dcrat | d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

Analysis

max time kernel
1s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Size

3.2MB
MD5

a665e22aa25b2f62c5524fc10feb2820
SHA1

0f8f6aa96b425633eb11f84aece99ef2f9d67b9e
SHA256

d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b
SHA512

cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381
SSDEEP

49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO:k+WhPIq0iHPEA1W/19LGrBoP9wpO

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3900	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3900	schtasks.exe	85

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4188-1-0x00000000004A0000-0x00000000007D4000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c91-49.dat	dcrat
behavioral2/files/0x0009000000023c92-71.dat	dcrat
behavioral2/files/0x000600000001e5b5-93.dat	dcrat
behavioral2/memory/5052-164-0x00000000007F0000-0x0000000000B24000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3776	powershell.exe
3508	powershell.exe
1800	powershell.exe
1804	powershell.exe
5040	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\e1ef82546f0b02	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe
4252	schtasks.exe
4788	schtasks.exe
3984	schtasks.exe
2660	schtasks.exe
884	schtasks.exe
2116	schtasks.exe
4740	schtasks.exe
4148	schtasks.exe
2948	schtasks.exe
4588	schtasks.exe
4796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4188	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
4188	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
4188	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
"C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat"
  2⤵
  PID:752
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2396
- - C:\Recovery\WindowsRE\wininit.exe
    "C:\Recovery\WindowsRE\wininit.exe"
    3⤵
    PID:5052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\320ceb91-f607-4a3f-b5f3-f19509e79908.vbs"
      4⤵
      PID:2528
    - - C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        5⤵
        
        PID:736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a33039-2cc4-4cd1-a36f-4cf83f21e4e5.vbs"
      4⤵
      PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
3.2MB

MD5
99cb12b0ed7f9deb00d312d9209c7e9e

SHA1
3e21814d6925661de193d15982e326b382e88e84

SHA256
0d61ba32c976e2181135134ee5b687c476ceee0088066f23e0f3518714d7fdb3

SHA512
3b184840bfb78b65fd97e4a81e46715072589cac2ced51bf4f0dc89fb9dba97a019470a7a4bd51a29c959f9f91127f308f77855bc15df1e414dddf447d39f371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\06a33039-2cc4-4cd1-a36f-4cf83f21e4e5.vbs

Filesize
485B

MD5
5a21b8e8b16120e6c36d1855edf7604b

SHA1
0844ed185625f9812ffaf5621ebc7a984390955a

SHA256
4f98353e107e0584ef5c4070e1af7bfb155de4aba42d75fcf0d3e7bfbc069780

SHA512
ba8f05882d6582523e4b408efeecdf803fbc07e35ec7fd44642c48a9a0163b7a933b010285140736a1d6067afdb9082c8ba64fc05dbebe3e6de732083b8127c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat

Filesize
198B

MD5
a6d51e915289ba676a5bf3333dbcbc55

SHA1
3b2aa3a31bb388f70661a944f8af12eb0ba6c90b

SHA256
3f5e39022ed893dc9994c36dc1af511f6523976495d1f86dbab4207653f1e780

SHA512
63634b252f15d45a9871337dd212889e04bfce12030ac3fbf88db12f32032a5be245f8e67dcd174b830efabebcce94cae0fe6d49ec9c5dccb593912caad519c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\320ceb91-f607-4a3f-b5f3-f19509e79908.vbs

Filesize
709B

MD5
846c588be38dfea3b8a1a2c6d4a1038d

SHA1
37993fd9bdcadb2d943c78db2d673f3145785cad

SHA256
13b8d3efd71c3c53c0e57afd6b8575c6b230a48ceb2c51d2cb67570a3f0fa30e

SHA512
196046a9f549eb3ce24e451d7a2074cc2ba6192d8cdcee18ad37e5e4246bf6346df2d802321ca9fdbf61f609bb7c6a4c076fad1010397eff384440272fdc808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXBDA4.tmp

Filesize
3.2MB

MD5
a665e22aa25b2f62c5524fc10feb2820

SHA1
0f8f6aa96b425633eb11f84aece99ef2f9d67b9e

SHA256
d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

SHA512
cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qadcmcst.xa3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\services.exe

Filesize
3.2MB

MD5
aeab6f314258403127f1b09c45194187

SHA1
8fc459ffd3c7e77618c9d74fa27d6d4a555c9c13

SHA256
bc0eb1acfb548a0a72c08ac8b4122921db6f87c80dc84661320e500f7a1424f6

SHA512
98e7d616ca8c3c6594696d1cadfdf8bd1979b77e2d550ed517f1685e2a750c080ce191c92f918074a4f6dcc3e65235799f45fd73bd6e3bbef31a5c5089430b22

Download Submit
memory/4188-7-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/4188-39-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-1-0x00000000004A0000-0x00000000007D4000-memory.dmp

Filesize
3.2MB

Download
memory/4188-18-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/4188-16-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/4188-6-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/4188-4-0x00000000028F0000-0x000000000290C000-memory.dmp

Filesize
112KB

Download
memory/4188-20-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

Filesize
48KB

Download
memory/4188-19-0x000000001C250000-0x000000001C778000-memory.dmp

Filesize
5.2MB

Download
memory/4188-23-0x000000001B5B0000-0x000000001B5BC000-memory.dmp

Filesize
48KB

Download
memory/4188-22-0x000000001B5A0000-0x000000001B5A8000-memory.dmp

Filesize
32KB

Download
memory/4188-24-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/4188-21-0x0000000002AB0000-0x0000000002ABC000-memory.dmp

Filesize
48KB

Download
memory/4188-28-0x000000001B5F0000-0x000000001B5FE000-memory.dmp

Filesize
56KB

Download
memory/4188-25-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/4188-30-0x000000001B720000-0x000000001B72E000-memory.dmp

Filesize
56KB

Download
memory/4188-29-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/4188-34-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-35-0x000000001B7B0000-0x000000001B7BA000-memory.dmp

Filesize
40KB

Download
memory/4188-36-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/4188-33-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/4188-8-0x0000000002930000-0x0000000002946000-memory.dmp

Filesize
88KB

Download
memory/4188-27-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

Filesize
40KB

Download
memory/4188-26-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

Filesize
48KB

Download
memory/4188-32-0x000000001B740000-0x000000001B74C000-memory.dmp

Filesize
48KB

Download
memory/4188-13-0x00000000029F0000-0x0000000002A46000-memory.dmp

Filesize
344KB

Download
memory/4188-31-0x000000001B730000-0x000000001B738000-memory.dmp

Filesize
32KB

Download
memory/4188-15-0x0000000002A50000-0x0000000002A5C000-memory.dmp

Filesize
48KB

Download
memory/4188-14-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/4188-9-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/4188-0-0x00007FFAF29E3000-0x00007FFAF29E5000-memory.dmp

Filesize
8KB

Download
memory/4188-112-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-12-0x00000000029E0000-0x00000000029EA000-memory.dmp

Filesize
40KB

Download
memory/4188-10-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/4188-11-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4188-5-0x0000000002960000-0x00000000029B0000-memory.dmp

Filesize
320KB

Download
memory/4188-2-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-3-0x0000000001130000-0x000000000113E000-memory.dmp

Filesize
56KB

Download
memory/5040-111-0x000002486B070000-0x000002486B092000-memory.dmp

Filesize
136KB

Download
memory/5052-165-0x000000001B7D0000-0x000000001B826000-memory.dmp

Filesize
344KB

Download
memory/5052-164-0x00000000007F0000-0x0000000000B24000-memory.dmp

Filesize
3.2MB

Download