dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
55s
max time network
55s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3044	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3044	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3044	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3044	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3044	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3044	schtasks.exe	31

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/2432-1-0x0000000001320000-0x00000000014C2000-memory.dmp	dcrat
behavioral17/files/0x000c000000012281-27.dat	dcrat
behavioral17/files/0x0005000000019dd7-34.dat	dcrat
behavioral17/files/0x000e000000012281-45.dat	dcrat
behavioral17/memory/2504-71-0x00000000010C0000-0x0000000001262000-memory.dmp	dcrat
behavioral17/memory/1804-94-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral17/memory/2572-106-0x00000000013D0000-0x0000000001572000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
1992	powershell.exe
2224	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2504	lsass.exe
2260	lsass.exe
1804	lsass.exe
2572	lsass.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\lsass.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\7-Zip\Lang\lsass.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE516.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE584.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2824	schtasks.exe
2728	schtasks.exe
2596	schtasks.exe
2788	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
1992	powershell.exe
2224	powershell.exe
3052	powershell.exe
2504	lsass.exe
2260	lsass.exe
1804	lsass.exe
2572	lsass.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2504	lsass.exe
Token: SeDebugPrivilege	2260	lsass.exe
Token: SeDebugPrivilege	1804	lsass.exe
Token: SeDebugPrivilege	2572	lsass.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3052	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 2432 wrote to memory of 3052	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 2432 wrote to memory of 3052	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 2432 wrote to memory of 1992	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 2432 wrote to memory of 1992	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 2432 wrote to memory of 1992	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 2432 wrote to memory of 2224	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	40
PID 2432 wrote to memory of 2224	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	40
PID 2432 wrote to memory of 2224	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	40
PID 2432 wrote to memory of 2504	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	44
PID 2432 wrote to memory of 2504	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	44
PID 2432 wrote to memory of 2504	2432	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	44
PID 2504 wrote to memory of 2868	2504	lsass.exe	45
PID 2504 wrote to memory of 2868	2504	lsass.exe	45
PID 2504 wrote to memory of 2868	2504	lsass.exe	45
PID 2504 wrote to memory of 1132	2504	lsass.exe	46
PID 2504 wrote to memory of 1132	2504	lsass.exe	46
PID 2504 wrote to memory of 1132	2504	lsass.exe	46
PID 2868 wrote to memory of 2260	2868	WScript.exe	47
PID 2868 wrote to memory of 2260	2868	WScript.exe	47
PID 2868 wrote to memory of 2260	2868	WScript.exe	47
PID 2260 wrote to memory of 536	2260	lsass.exe	48
PID 2260 wrote to memory of 536	2260	lsass.exe	48
PID 2260 wrote to memory of 536	2260	lsass.exe	48
PID 2260 wrote to memory of 1404	2260	lsass.exe	49
PID 2260 wrote to memory of 1404	2260	lsass.exe	49
PID 2260 wrote to memory of 1404	2260	lsass.exe	49
PID 536 wrote to memory of 1804	536	WScript.exe	50
PID 536 wrote to memory of 1804	536	WScript.exe	50
PID 536 wrote to memory of 1804	536	WScript.exe	50
PID 1804 wrote to memory of 2820	1804	lsass.exe	51
PID 1804 wrote to memory of 2820	1804	lsass.exe	51
PID 1804 wrote to memory of 2820	1804	lsass.exe	51
PID 1804 wrote to memory of 2192	1804	lsass.exe	52
PID 1804 wrote to memory of 2192	1804	lsass.exe	52
PID 1804 wrote to memory of 2192	1804	lsass.exe	52
PID 2820 wrote to memory of 2572	2820	WScript.exe	53
PID 2820 wrote to memory of 2572	2820	WScript.exe	53
PID 2820 wrote to memory of 2572	2820	WScript.exe	53
PID 2572 wrote to memory of 1632	2572	lsass.exe	54
PID 2572 wrote to memory of 1632	2572	lsass.exe	54
PID 2572 wrote to memory of 1632	2572	lsass.exe	54
PID 2572 wrote to memory of 1336	2572	lsass.exe	55
PID 2572 wrote to memory of 1336	2572	lsass.exe	55
PID 2572 wrote to memory of 1336	2572	lsass.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Program Files\7-Zip\Lang\lsass.exe
  "C:\Program Files\7-Zip\Lang\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2e796c-c2eb-4832-b1b1-872428cf09b2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Program Files\7-Zip\Lang\lsass.exe
      "C:\Program Files\7-Zip\Lang\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be110c8b-d9a6-42a8-bfef-dfef9c440a29.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Program Files\7-Zip\Lang\lsass.exe
        
        "C:\Program Files\7-Zip\Lang\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30ae58b1-9f5a-4ed2-8810-c733fb893cfc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Program Files\7-Zip\Lang\lsass.exe
        
        "C:\Program Files\7-Zip\Lang\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a581e06a-7fbc-42bd-a86c-c7dea6412531.vbs"
        9⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a43a552-5368-43ca-bf6e-d7694cbc5681.vbs"
        9⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\050212b4-e063-41b4-b052-2483c101208b.vbs"
        7⤵
        
        PID:2192
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\827922d7-9cb7-4f9a-a4b9-832d4ac2a243.vbs"
        5⤵
        
        PID:1404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123200c5-2add-42cd-9b68-b9b6f95f5c23.vbs"
    3⤵
    PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\lsass.exe

Filesize
1.6MB

MD5
d5b33d284d868e201c352a7c044653d9

SHA1
a2c720ade23f2d1ab0b6ca9fc2dcb70de41d14e3

SHA256
82e5d408804b74cff01a4d7124dcd497ed99e36398e1efe1c26e5da219f0fc91

SHA512
dbb9b3a0162fc9b836a349f5ee744f12a88eb3794a6066eab1c0fd6751892b9ca45ae5911fa42dbe5375f30b7bf1a7be014506461bd5bcb838b151c00996a199

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

Filesize
1.6MB

MD5
5f9c9d1c3df7dc4fae233197b02fb2f6

SHA1
e2ca40820aa9e3d61b561b371ee1f245f22d1ffd

SHA256
c065ccb6f670b30994e42eafd274b3b7233a5461ea42ccb752aa7ac266abc598

SHA512
769b298c23bcc0cbe9f5e9ec23b09e61eda642de7e2bd1c9c4b8c106cebefa148cde277fa4a94eeb5bc467a89cbc224de7c281267cc00452088030e78316499d

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
C:\Users\Admin\AppData\Local\Temp\123200c5-2add-42cd-9b68-b9b6f95f5c23.vbs

Filesize
489B

MD5
69395288e639f6431b6235ec194489f9

SHA1
7ecc3d1e12d3022a0adaee938cfde495f74f74de

SHA256
32eb47ee357b5129f1e7e63c5cc83d860b827535babe1d205b05788ef2059c66

SHA512
a0814f295b1c8fdc1f0c0c6dd6798ad18e1dbb3c63136d52c6cf31e03efc3679b3df81773d9a7dc6a53adff9cc7f41e954dda7c62044597e07b5bdad949aaaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\30ae58b1-9f5a-4ed2-8810-c733fb893cfc.vbs

Filesize
713B

MD5
db07593ef6df83e2a03869d899efcd40

SHA1
e5dbdd9a600cb046bfcdb90a1ec601cd395aac9a

SHA256
98cb6d7693a3fb9c220ce98283b6faf0e17cd20f8d6d78d4671422afaff3fe0a

SHA512
4d7e888bdde7f465d19ba21259d8b30703b839a6e9fae3f8638748fccff9b0db63715db1f2f91d10037f985a054ab073c8eee25a7557eff6dee70090bd157497

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f2e796c-c2eb-4832-b1b1-872428cf09b2.vbs

Filesize
713B

MD5
3bbfa0746b71d935e6bea7f08225ce33

SHA1
26ed19b0d9e293495f31bccfa016ea06e3420fd1

SHA256
b6420824f4b9962ca7e7f37d19f069f4a75c653a6e2cb9ced8ea7996d20f4793

SHA512
7434b707ffedbc374e29a1cb066badb460d67279d8f557d9bd781a81edc0eb761914f858baec49f309ad77c3b7efda47359be894aaad2f4d7f26b465eb3eb230

Download Submit
C:\Users\Admin\AppData\Local\Temp\a581e06a-7fbc-42bd-a86c-c7dea6412531.vbs

Filesize
713B

MD5
9bdb1c13009095d6141d03d0b1c913ef

SHA1
e200e663089a189ad7e505c9d0eb33ae8506beb0

SHA256
97b6e40726c4f57293e0417b082406fbbd01c7be7ab8c094debdebffdedc79a3

SHA512
7940ee61fa4e208b60cce60fad744d5fb861f32d171e16b28c83a392ef33f7848614699d5d7b4187c1dfa010b934c15109f163e551d3773bbe41b8133500b8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\be110c8b-d9a6-42a8-bfef-dfef9c440a29.vbs

Filesize
713B

MD5
a267966d446cb89aadf2c95caa8f3ad5

SHA1
d065db0a16b51caf653fb1a0a030c5a452adb3e6

SHA256
f7f346bfe14dfc7206449f77b77fa763e598868995e3935d2987be0ec1b0413a

SHA512
a51a5b356a31d20e447af6ea33d7649bfaa0f7b76ed86f01fe0e7566bef9483c21bbb2d5f7b6c86ba4e4bd1df9ebb4b96d6e529b979cb6e4853ae9e5ceb1c988

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28d7acc1318d4402acb4fcf4e1f5bbaf

SHA1
5fe8e7570c9a57c4684dd2a515c118bf5a3ad40d

SHA256
4c4910bc8c882fdc842087e8ca68201955fb9cdc337568f5e848762386be0988

SHA512
2d2a076497705025f319cdb80a26668c6534d5ed75da200a6ded373e285ea184c469060a805d93ff6d19f03b7476c57a76e5cb6f60d725e8195bdb5e4cf73d8e

Download Submit
memory/1804-94-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/1992-60-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1992-58-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2432-16-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2432-8-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2432-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2432-15-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2432-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2432-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2432-11-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2432-10-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2432-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2432-13-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2432-7-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2432-1-0x0000000001320000-0x00000000014C2000-memory.dmp

Filesize
1.6MB

Download
memory/2432-72-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-6-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2432-5-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2432-4-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2432-3-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2432-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-71-0x00000000010C0000-0x0000000001262000-memory.dmp

Filesize
1.6MB

Download
memory/2572-106-0x00000000013D0000-0x0000000001572000-memory.dmp

Filesize
1.6MB

Download