dcrat | 75bdb5811baa0d78e23f7bf2ad17e5ad8abae746aac3c8e4c739d7141e7a5e05

Analysis

max time kernel
127s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

config.exe
Size

1.1MB
MD5

4ccc39f7b4d6505188f19e6a99b0ef53
SHA1

2b8b5f4ae1957dda47f50798a00921a9b9541691
SHA256

75bdb5811baa0d78e23f7bf2ad17e5ad8abae746aac3c8e4c739d7141e7a5e05
SHA512

5c03902fc5d02dfbbea886f1f4d1443abac5b0a8a0f799e2555f3e62838134ee3f89fca7837f6c4ee6e3a7b8f6b4b874673a964b30497cb722ca62d1dcf943a7
SSDEEP

24576:U2G/nvxW3Ww0tgxRE+GY+7I9qe0KRP808I4lxmP7lp:UbA30wE+yI9qeLyw/

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3320	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3320	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b4e-10.dat	dcrat
behavioral2/memory/3768-13-0x0000000000140000-0x0000000000216000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	config.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	componentInto.exe

Executes dropped EXE 2 IoCs

pid	Process
3768	componentInto.exe
4536	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\cmd.exe	componentInto.exe
File created	C:\Program Files\Windows Defender\ebf1f9fa8afd6d	componentInto.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\es-ES\services.exe	componentInto.exe
File created	C:\Windows\SoftwareDistribution\RuntimeBroker.exe	componentInto.exe
File created	C:\Windows\SoftwareDistribution\9e8d7a4ca61bd9	componentInto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	config.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	componentInto.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1184	schtasks.exe
3992	schtasks.exe
4456	schtasks.exe
2900	schtasks.exe
4564	schtasks.exe
1900	schtasks.exe
2368	schtasks.exe
4668	schtasks.exe
1928	schtasks.exe
3644	schtasks.exe
2856	schtasks.exe
1348	schtasks.exe
2296	schtasks.exe
4812	schtasks.exe
3328	schtasks.exe
1580	schtasks.exe
436	schtasks.exe
3988	schtasks.exe
4364	schtasks.exe
1596	schtasks.exe
1116	schtasks.exe
1276	schtasks.exe
2948	schtasks.exe
2988	schtasks.exe
1624	schtasks.exe
856	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
3768	componentInto.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe
4536	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4536	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	componentInto.exe
Token: SeDebugPrivilege	4536	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3868	1924	config.exe	85
PID 1924 wrote to memory of 3868	1924	config.exe	85
PID 1924 wrote to memory of 3868	1924	config.exe	85
PID 3868 wrote to memory of 1180	3868	WScript.exe	92
PID 3868 wrote to memory of 1180	3868	WScript.exe	92
PID 3868 wrote to memory of 1180	3868	WScript.exe	92
PID 1180 wrote to memory of 3768	1180	cmd.exe	94
PID 1180 wrote to memory of 3768	1180	cmd.exe	94
PID 3768 wrote to memory of 1336	3768	componentInto.exe	122
PID 3768 wrote to memory of 1336	3768	componentInto.exe	122
PID 1336 wrote to memory of 2360	1336	cmd.exe	124
PID 1336 wrote to memory of 2360	1336	cmd.exe	124
PID 1336 wrote to memory of 4536	1336	cmd.exe	128
PID 1336 wrote to memory of 4536	1336	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HyperreviewPerf\4e8TrghIZ6.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HyperreviewPerf\NyJ75tn22ob7UuEicUknatF.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\HyperreviewPerf\componentInto.exe
      "C:\HyperreviewPerf\componentInto.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNXcqu3uD1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2360
      - C:\Program Files\Windows Defender\cmd.exe
        
        "C:\Program Files\Windows Defender\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\HyperreviewPerf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\HyperreviewPerf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\HyperreviewPerf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\HyperreviewPerf\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\HyperreviewPerf\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\HyperreviewPerf\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HyperreviewPerf\4e8TrghIZ6.vbe

Filesize
215B

MD5
c39c12e3c87d51dc84d40b74018339ba

SHA1
9bd6171b3a22fefffc1c388848c71d4532601304

SHA256
43ba4f182cda7af480c5331e42369a610ffa93b211621d5cb7f53daca3d03209

SHA512
add9d7ed720df9d440a5d5cad1d31f253d58a435ce6f57d9e7157dd8ffe07b8315c7a670e0c0729e4e802eef9e38e70e9f30565647283631eb4a6340f726658a

Download Submit
C:\HyperreviewPerf\NyJ75tn22ob7UuEicUknatF.bat

Filesize
38B

MD5
256205d3142b0269d77b312f3c7056b1

SHA1
121683c5077db5d98169cae7bd5ac6bd9e8ffe7e

SHA256
538c0935c9ca2b0a088eb6f26775b005f67256aadb7b4f43744b776deb6b6a4d

SHA512
8234ab457c94c7bf40667e57b89f941bc31bef962daf31f97ca8a1de6ea7de8694fff17e170e08296e3b270d527c17ea39ed3255a3e7d0b05218ad2aaa9ff431

Download Submit
C:\HyperreviewPerf\componentInto.exe

Filesize
828KB

MD5
b3da667f34717abe2502139db4e81935

SHA1
7c48e7bbd435081d51ad32a1fe9704901e2b1d58

SHA256
a9c495044580a2faf91d4b73000e3338ef66551ead4f3f6b18820ddc84879aa0

SHA512
741b2eb2731c84f04f0794115d35bbc3bcca91270bca95a794ac21fbe477ea15dcc29e7e83e8abc661c64cc7dad020e197ed04cfe33e8a895484a5060af48e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNXcqu3uD1.bat

Filesize
206B

MD5
2aee1441df9f6e6c6fa356fc11ae89b5

SHA1
3ed58eb1315c654927e15191a1dbdbfa424c2b4a

SHA256
249610aab09c9d71e5b5782394602329662a494646dae432d0ae09ecb4950a44

SHA512
e8f1db27e0fe940071566e7db349ffb4c2c6a365325e61e5693fd2a24990b80178033b50a71e6f369f41ab19cedcf8cc04cde27b28aea29ad03f72c766c55c95

Download Submit
memory/3768-12-0x00007FFDBB293000-0x00007FFDBB295000-memory.dmp

Filesize
8KB

Download
memory/3768-13-0x0000000000140000-0x0000000000216000-memory.dmp

Filesize
856KB

Download