dcrat | 786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216

Analysis

max time kernel
43s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
Size

2.0MB
MD5

d0a2079bcfdad884762f8283dcc3eb50
SHA1

2f7c0d9d5c8a185e2fff72ecec2ffd8ff33ca845
SHA256

786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216
SHA512

0db54130b2b33374e3ad742b3f8eed7cd762a31521b4c39c19e12b2d606deb3a8113c347c54f0a41f90d544a1f01e666d6c64a3fbbeb60a42eb27e466e9382ea
SSDEEP

24576:YIWvTgWtxIEUy/N3VfEj2kiGJrgnhU66dtZyXSt1Q65bNAJO4f6/NJmlEUDAS9gd:YIWTxhVG7ohU665Y0JbNm8mkjYLy

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2920	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2356	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\spoolsv.exe	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
File created	C:\Program Files\Google\Chrome\Application\f3b6ecef712a24	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
1332	schtasks.exe
692	schtasks.exe
2760	schtasks.exe
2952	schtasks.exe
2352	schtasks.exe
3036	schtasks.exe
2404	schtasks.exe
2868	schtasks.exe
3004	schtasks.exe
2752	schtasks.exe
2684	schtasks.exe
1420	schtasks.exe
1092	schtasks.exe
2872	schtasks.exe
1808	schtasks.exe
1864	schtasks.exe
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
Token: SeDebugPrivilege	2356	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1328	2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe	49
PID 2196 wrote to memory of 1328	2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe	49
PID 2196 wrote to memory of 1328	2196	786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe	49
PID 1328 wrote to memory of 2260	1328	cmd.exe	51
PID 1328 wrote to memory of 2260	1328	cmd.exe	51
PID 1328 wrote to memory of 2260	1328	cmd.exe	51
PID 1328 wrote to memory of 2200	1328	cmd.exe	52
PID 1328 wrote to memory of 2200	1328	cmd.exe	52
PID 1328 wrote to memory of 2200	1328	cmd.exe	52
PID 1328 wrote to memory of 2356	1328	cmd.exe	54
PID 1328 wrote to memory of 2356	1328	cmd.exe	54
PID 1328 wrote to memory of 2356	1328	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe
"C:\Users\Admin\AppData\Local\Temp\786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpIemu4Vl1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2260
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2200
- - C:\Program Files\Google\Chrome\Application\spoolsv.exe
    "C:\Program Files\Google\Chrome\Application\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N7" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N7" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\services.exe

Filesize
2.0MB

MD5
d0a2079bcfdad884762f8283dcc3eb50

SHA1
2f7c0d9d5c8a185e2fff72ecec2ffd8ff33ca845

SHA256
786ef385538288e14f110e576ccdbd9ca40b6305d7fb80760c99f8e1a0750216

SHA512
0db54130b2b33374e3ad742b3f8eed7cd762a31521b4c39c19e12b2d606deb3a8113c347c54f0a41f90d544a1f01e666d6c64a3fbbeb60a42eb27e466e9382ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpIemu4Vl1.bat

Filesize
230B

MD5
93c77db8c0fdbf34612e59dcfebcc6c5

SHA1
73ba29c9fbfe66ce41ed7d56c9f969a78afde0b0

SHA256
5eb75e0eeb5c638cf3002c3288da482c0a81f1738bb1dd4f59ed361042b46cff

SHA512
3bf8aaf0a484fc33134b632188e5af936469722f4381135d4f20fdd1adaa98108787c846c6eb9c874737f466d76e1da2e7ceecfe4020afa04a98b0739904da65

Download Submit
memory/2196-15-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2196-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2196-4-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-6-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2196-7-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-9-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2196-11-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2196-13-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2196-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2196-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-20-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-19-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2196-22-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2196-23-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-35-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-36-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-41-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-1-0x0000000000ED0000-0x00000000010CE000-memory.dmp

Filesize
2.0MB

Download
memory/2356-45-0x0000000000FC0000-0x00000000011BE000-memory.dmp

Filesize
2.0MB

Download