd.exe	82
PID 3376 wrote to memory of 5052	3376	cmd.exe	82
PID 1020 wrote to memory of 3948	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	83
PID 1020 wrote to memory of 3948	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	83
PID 1020 wrote to memory of 3948	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	83
PID 3948 wrote to memory of 5112	3948	cmd.exe	85
PID 3948 wrote to memory of 5112	3948	cmd.exe	85
PID 3948 wrote to memory of 5112	3948	cmd.exe	85
PID 1020 wrote to memory of 1620	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 1020 wrote to memory of 1620	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 1020 wrote to memory of 1620	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 1620 wrote to memory of 3196	1620	cmd.exe	88
PID 1620 wrote to memory of 3196	1620	cmd.exe	88
PID 1620 wrote to memory of 3196	1620	cmd.exe	88
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 1020 wrote to memory of 4588	1020	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	89
PID 4588 wrote to memory of 2936	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	94
PID 4588 wrote to memory of 2936	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	94
PID 4588 wrote to memory of 2936	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	94
PID 4588 wrote to memory of 900	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	96
PID 4588 wrote to memory of 900	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	96
PID 4588 wrote to memory of 900	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	96
PID 4588 wrote to memory of 2568	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	98
PID 4588 wrote to memory of 2568	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	98
PID 4588 wrote to memory of 2568	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	98
PID 4588 wrote to memory of 4828	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	100
PID 4588 wrote to memory of 4828	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	100
PID 4588 wrote to memory of 4828	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	100
PID 4588 wrote to memory of 3920	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 4588 wrote to memory of 3920	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 4588 wrote to memory of 3920	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 4588 wrote to memory of 4116	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	104
PID 4588 wrote to memory of 4116	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	104
PID 4588 wrote to memory of 4116	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	104
PID 4588 wrote to memory of 2140	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	106
PID 4588 wrote to memory of 2140	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	106
PID 4588 wrote to memory of 2140	4588	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	106
PID 2140 wrote to memory of 1960	2140	spoolsv.exe	107
PID 2140 wrote to memory of 1960	2140	spoolsv.exe	107
PID 2140 wrote to memory of 1960	2140	spoolsv.exe	107
PID 1960 wrote to memory of 2452	1960	cmd.exe	109
PID 1960 wrote to memory of 2452	1960	cmd.exe	109
PID 1960 wrote to memory of 2452	1960	cmd.exe	109
PID 2140 wrote to memory of 4596	2140	spoolsv.exe	110
PID 2140 wrote to memory of 4596	2140	spoolsv.exe	110
PID 2140 wrote to memory of 4596	2140	spoolsv.exe	110
PID 4596 wrote to memory of 940	4596	cmd.exe	112
PID 4596 wrote to memory of 940	4596	cmd.exe	112
PID 4596 wrote to memory of 940	4596	cmd.exe	112
PID 2140 wrote to memory of 3392	2140	spoolsv.exe	113
PID 2140 wrote to memory of 3392	2140	spoolsv.exe	113
PID 2140 wrote to memory of 3392	2140	spoolsv.exe	113
PID 3392 wrote to memory of 4852	3392	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
"C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3196
- C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
  "C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2936
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\explorer.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:900
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3920
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4116
- - C:\Recovery\WindowsRE\spoolsv.exe
    "C:\Recovery\WindowsRE\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4852
  - - C:\Recovery\WindowsRE\spoolsv.exe
      "C:\Recovery\WindowsRE\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:2508
  - - C:\Recovery\WindowsRE\spoolsv.exe
      "C:\Recovery\WindowsRE\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 912
      4⤵
      Program crash
      PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 904
  2⤵
  - Program crash
  PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2140 -ip 2140
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Searches\spoolsv.exe

Filesize
9.4MB

MD5
813b749967045532f86e6442447bcd8b

SHA1
8d0615e7f7ba672a3fc94c05a9451f9d08797af7

SHA256
0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

SHA512
47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

Download Submit
memory/1020-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1020-1-0x0000000000EA0000-0x00000000017FC000-memory.dmp

Filesize
9.4MB

Download
memory/1020-2-0x0000000006250000-0x00000000062EC000-memory.dmp

Filesize
624KB

Download
memory/1020-3-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/1020-4-0x00000000073F0000-0x0000000007536000-memory.dmp

Filesize
1.3MB

Download
memory/1020-5-0x000000000B9A0000-0x000000000BF46000-memory.dmp

Filesize
5.6MB

Download
memory/1020-8-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4588-6-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4588-7-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/4588-9-0x0000000006780000-0x0000000006812000-memory.dmp

Filesize
584KB

Download