dcrat | 3c8446105b8c784de66d9f19aea1ff4a12afda154f2f35056fa6acfecfa6453e

Analysis

max time kernel
4s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
Size

3.4MB
MD5

638809035dd3fafc1377ffd71f4a5296
SHA1

1a5920fc6fcb463288bc07023ad5840ebbca4b11
SHA256

1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274
SHA512

3ddd44ead391ab72c5fe9476608a1c908f983ff6dacb499b27e21bb638d1da88951335262562ede806100cb83d72283bf6446e02a422e3a06b567e7406dbc896
SSDEEP

98304:uTbZZD8r18Vx4IuzrIXltEDjm/PtLORlm0:W3DY2/IgjEu4Q

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	584	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000e00000001223e-2.dat	dcrat
behavioral1/files/0x000e00000001223e-5.dat	dcrat
behavioral1/files/0x000e00000001223e-9.dat	dcrat
behavioral1/memory/2012-15-0x0000000000400000-0x0000000000744000-memory.dmp	dcrat
behavioral1/files/0x000e00000001223e-8.dat	dcrat
behavioral1/files/0x000e00000001223e-7.dat	dcrat
behavioral1/files/0x0006000000019740-50.dat	dcrat
behavioral1/memory/2636-52-0x0000000001170000-0x00000000012A8000-memory.dmp	dcrat
behavioral1/files/0x0005000000019d55-63.dat	dcrat
behavioral1/files/0x0005000000019fbc-74.dat	dcrat
behavioral1/files/0x0005000000019fbc-73.dat	dcrat
behavioral1/memory/2660-75-0x0000000000CD0000-0x0000000000E08000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2428	Everything-1.4.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2636	containerFontbroker.exe

Loads dropped DLL 11 IoCs

pid	Process
2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
2428	Everything-1.4.exe
2428	Everything-1.4.exe
2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2072	Everything-1.4.1.1024.x86-Setup.exe
2576	cmd.exe
2576	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\spoolsv.exe	containerFontbroker.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	containerFontbroker.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b	containerFontbroker.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\audiodg.exe	containerFontbroker.exe
File opened for modification	C:\Windows\Tasks\audiodg.exe	containerFontbroker.exe
File created	C:\Windows\Tasks\42af1c969fbb7b	containerFontbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2416	schtasks.exe
1636	schtasks.exe
2824	schtasks.exe
1972	schtasks.exe
1948	schtasks.exe
2532	schtasks.exe
2868	schtasks.exe
1100	schtasks.exe
2908	schtasks.exe
2152	schtasks.exe
1632	schtasks.exe
1580	schtasks.exe
840	schtasks.exe
1500	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2636	containerFontbroker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	containerFontbroker.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2428	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	28
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2012 wrote to memory of 2072	2012	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	29
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2428 wrote to memory of 2728	2428	Everything-1.4.exe	30
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2728 wrote to memory of 2576	2728	WScript.exe	32
PID 2576 wrote to memory of 2636	2576	cmd.exe	33
PID 2576 wrote to memory of 2636	2576	cmd.exe	33
PID 2576 wrote to memory of 2636	2576	cmd.exe	33
PID 2576 wrote to memory of 2636	2576	cmd.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
"C:\Users\Admin\AppData\Local\Temp\1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MscontainerFontdhcp\G5AvcxxZA.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\MscontainerFontdhcp\zzCGYue9RCi0hOJ5cjYS.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\MscontainerFontdhcp\containerFontbroker.exe
        
        "C:\MscontainerFontdhcp\containerFontbroker.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        6⤵
        
        PID:2660
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Tasks\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe

Filesize
79KB

MD5
cdaccd358c2c11615b35517bf0c58d5f

SHA1
c3439c3215d615721372990a3bd55390c52a93ef

SHA256
8be292bd907c4582b0c18f7029a3396ef607715e09d325da1478c9869c03f3a7

SHA512
13c156837b393da594e60165d4bfeee3fb3ec278a32b849f7a85aff20bb19b3d52046f3b9c011f2d8740ba88571e0084885cbed62b452d31bd72dca79204e855

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe

Filesize
31KB

MD5
63fc89289c8ea89cfa491464e38f8568

SHA1
234ff98e9a848705eede351128d20225e383d30f

SHA256
c307748e773662ed07d4839314a8bc7d282d0736ee45c09220859037f8a05c69

SHA512
97e11905c13010db4aeec4e65d17d59e6b06ce2627ad623591cfa9a37eb84ce7ab652b8c522d5626aacc30a5075b1f106cf46228d8f31d12380bb49d1e085256

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
1.1MB

MD5
74b2b713dedde5eac714da55dfe4615d

SHA1
18481f714e12c5b779ff59244e92fb03d84d3112

SHA256
76471c6f4944652e11688a9df5d0c5957c1463a11e41159ece15dd50ed69fbe2

SHA512
f181342c6acc97341b15e6397e632c1fe8eed46675d8f1a5a020954dee84491a7420ce27dcc051259612d08da2a35668c0e205dac0a55233a7d4435759fd8f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
726KB

MD5
84741ff5f3f0d74a9a908293654c5468

SHA1
438fe4f850f9e592babac9a2b598a18cff44480e

SHA256
01cbd0ff3d655a2526ed2c793bef8179fb6117f88eb53919f182178689bb1b9a

SHA512
fbc1f5288cb488dcbb244b7feb78a5d93c2fb2fb9dafdf7e6373cba285fe8c9a67d5844572668db23b4b3e2dc6b55d7187b56ac7f3b155496b63827810295538

Download Submit
C:\Users\Admin\Idle.exe

Filesize
40KB

MD5
b0176bf37e6ad9e67d8be6f1ca43bb53

SHA1
b6d32dc15b18e7fc388d29f015869fd74ba96139

SHA256
81bff9023d90dd9a7d163e782d5522be15f79d698b2a7c2455a7e07227210932

SHA512
de259e536f5a908dfb82a2beb2f87b6d8d024672bd10f8ea5cb127a02e8fa63bbff5a7f2b6bf2b8b5e0ea289029e01032164e388c9ea135bf33d2f6e096878b8

Download Submit
\MscontainerFontdhcp\containerFontbroker.exe

Filesize
3KB

MD5
6bcb56a3332a5d64db2a30cb1d7a421e

SHA1
15c262b0b932ca02426ee56cacd8b45d4aab531d

SHA256
b902cb48f2bf17510f5b3c89afd9d596669e01e562472b7c02d799f80f902b82

SHA512
48792170a2c0b8f180d3c7f884762e0c336c87d9f6401a5df814b86960c340a3a77ed495f44b2fb73afaea251f67ce34e1964ddc729742aa8f20eda343ea8c33

Download Submit
\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
1.0MB

MD5
1cad15cba5b678312f7ad9628a651664

SHA1
0c7accbbd0d043686afcf0e7d0ab9afedf9b77de

SHA256
9d79c1b01e8f4efc0753be8b081d06ac6da72f253a24dae051437fed1ad4902c

SHA512
d4deb2206ecebb143cbb4523720d3719cdbb8855d617cb43f5ec8a1b88de5a4b055d2f5f51afc4ad6925cb1ad5e95f66914e34d1b65dceffd8ae6b4734500127

Download Submit
\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
62B

MD5
30888b64a52eac1fdac29f765c59fc6f

SHA1
ed6f68e463e26e0d0663a2a4aaa618ec18511fcb

SHA256
013e85c1b68f1fb6f5118752d67b33b004d0303182ff72d83a7d0b2fba5f5bc9

SHA512
674cace80f8c56fce1519897eee6cc0f161dbdf1106fe059d52dfc3650deedbafdd69cb8ada7bdc7d04729c0e7a6e1f458308e26799b33b7da4ae00ceda1d8e8

Download Submit
\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
294KB

MD5
3c4ffb8560396b0218aaeb2f0f334f0d

SHA1
d16528c3e31b864f855b8ce3486dc7f08965955d

SHA256
14c71a9ee569cb17067bc862142f9a4f6fa45c115b6ef1ba7c78733f8fd694ef

SHA512
01e4ed2a97e6ea9f4f380ae76e9f1dcfef8d2f5d7b1745c13aa68485d4ecab33bdb69047b3a8d0a16ea1ca5f8c6516a33dce4aa2b06e34a2d288e6ff3e46254b

Download Submit
memory/2012-15-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2636-52-0x0000000001170000-0x00000000012A8000-memory.dmp

Filesize
1.2MB

Download
memory/2636-56-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/2636-58-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2636-57-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2636-53-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-55-0x0000000000A90000-0x0000000000AAC000-memory.dmp

Filesize
112KB

Download
memory/2636-54-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/2636-78-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-75-0x0000000000CD0000-0x0000000000E08000-memory.dmp

Filesize
1.2MB

Download
memory/2660-76-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-77-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2660-93-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download