dcrat | 080aa2ae09ce367b0e01fad94ad61eabdba7b250714632fdfae1332ee593bab5

Analysis

max time kernel
99s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
Size

1.1MB
MD5

0b144d6271a0926544defae2630be10f
SHA1

62ba6e83d84f11dffc48ea7742b15f3941426493
SHA256

080aa2ae09ce367b0e01fad94ad61eabdba7b250714632fdfae1332ee593bab5
SHA512

8dbc6f532e4e81957acb1b6165bde7b9d468ca5b540b4ae7524f959264181c41631301606f82c3bae2352d48b2a11a8fd76d22d4c6e580f432d8d33c9e9aab36
SSDEEP

24576:TE9h8YY4mB7WnMSTdTvX+5pdKj30HZQHEG:TeGYDmBcBpvEpdKj3W/

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3620	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3620	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0009000000023bac-15.dat	dcrat
behavioral2/memory/3800-33-0x0000000000FC0000-0x0000000001056000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	savesbrokerDriverSavesbroker.exe

Executes dropped EXE 3 IoCs

pid	Process
3800	savesbrokerDriverSavesbroker.exe
1176	FPS Booster 2.0.7.exe
1384	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1176	FPS Booster 2.0.7.exe
1176	FPS Booster 2.0.7.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_0b144d6271a0926544defae2630be10f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wct6215\\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Pictures\\Saved Pictures\\System.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\pdh\\lsass.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\savesbrokerDriverSavesbroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\savesbrokerDriverSavesbroker.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Documents and Settings\\upfc.exe\""	savesbrokerDriverSavesbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\services.exe\""	savesbrokerDriverSavesbroker.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\pdh\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	savesbrokerDriverSavesbroker.exe
File created	C:\Windows\System32\pdh\lsass.exe	savesbrokerDriverSavesbroker.exe
File opened for modification	C:\Windows\System32\pdh\lsass.exe	savesbrokerDriverSavesbroker.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\savesbrokerDriverSavesbroker.exe	savesbrokerDriverSavesbroker.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\2476693e60613dcc387cd5a4c6859b2eb59a007f	savesbrokerDriverSavesbroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe	savesbrokerDriverSavesbroker.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\22eafd247d37c30fed3795ee41d259ec72bb351c	savesbrokerDriverSavesbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	4808	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FPS Booster 2.0.7.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	savesbrokerDriverSavesbroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4592	schtasks.exe
2844	schtasks.exe
3948	schtasks.exe
2812	schtasks.exe
1288	schtasks.exe
3508	schtasks.exe
2512	schtasks.exe
3456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3800	savesbrokerDriverSavesbroker.exe
3800	savesbrokerDriverSavesbroker.exe
3800	savesbrokerDriverSavesbroker.exe
3800	savesbrokerDriverSavesbroker.exe
3800	savesbrokerDriverSavesbroker.exe
1384	lsass.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
Token: SeDebugPrivilege	3800	savesbrokerDriverSavesbroker.exe
Token: SeDebugPrivilege	1384	lsass.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 5116	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	83
PID 4808 wrote to memory of 5116	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	83
PID 4808 wrote to memory of 5116	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	83
PID 4808 wrote to memory of 4044	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	84
PID 4808 wrote to memory of 4044	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	84
PID 4808 wrote to memory of 4044	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	84
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4808 wrote to memory of 4480	4808	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	85
PID 4480 wrote to memory of 3800	4480	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	88
PID 4480 wrote to memory of 3800	4480	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	88
PID 4480 wrote to memory of 1176	4480	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	89
PID 4480 wrote to memory of 1176	4480	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	89
PID 4480 wrote to memory of 1176	4480	JaffaCakes118_0b144d6271a0926544defae2630be10f.exe	89
PID 3800 wrote to memory of 2780	3800	savesbrokerDriverSavesbroker.exe	100
PID 3800 wrote to memory of 2780	3800	savesbrokerDriverSavesbroker.exe	100
PID 2780 wrote to memory of 1732	2780	cmd.exe	102
PID 2780 wrote to memory of 1732	2780	cmd.exe	102
PID 2780 wrote to memory of 1060	2780	cmd.exe	103
PID 2780 wrote to memory of 1060	2780	cmd.exe	103
PID 2780 wrote to memory of 1384	2780	cmd.exe	105
PID 2780 wrote to memory of 1384	2780	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe"
  2⤵
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe"
  2⤵
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
    "C:\Users\Admin\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C1rEV5Qez5.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1732
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1060
    - - C:\Windows\System32\pdh\lsass.exe
        
        "C:\Windows\System32\pdh\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
- - C:\Users\Admin\AppData\Local\Temp\FPS Booster 2.0.7.exe
    "C:\Users\Admin\AppData\Local\Temp\FPS Booster 2.0.7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 968
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
1⤵
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\pdh\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesbrokerDriverSavesbroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\savesbrokerDriverSavesbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JaffaCakes118_0b144d6271a0926544defae2630be10f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\wct6215\JaffaCakes118_0b144d6271a0926544defae2630be10f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C1rEV5Qez5.bat

Filesize
209B

MD5
22988533b79b950241fee8df63f8666f

SHA1
f968e7937efdfd6094917da31dc3544fa2dd3310

SHA256
88ba009d3cfe4f65118f7f0a285b0af497234a1859b879bc3f18c8e92d9f8749

SHA512
40bd4aa1c64eb183429cf73d38e6ef9c173956d3451067ab3ffb00053a4ab958ea19896179b99f4e82ad8e00be28f724c8c1a6a4e972268864627f0bc1f24843

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPS Booster 2.0.7.exe

Filesize
429KB

MD5
74be806e27a351565f2ec136dcb5232c

SHA1
0ec9fc48c5c290014958c05940bc340eed942e15

SHA256
33b5e6ff81c482b3b62f8ed847fd25e39724dc6eb6c2a3881b1004dc75c170b6

SHA512
0ece93924e569718eb7dca19474f2cde1199bac8ead206a01a65dcf33e7718fcc7c668d6d891dd164f011ae9fb53272003bbc5db54ebe6de62c3b01d4986dd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA1DE.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA1DE.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe

Filesize
572KB

MD5
222edc84e2d32948f2639554b23e7b04

SHA1
22cedf83a69b08259db3c2f3618df067dd7c7522

SHA256
55ab1b21734f31815058fa1e2841e8b62e6e4f04e635a4b51ebea3fde646e920

SHA512
95dd51cf8be6461955b867b853d58eab7bf6ac363e9f99f5c8c8f13046daa373ed845db3531e9f765515e43f8955955ec4ea83f19807a2b3c04f2c1f6a0c6855

Download Submit
memory/1384-76-0x000000001ADD0000-0x000000001ADDA000-memory.dmp

Filesize
40KB

Download
memory/1384-75-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

Filesize
48KB

Download
memory/3800-30-0x00007FF8DBA03000-0x00007FF8DBA05000-memory.dmp

Filesize
8KB

Download
memory/3800-33-0x0000000000FC0000-0x0000000001056000-memory.dmp

Filesize
600KB

Download
memory/4480-34-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4480-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4480-8-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4480-10-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4808-9-0x0000000003420000-0x0000000003428000-memory.dmp

Filesize
32KB

Download
memory/4808-4-0x0000000005B90000-0x0000000005C54000-memory.dmp

Filesize
784KB

Download
memory/4808-3-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4808-2-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

Filesize
624KB

Download
memory/4808-49-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4808-1-0x0000000000F60000-0x000000000107A000-memory.dmp

Filesize
1.1MB

Download
memory/4808-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/4808-5-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download