dcrat | 8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe
Size

3.4MB
MD5

7ef00acfc8df431c545e07f3d4862e2a
SHA1

c9623ec807abb692cae9b4f41bc964ada568f4a5
SHA256

8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc
SHA512

878964774c9436646a410e10a37b95ea6ae23aaa42d172bb85c78b3082d7424b7c266ebce1a12466665aea54546d0956d3b2d0d7261143fb71f86a3f8c756ba8
SSDEEP

98304:Gp5lanw2dJ20UXYpNUihy2F8ij2cFlwVF3XlMX:GpGnw2dA0UUUiYiR+FFk

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023cc4-64.dat	family_dcrat_v2
behavioral2/memory/5012-67-0x00000000003F0000-0x0000000000612000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 10 IoCs

pid	Process
4940	7z.exe
8	7z.exe
1280	7z.exe
1172	7z.exe
208	7z.exe
5008	7z.exe
320	7z.exe
3004	7z.exe
5012	Installer.exe
720	explorer.exe

Loads dropped DLL 8 IoCs

pid	Process
4940	7z.exe
8	7z.exe
1280	7z.exe
1172	7z.exe
208	7z.exe
5008	7z.exe
320	7z.exe
3004	7z.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe	Installer.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\6cb0b6c459d5d3	Installer.exe
File created	C:\Program Files\Uninstall Information\sysmon.exe	Installer.exe
File created	C:\Program Files\Uninstall Information\121e5b5079f7c0	Installer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\encapsulation\explorer.exe	Installer.exe
File opened for modification	C:\Windows\appcompat\encapsulation\explorer.exe	Installer.exe
File created	C:\Windows\appcompat\encapsulation\7a0fd90576e088	Installer.exe
File created	C:\Windows\ServiceProfiles\System.exe	Installer.exe
File created	C:\Windows\ServiceProfiles\27d1bcfc3c54e0	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
708	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	Installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
708	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
5012	Installer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe
720	explorer.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	4940	7z.exe
Token: 35	4940	7z.exe
Token: SeSecurityPrivilege	4940	7z.exe
Token: SeSecurityPrivilege	4940	7z.exe
Token: SeRestorePrivilege	8	7z.exe
Token: 35	8	7z.exe
Token: SeSecurityPrivilege	8	7z.exe
Token: SeSecurityPrivilege	8	7z.exe
Token: SeRestorePrivilege	1280	7z.exe
Token: 35	1280	7z.exe
Token: SeSecurityPrivilege	1280	7z.exe
Token: SeSecurityPrivilege	1280	7z.exe
Token: SeRestorePrivilege	1172	7z.exe
Token: 35	1172	7z.exe
Token: SeSecurityPrivilege	1172	7z.exe
Token: SeSecurityPrivilege	1172	7z.exe
Token: SeRestorePrivilege	208	7z.exe
Token: 35	208	7z.exe
Token: SeSecurityPrivilege	208	7z.exe
Token: SeSecurityPrivilege	208	7z.exe
Token: SeRestorePrivilege	5008	7z.exe
Token: 35	5008	7z.exe
Token: SeSecurityPrivilege	5008	7z.exe
Token: SeSecurityPrivilege	5008	7z.exe
Token: SeRestorePrivilege	320	7z.exe
Token: 35	320	7z.exe
Token: SeSecurityPrivilege	320	7z.exe
Token: SeSecurityPrivilege	320	7z.exe
Token: SeRestorePrivilege	3004	7z.exe
Token: 35	3004	7z.exe
Token: SeSecurityPrivilege	3004	7z.exe
Token: SeSecurityPrivilege	3004	7z.exe
Token: SeDebugPrivilege	5012	Installer.exe
Token: SeDebugPrivilege	720	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2700	384	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe	82
PID 384 wrote to memory of 2700	384	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe	82
PID 2700 wrote to memory of 4068	2700	cmd.exe	84
PID 2700 wrote to memory of 4068	2700	cmd.exe	84
PID 2700 wrote to memory of 4940	2700	cmd.exe	85
PID 2700 wrote to memory of 4940	2700	cmd.exe	85
PID 2700 wrote to memory of 8	2700	cmd.exe	86
PID 2700 wrote to memory of 8	2700	cmd.exe	86
PID 2700 wrote to memory of 1280	2700	cmd.exe	87
PID 2700 wrote to memory of 1280	2700	cmd.exe	87
PID 2700 wrote to memory of 1172	2700	cmd.exe	88
PID 2700 wrote to memory of 1172	2700	cmd.exe	88
PID 2700 wrote to memory of 208	2700	cmd.exe	89
PID 2700 wrote to memory of 208	2700	cmd.exe	89
PID 2700 wrote to memory of 5008	2700	cmd.exe	90
PID 2700 wrote to memory of 5008	2700	cmd.exe	90
PID 2700 wrote to memory of 320	2700	cmd.exe	91
PID 2700 wrote to memory of 320	2700	cmd.exe	91
PID 2700 wrote to memory of 3004	2700	cmd.exe	92
PID 2700 wrote to memory of 3004	2700	cmd.exe	92
PID 2700 wrote to memory of 4884	2700	cmd.exe	93
PID 2700 wrote to memory of 4884	2700	cmd.exe	93
PID 2700 wrote to memory of 5012	2700	cmd.exe	94
PID 2700 wrote to memory of 5012	2700	cmd.exe	94
PID 5012 wrote to memory of 4780	5012	Installer.exe	95
PID 5012 wrote to memory of 4780	5012	Installer.exe	95
PID 4780 wrote to memory of 4216	4780	cmd.exe	97
PID 4780 wrote to memory of 4216	4780	cmd.exe	97
PID 4780 wrote to memory of 708	4780	cmd.exe	98
PID 4780 wrote to memory of 708	4780	cmd.exe	98
PID 4780 wrote to memory of 720	4780	cmd.exe	99
PID 4780 wrote to memory of 720	4780	cmd.exe	99

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe
"C:\Users\Admin\AppData\Local\Temp\8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4068
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p4658306642333125776751625289 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\efmwQbCflK.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4216
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:708
    - - C:\Windows\appcompat\encapsulation\explorer.exe
        
        "C:\Windows\appcompat\encapsulation\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efmwQbCflK.bat

Filesize
175B

MD5
3bdbd5d7506fa359ccbc0cfa4b362628

SHA1
7cbf50eedf38bc25b678d4f5769020e5747038f2

SHA256
10c761355130a397407fe6f6afe55adcfeedee19c77e51b7ecfe48d64afefa43

SHA512
9ff6052dc5c84bdbfbe20b3c5f3a6c2d3e2ede1d43a4bdef5e112a4e5516d7aebc4fdd9bc3852ebbe68e9683e4a8a7a96eb0ab2b7541e3944d09d602129d5cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
a497aa5dab56231fe698956b60508693

SHA1
3889f5a43a4069bd012e542e019bc7e4c03074df

SHA256
4eb57fc22fa4b6d1ab6e3a6aa5a72d3ddfca049cb5d5077c18c9e57d60f3df6c

SHA512
9a3ea2e5b4fc3049e718a6b98876db4fa3ffeb075385a733415f449eabda2c40b289cb1fa1bd630d269af6a82b88997f37ccbf8e6c17198ed298571027a4cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
2.1MB

MD5
b4036128c7ff4c734044f5e9e7ba53b5

SHA1
40968864998e8488f883138c9fd228e2d2bb33b1

SHA256
00a3e3ff92bd1b3940b91e4f5cda30d2afa2e93c90220b91d56037ea7ec75940

SHA512
c5fde840ffc57786223cf49874033b84caa60e4ae6b92bcd7497ceef62e717917d3e55f8372ec2df0d5fe6262dbbb6e3b63a459e97b6032b1ac7b1dba9092acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
943KB

MD5
6fba6fdd825cd10f8a9014b87c8fe4ab

SHA1
330433fcdc4149fb4368286830b41064901a65c3

SHA256
155c1c2d7435cdeba2f618d83a635fb4aa5a71a18ed500e32b589e5906971802

SHA512
1e1fe06e99f13e1995aa042a8467e504bc294436feb7d40519b6a374d534c75b1dc313f6ff83d61ceac821ae3e8af3f6b2e376a9a9f14ed8dcd7b10185cbf97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
943KB

MD5
acbcfacf26e4bbe3a6e6a3ef8aacfd1b

SHA1
3b18efc7446c88cf80a6d122e0236038eff81ecb

SHA256
165c5371ef9924bdfea8b3a1f54f6ae0f8b72d85898ff76f4a8d77d57907a878

SHA512
7de4a4aa602a361a21e6c5a8cbe786ca6fae643a0cf5ca7a1e54be06c145e68bda81c8d0e2961f3673c1a87ddb1bb8e245e8ea0a2c82edd21eacc9f9080a2a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
943KB

MD5
c8dccfc008a1e7cdbc20758a41ec042c

SHA1
f1ab82c8c4fdfdd86d7e59990a67b83eab0fb3f3

SHA256
a6ccce53e150338685f92bec51168933276fdaecb11f701ef2e8da4257275f82

SHA512
ca0183b650c27aedfc17f1ea4d96d4f03ce3d99ca62f52586ab1d8e18b45a66ba72540fac8fa3dffa05fefe984d1840d785e802bfe52e5f84a458b34c4492d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
944KB

MD5
cf31e10d32847fb6513ab6ca8c92664b

SHA1
cb2342b36a8d7bf479834e1fdc765c3548aa4342

SHA256
3ce2ed9b784c0f53ea48f3719fa06668aed3077ce1a37bcafd36773eddc2feea

SHA512
7aed841f6c23166f4738817630d6aa430e2533ff7cb50146520df8bd075115aafa44fa9fa813bf1e49414534ddbd59d81154f682372cc7cd968d3458527be280

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
944KB

MD5
40d34a2a420216efe29a46b4fcbaf150

SHA1
1a76914f91ecac48572bff39d52224755a6756c3

SHA256
a69516782c40c05dde2a64c9da3dbcf3c7abffb37408be8bff27bdb66d5baef5

SHA512
474a64711402dfcb5199f4fdc88cae4f296f7c7d843752ab2357a519edefa7a9da5a39379d72f2fc595474d0fbad39a7ccc7ebbdc77e372536225380c3120a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
944KB

MD5
c3894a9664a7d4ccc62ffca6f9109906

SHA1
031fa3e3ae6d43cd1e0b6fa8391d5b30ec967bea

SHA256
b711f0a16a61d789d4624f78fd20849b1d1e83f4037d4242a493ab485229a03e

SHA512
91aba6158052176b049ccfe3afb19f770f4a71a558e5fb3012af517a8d290b92663bcd207dd39fb196386da4c532f3c9b6fe285c73f644638ed847c82357f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
2.5MB

MD5
31d6dd52fc392847b5bdf13199f8c74b

SHA1
b411cffbca67cca0cb1ff8d0edd36b0afc0fe6e3

SHA256
68d36fcb6d5cdc955a9bea92de0019e87b5dce5b26e6534b110c3648ae53b4a1

SHA512
cdb3886b6e1d8bf75ac0e215719542053435d809d76703fe669f6d2e6982fa5588d508bc3885fac9c23bf0917a2e1556fecfd61e6ade5cb3b0b6d45bdc9d133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.5MB

MD5
d8d494a5e14177ece568b03e5fa2951b

SHA1
80569f8b248efe1a7f4d8cddc636baa03fa01224

SHA256
4caebcd0acccc1e631adbd0648a1c63e4baedb1c1e068f77513833e5651a530e

SHA512
d31e18053e2e2ed03d397a2232a2a22967b9c1147cea068cdc81132173ec084bc43140df51a558f512d6d063e1a35c29af131da97b988a7f4a5569968269e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
051802bd0f6ae25a7307ebe5ce07484b

SHA1
56a79893d916411ad24bf56a5efae06053b069e2

SHA256
7b436db4aa8b38625f783e2dc8a750e071585ab4e52a86ab61cabbbbe0869cbe

SHA512
5f0ec679ec4d4c920f4fcb00f993c372aef7e1236ebdef1ceef8e19de7b6bcd6138eb3f98563327d3216cc69ae1bd53b9a15190543890b7d480c25ceb2cee3fe

Download Submit
memory/5012-68-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

Filesize
152KB

Download
memory/5012-77-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/5012-70-0x0000000000DE0000-0x0000000000DFC000-memory.dmp

Filesize
112KB

Download
memory/5012-71-0x0000000002840000-0x0000000002890000-memory.dmp

Filesize
320KB

Download
memory/5012-72-0x0000000000E00000-0x0000000000E18000-memory.dmp

Filesize
96KB

Download
memory/5012-73-0x0000000000E20000-0x0000000000E2E000-memory.dmp

Filesize
56KB

Download
memory/5012-74-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/5012-75-0x0000000000E40000-0x0000000000E56000-memory.dmp

Filesize
88KB

Download
memory/5012-76-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/5012-69-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/5012-78-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/5012-79-0x000000001B280000-0x000000001B2DA000-memory.dmp

Filesize
360KB

Download
memory/5012-80-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/5012-81-0x000000001B2E0000-0x000000001B2EE000-memory.dmp

Filesize
56KB

Download
memory/5012-82-0x000000001B2F0000-0x000000001B308000-memory.dmp

Filesize
96KB

Download
memory/5012-83-0x000000001B450000-0x000000001B49E000-memory.dmp

Filesize
312KB

Download
memory/5012-67-0x00000000003F0000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download