dcrat | 8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7EF00ACFC8DF431C545E07F3D4862E2A.exe
Size

3.4MB
MD5

7ef00acfc8df431c545e07f3d4862e2a
SHA1

c9623ec807abb692cae9b4f41bc964ada568f4a5
SHA256

8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc
SHA512

878964774c9436646a410e10a37b95ea6ae23aaa42d172bb85c78b3082d7424b7c266ebce1a12466665aea54546d0956d3b2d0d7261143fb71f86a3f8c756ba8
SSDEEP

98304:Gp5lanw2dJ20UXYpNUihy2F8ij2cFlwVF3XlMX:GpGnw2dA0UUUiYiR+FFk

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001926c-77.dat	family_dcrat_v2
behavioral1/memory/1380-80-0x0000000000220000-0x0000000000442000-memory.dmp	family_dcrat_v2
behavioral1/memory/1924-114-0x00000000008A0000-0x0000000000AC2000-memory.dmp	family_dcrat_v2

Executes dropped EXE 10 IoCs

pid	Process
2684	7z.exe
2692	7z.exe
2824	7z.exe
2848	7z.exe
2704	7z.exe
2552	7z.exe
2984	7z.exe
3000	7z.exe
1380	Installer.exe
1924	winlogon.exe

Loads dropped DLL 16 IoCs

pid	Process
2072	cmd.exe
2684	7z.exe
2072	cmd.exe
2692	7z.exe
2072	cmd.exe
2824	7z.exe
2072	cmd.exe
2848	7z.exe
2072	cmd.exe
2704	7z.exe
2072	cmd.exe
2552	7z.exe
2072	cmd.exe
2984	7z.exe
2072	cmd.exe
3000	7z.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe	Installer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe	Installer.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\cc11b995f2a76d	Installer.exe
File created	C:\Program Files\DVD Maker\de-DE\System.exe	Installer.exe
File created	C:\Program Files\DVD Maker\de-DE\27d1bcfc3c54e0	Installer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\WMIADAP.exe	Installer.exe
File created	C:\Windows\security\templates\75a57c1bdf437c	Installer.exe
File created	C:\Windows\Vss\Writers\Application\services.exe	Installer.exe
File created	C:\Windows\Vss\Writers\Application\c5b4cb5e9653cc	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7EF00ACFC8DF431C545E07F3D4862E2A.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1816	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1816	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1380	Installer.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe
1924	winlogon.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	7z.exe
Token: 35	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeRestorePrivilege	2692	7z.exe
Token: 35	2692	7z.exe
Token: SeSecurityPrivilege	2692	7z.exe
Token: SeSecurityPrivilege	2692	7z.exe
Token: SeRestorePrivilege	2824	7z.exe
Token: 35	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeRestorePrivilege	2848	7z.exe
Token: 35	2848	7z.exe
Token: SeSecurityPrivilege	2848	7z.exe
Token: SeSecurityPrivilege	2848	7z.exe
Token: SeRestorePrivilege	2704	7z.exe
Token: 35	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeRestorePrivilege	2552	7z.exe
Token: 35	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeRestorePrivilege	2984	7z.exe
Token: 35	2984	7z.exe
Token: SeSecurityPrivilege	2984	7z.exe
Token: SeSecurityPrivilege	2984	7z.exe
Token: SeRestorePrivilege	3000	7z.exe
Token: 35	3000	7z.exe
Token: SeSecurityPrivilege	3000	7z.exe
Token: SeSecurityPrivilege	3000	7z.exe
Token: SeDebugPrivilege	1380	Installer.exe
Token: SeDebugPrivilege	1924	winlogon.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2072	3060	7EF00ACFC8DF431C545E07F3D4862E2A.exe	31
PID 3060 wrote to memory of 2072	3060	7EF00ACFC8DF431C545E07F3D4862E2A.exe	31
PID 3060 wrote to memory of 2072	3060	7EF00ACFC8DF431C545E07F3D4862E2A.exe	31
PID 3060 wrote to memory of 2072	3060	7EF00ACFC8DF431C545E07F3D4862E2A.exe	31
PID 2072 wrote to memory of 2084	2072	cmd.exe	33
PID 2072 wrote to memory of 2084	2072	cmd.exe	33
PID 2072 wrote to memory of 2084	2072	cmd.exe	33
PID 2072 wrote to memory of 2684	2072	cmd.exe	34
PID 2072 wrote to memory of 2684	2072	cmd.exe	34
PID 2072 wrote to memory of 2684	2072	cmd.exe	34
PID 2072 wrote to memory of 2692	2072	cmd.exe	35
PID 2072 wrote to memory of 2692	2072	cmd.exe	35
PID 2072 wrote to memory of 2692	2072	cmd.exe	35
PID 2072 wrote to memory of 2824	2072	cmd.exe	36
PID 2072 wrote to memory of 2824	2072	cmd.exe	36
PID 2072 wrote to memory of 2824	2072	cmd.exe	36
PID 2072 wrote to memory of 2848	2072	cmd.exe	37
PID 2072 wrote to memory of 2848	2072	cmd.exe	37
PID 2072 wrote to memory of 2848	2072	cmd.exe	37
PID 2072 wrote to memory of 2704	2072	cmd.exe	38
PID 2072 wrote to memory of 2704	2072	cmd.exe	38
PID 2072 wrote to memory of 2704	2072	cmd.exe	38
PID 2072 wrote to memory of 2552	2072	cmd.exe	39
PID 2072 wrote to memory of 2552	2072	cmd.exe	39
PID 2072 wrote to memory of 2552	2072	cmd.exe	39
PID 2072 wrote to memory of 2984	2072	cmd.exe	40
PID 2072 wrote to memory of 2984	2072	cmd.exe	40
PID 2072 wrote to memory of 2984	2072	cmd.exe	40
PID 2072 wrote to memory of 3000	2072	cmd.exe	41
PID 2072 wrote to memory of 3000	2072	cmd.exe	41
PID 2072 wrote to memory of 3000	2072	cmd.exe	41
PID 2072 wrote to memory of 2288	2072	cmd.exe	42
PID 2072 wrote to memory of 2288	2072	cmd.exe	42
PID 2072 wrote to memory of 2288	2072	cmd.exe	42
PID 2072 wrote to memory of 1380	2072	cmd.exe	43
PID 2072 wrote to memory of 1380	2072	cmd.exe	43
PID 2072 wrote to memory of 1380	2072	cmd.exe	43
PID 1380 wrote to memory of 2360	1380	Installer.exe	44
PID 1380 wrote to memory of 2360	1380	Installer.exe	44
PID 1380 wrote to memory of 2360	1380	Installer.exe	44
PID 2360 wrote to memory of 1272	2360	cmd.exe	46
PID 2360 wrote to memory of 1272	2360	cmd.exe	46
PID 2360 wrote to memory of 1272	2360	cmd.exe	46
PID 2360 wrote to memory of 1816	2360	cmd.exe	47
PID 2360 wrote to memory of 1816	2360	cmd.exe	47
PID 2360 wrote to memory of 1816	2360	cmd.exe	47
PID 2360 wrote to memory of 1924	2360	cmd.exe	48
PID 2360 wrote to memory of 1924	2360	cmd.exe	48
PID 2360 wrote to memory of 1924	2360	cmd.exe	48

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7EF00ACFC8DF431C545E07F3D4862E2A.exe
"C:\Users\Admin\AppData\Local\Temp\7EF00ACFC8DF431C545E07F3D4862E2A.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2084
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p4658306642333125776751625289 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xvs9zGFFi6.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1272
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
    - - C:\Users\Default\SendTo\winlogon.exe
        
        "C:\Users\Default\SendTo\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
a497aa5dab56231fe698956b60508693

SHA1
3889f5a43a4069bd012e542e019bc7e4c03074df

SHA256
4eb57fc22fa4b6d1ab6e3a6aa5a72d3ddfca049cb5d5077c18c9e57d60f3df6c

SHA512
9a3ea2e5b4fc3049e718a6b98876db4fa3ffeb075385a733415f449eabda2c40b289cb1fa1bd630d269af6a82b88997f37ccbf8e6c17198ed298571027a4cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
2.1MB

MD5
b4036128c7ff4c734044f5e9e7ba53b5

SHA1
40968864998e8488f883138c9fd228e2d2bb33b1

SHA256
00a3e3ff92bd1b3940b91e4f5cda30d2afa2e93c90220b91d56037ea7ec75940

SHA512
c5fde840ffc57786223cf49874033b84caa60e4ae6b92bcd7497ceef62e717917d3e55f8372ec2df0d5fe6262dbbb6e3b63a459e97b6032b1ac7b1dba9092acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
943KB

MD5
6fba6fdd825cd10f8a9014b87c8fe4ab

SHA1
330433fcdc4149fb4368286830b41064901a65c3

SHA256
155c1c2d7435cdeba2f618d83a635fb4aa5a71a18ed500e32b589e5906971802

SHA512
1e1fe06e99f13e1995aa042a8467e504bc294436feb7d40519b6a374d534c75b1dc313f6ff83d61ceac821ae3e8af3f6b2e376a9a9f14ed8dcd7b10185cbf97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
943KB

MD5
acbcfacf26e4bbe3a6e6a3ef8aacfd1b

SHA1
3b18efc7446c88cf80a6d122e0236038eff81ecb

SHA256
165c5371ef9924bdfea8b3a1f54f6ae0f8b72d85898ff76f4a8d77d57907a878

SHA512
7de4a4aa602a361a21e6c5a8cbe786ca6fae643a0cf5ca7a1e54be06c145e68bda81c8d0e2961f3673c1a87ddb1bb8e245e8ea0a2c82edd21eacc9f9080a2a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
943KB

MD5
c8dccfc008a1e7cdbc20758a41ec042c

SHA1
f1ab82c8c4fdfdd86d7e59990a67b83eab0fb3f3

SHA256
a6ccce53e150338685f92bec51168933276fdaecb11f701ef2e8da4257275f82

SHA512
ca0183b650c27aedfc17f1ea4d96d4f03ce3d99ca62f52586ab1d8e18b45a66ba72540fac8fa3dffa05fefe984d1840d785e802bfe52e5f84a458b34c4492d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
944KB

MD5
cf31e10d32847fb6513ab6ca8c92664b

SHA1
cb2342b36a8d7bf479834e1fdc765c3548aa4342

SHA256
3ce2ed9b784c0f53ea48f3719fa06668aed3077ce1a37bcafd36773eddc2feea

SHA512
7aed841f6c23166f4738817630d6aa430e2533ff7cb50146520df8bd075115aafa44fa9fa813bf1e49414534ddbd59d81154f682372cc7cd968d3458527be280

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
944KB

MD5
40d34a2a420216efe29a46b4fcbaf150

SHA1
1a76914f91ecac48572bff39d52224755a6756c3

SHA256
a69516782c40c05dde2a64c9da3dbcf3c7abffb37408be8bff27bdb66d5baef5

SHA512
474a64711402dfcb5199f4fdc88cae4f296f7c7d843752ab2357a519edefa7a9da5a39379d72f2fc595474d0fbad39a7ccc7ebbdc77e372536225380c3120a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
944KB

MD5
c3894a9664a7d4ccc62ffca6f9109906

SHA1
031fa3e3ae6d43cd1e0b6fa8391d5b30ec967bea

SHA256
b711f0a16a61d789d4624f78fd20849b1d1e83f4037d4242a493ab485229a03e

SHA512
91aba6158052176b049ccfe3afb19f770f4a71a558e5fb3012af517a8d290b92663bcd207dd39fb196386da4c532f3c9b6fe285c73f644638ed847c82357f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
2.5MB

MD5
31d6dd52fc392847b5bdf13199f8c74b

SHA1
b411cffbca67cca0cb1ff8d0edd36b0afc0fe6e3

SHA256
68d36fcb6d5cdc955a9bea92de0019e87b5dce5b26e6534b110c3648ae53b4a1

SHA512
cdb3886b6e1d8bf75ac0e215719542053435d809d76703fe669f6d2e6982fa5588d508bc3885fac9c23bf0917a2e1556fecfd61e6ade5cb3b0b6d45bdc9d133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.5MB

MD5
d8d494a5e14177ece568b03e5fa2951b

SHA1
80569f8b248efe1a7f4d8cddc636baa03fa01224

SHA256
4caebcd0acccc1e631adbd0648a1c63e4baedb1c1e068f77513833e5651a530e

SHA512
d31e18053e2e2ed03d397a2232a2a22967b9c1147cea068cdc81132173ec084bc43140df51a558f512d6d063e1a35c29af131da97b988a7f4a5569968269e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
051802bd0f6ae25a7307ebe5ce07484b

SHA1
56a79893d916411ad24bf56a5efae06053b069e2

SHA256
7b436db4aa8b38625f783e2dc8a750e071585ab4e52a86ab61cabbbbe0869cbe

SHA512
5f0ec679ec4d4c920f4fcb00f993c372aef7e1236ebdef1ceef8e19de7b6bcd6138eb3f98563327d3216cc69ae1bd53b9a15190543890b7d480c25ceb2cee3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvs9zGFFi6.bat

Filesize
164B

MD5
f19c990b5d386cfeb625692dc685764b

SHA1
27214d19aabaea39ccf4607733cba3174fdce497

SHA256
ac073807332169f78afd67131f222547e74470e5f04c79367afbbad6a1a9bca2

SHA512
c6883c8feec9716a1ca481d19bc98ab50b8677b96c03e1545a47e96c927b99761545669c90b1d1aabc2657de84bcd59f099e311570b8c210e36853337bd41941

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1380-83-0x00000000006C0000-0x00000000006DC000-memory.dmp

Filesize
112KB

Download
memory/1380-90-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/1380-81-0x0000000000600000-0x0000000000626000-memory.dmp

Filesize
152KB

Download
memory/1380-84-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/1380-85-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/1380-86-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/1380-87-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/1380-88-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/1380-89-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/1380-82-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/1380-91-0x0000000002230000-0x000000000228A000-memory.dmp

Filesize
360KB

Download
memory/1380-92-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/1380-93-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1380-94-0x0000000002320000-0x0000000002338000-memory.dmp

Filesize
96KB

Download
memory/1380-95-0x0000000002340000-0x000000000238E000-memory.dmp

Filesize
312KB

Download
memory/1380-80-0x0000000000220000-0x0000000000442000-memory.dmp

Filesize
2.1MB

Download
memory/1924-114-0x00000000008A0000-0x0000000000AC2000-memory.dmp

Filesize
2.1MB

Download
memory/1924-115-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download