dcrat | e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Size

1.4MB
MD5

0745161ebca7b94e13caca7a0f89b7fb
SHA1

9dfb820c738616a08042081cda0c4dcbdbb4a970
SHA256

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc
SHA512

d7bfe29f1e5a73c1dc8e31d148dd4e62265f5d7a3897061cba9d63bfa6541cab77aabfb17f89c090092f980f132a55f7eab5e6da99a2eece21afde3db02a67be
SSDEEP

24576:z2G/nvxW3WwL+zdHJ2zljtfM8zCxqY3+SiSals+S5WhqN7+4H:zbA3f+hp4Zle+SIqNqo

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2728	schtasks.exe
		572	schtasks.exe
		1988	schtasks.exe
		1020	schtasks.exe
		1168	schtasks.exe
		1628	schtasks.exe
		1784	schtasks.exe
		2724	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe

Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3004	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015df1-9.dat	dcrat
behavioral1/memory/2704-13-0x0000000000D10000-0x0000000000E2E000-memory.dmp	dcrat
behavioral1/memory/2020-28-0x0000000000FF0000-0x000000000110E000-memory.dmp	dcrat
behavioral1/memory/3064-44-0x00000000003C0000-0x00000000004DE000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2704	ReviewsessionbrokerdllBrokerhostNet.exe
2020	ReviewsessionbrokerdllBrokerhostNet.exe
3064	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	cmd.exe
2404	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\services.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\xpsservices\\taskhost.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\softkbd\\spoolsv.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\avicap32\\spoolsv.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsShell\\explorer.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\Idle.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\joy\\wininit.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\xpsservices\b75386f1303e64d8139363b71e44ac16341adf4e	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\softkbd\spoolsv.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\softkbd\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\avicap32\spoolsv.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\avicap32\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\joy\wininit.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\joy\560854153607923c4c5f107085a7db67be01f252	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\xpsservices\taskhost.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File opened for modification	C:\Windows\System32\xpsservices\taskhost.exe	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\Idle.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files\Java\jdk1.7.0_80\6ccacd8608530fba3a93e87ae2225c7032aa18c1	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\services.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\WindowsShell\explorer.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File opened for modification	C:\Windows\WindowsShell\explorer.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\WindowsShell\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	ReviewsessionbrokerdllBrokerhostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1628	schtasks.exe
1784	schtasks.exe
572	schtasks.exe
2724	schtasks.exe
1988	schtasks.exe
1020	schtasks.exe
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	ReviewsessionbrokerdllBrokerhostNet.exe
2020	ReviewsessionbrokerdllBrokerhostNet.exe
3064	taskhost.exe
3064	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	ReviewsessionbrokerdllBrokerhostNet.exe
Token: SeDebugPrivilege	2020	ReviewsessionbrokerdllBrokerhostNet.exe
Token: SeDebugPrivilege	3064	taskhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2936	2648	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2648 wrote to memory of 2936	2648	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2648 wrote to memory of 2936	2648	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2648 wrote to memory of 2936	2648	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2936 wrote to memory of 2404	2936	WScript.exe	31
PID 2936 wrote to memory of 2404	2936	WScript.exe	31
PID 2936 wrote to memory of 2404	2936	WScript.exe	31
PID 2936 wrote to memory of 2404	2936	WScript.exe	31
PID 2404 wrote to memory of 2704	2404	cmd.exe	33
PID 2404 wrote to memory of 2704	2404	cmd.exe	33
PID 2404 wrote to memory of 2704	2404	cmd.exe	33
PID 2404 wrote to memory of 2704	2404	cmd.exe	33
PID 2704 wrote to memory of 2144	2704	ReviewsessionbrokerdllBrokerhostNet.exe	39
PID 2704 wrote to memory of 2144	2704	ReviewsessionbrokerdllBrokerhostNet.exe	39
PID 2704 wrote to memory of 2144	2704	ReviewsessionbrokerdllBrokerhostNet.exe	39
PID 2144 wrote to memory of 2092	2144	cmd.exe	41
PID 2144 wrote to memory of 2092	2144	cmd.exe	41
PID 2144 wrote to memory of 2092	2144	cmd.exe	41
PID 2144 wrote to memory of 2020	2144	cmd.exe	42
PID 2144 wrote to memory of 2020	2144	cmd.exe	42
PID 2144 wrote to memory of 2020	2144	cmd.exe	42
PID 2020 wrote to memory of 1884	2020	ReviewsessionbrokerdllBrokerhostNet.exe	47
PID 2020 wrote to memory of 1884	2020	ReviewsessionbrokerdllBrokerhostNet.exe	47
PID 2020 wrote to memory of 1884	2020	ReviewsessionbrokerdllBrokerhostNet.exe	47
PID 1884 wrote to memory of 2284	1884	cmd.exe	49
PID 1884 wrote to memory of 2284	1884	cmd.exe	49
PID 1884 wrote to memory of 2284	1884	cmd.exe	49
PID 1884 wrote to memory of 3064	1884	cmd.exe	50
PID 1884 wrote to memory of 3064	1884	cmd.exe	50
PID 1884 wrote to memory of 3064	1884	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
"C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe
      "C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxRoajrxua.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2092
      - C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe
        
        "C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HYkHlAuNWh.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2284
        
        C:\Windows\System32\xpsservices\taskhost.exe
        
        "C:\Windows\System32\xpsservices\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\joy\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\xpsservices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\softkbd\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\avicap32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat

Filesize
67B

MD5
88c29e093073e22265a1b092448f78ff

SHA1
7562a360c1ec30c93f3897fef165265e9b83c641

SHA256
1c948ec9ca40c8a579471b1a7353c3c06cb4c961993962304fb0f60cfaee7333

SHA512
51447ebfe6eaa496eb449bf8ff5184389a6d89ed36042e8916663587e1e0a2b563e8a977adab3d1e7c6c32d7d74eb0b1c7ee21d68b68202d114d877269a76f1e

Download Submit
C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe

Filesize
214B

MD5
f3e2d57473806af2657d0ecc4d9776cb

SHA1
8d215aef321e642586cbdf25d251b60a42aa41c3

SHA256
e05139fb41a25ef9796b27b604fb54b27394e5f5b33874d4b15445d9de2fbcca

SHA512
0d7b22cc29c82c175309ea5da45ce6f159022cc45e21f950add7ce24b3cde62c74b4eb598300bab1e1244fb8a963be29388baa2f6333033fd0dce6c3fcca04db

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYkHlAuNWh.bat

Filesize
208B

MD5
5aa5f3ee83646b08ec72ed1b19a25814

SHA1
df3fb454675aeb3420bc1cb178f68e2a498f9fb3

SHA256
8116ee605acc6368cac2f5db0cb741cd9d76a5e81f9e27ea6f7eae45746ff690

SHA512
bf707f31f468fb7bf1f2acc26df4d9347cf5f25eaa8a2ed0f6825b1f856b6a73626064f199991197a61c041863e817c13e6fcfcfa301d0824e661d8eefb1e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxRoajrxua.bat

Filesize
229B

MD5
1af317ddfff5184b34d570dc4d6d492e

SHA1
94d01435c49ef296a4318c431b31eb107b93206e

SHA256
36caade3ec15d13010c657880ae5a59c5bbc4a6961cdce8f1f9eecdb68923841

SHA512
87b00be8859aab4c53cf2f38e83e604fdb2835741a911e5696e84c2e58f95b3f2608cdca7434a7a5e438b9cc462d4e4986892c920dd5afed004abfb06e9f87ac

Download Submit
\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe

Filesize
1.1MB

MD5
1612f102a43924196f6c67852264eee8

SHA1
49b0ca8d344345a84622d020b1b8d4057ab02868

SHA256
cd7d786f6ffe4622aad7f8f7bba9de05c09cf37ed9a4c21a398e92808bd13d35

SHA512
f32d5d110ac8c1356a70fe204c9e12663db2df4f35943532d81b277d597b28da92ec8550957479cb1a070564e8518839469a2a2dac4477b60fa1a203e5b371d4

Download Submit
memory/2020-28-0x0000000000FF0000-0x000000000110E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-13-0x0000000000D10000-0x0000000000E2E000-memory.dmp

Filesize
1.1MB

Download
memory/3064-45-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/3064-44-0x00000000003C0000-0x00000000004DE000-memory.dmp

Filesize
1.1MB

Download
memory/3064-46-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/3064-47-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/3064-48-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/3064-49-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/3064-50-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/3064-51-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/3064-52-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/3064-53-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download