Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 03:31

General

  • Target

    CE2EC4539435DFEAC7E246FE5565C521.exe

  • Size

    2.9MB

  • MD5

    ce2ec4539435dfeac7e246fe5565c521

  • SHA1

    59f3da006005a109914c31b5d5cd94dc4c93309c

  • SHA256

    d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

  • SHA512

    408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba

  • SSDEEP

    49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe
    "C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0mf1e0gc\0mf1e0gc.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF8F.tmp" "c:\Windows\System32\CSCB32719BC980543A78AE64AA8AE9699C.TMP"
        3⤵
          PID:604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2092
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pWdHaxy7nM.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2452
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2636
            • C:\Program Files (x86)\Steam\steamclient.exe
              "C:\Program Files (x86)\Steam\steamclient.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclient" /sc ONLOGON /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:328

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Steam\steamclient.exe

          Filesize

          2.9MB

          MD5

          ce2ec4539435dfeac7e246fe5565c521

          SHA1

          59f3da006005a109914c31b5d5cd94dc4c93309c

          SHA256

          d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

          SHA512

          408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba

        • C:\Users\Admin\AppData\Local\Temp\RESCF8F.tmp

          Filesize

          1KB

          MD5

          3cb814ad812398023b7814a80f9e5b85

          SHA1

          e3bea5f8aa227e44e4508074234c5d8d5365af2d

          SHA256

          3e7e27877a40446725747fd9507736e2123ef6a752b37c0bcf5c8f6f2bf5b7af

          SHA512

          fbbb4a7a5528eaffce8221e62cdfeafd6af9aff7c28ab65a9554326f72a2374c295acde8414088851d60239aee997ffa5bf357a784cc11eee824fbceac8bbd34

        • C:\Users\Admin\AppData\Local\Temp\pWdHaxy7nM.bat

          Filesize

          220B

          MD5

          2d67804436b3951d60ac92e9c488bfcf

          SHA1

          14512e0c9ac1f991c746603f98ece6f02606adfe

          SHA256

          b1e9ca66ce06a8b09e945a284b7c8ab746a8c38fc5098232a0e44e26c985785a

          SHA512

          736764eb69d0f73899f90ef8c2c8e208ffcc7260027da91dcbab4bc2ec9dfadad7bcc600f988aa4cafcc8495c201c519d7e4ab47cbbc812dfc63263673b874a0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          bb79e05bbf02959b21d76babbd1fbaa7

          SHA1

          842d01addfe73805924ccb5407de9df711bcfc96

          SHA256

          fff9c84988d0cd9855ef3c9c50b30fe9efe8292ca1f64239defb3558acb2db7a

          SHA512

          964e28ea97dbf20325e4507bbb7d095ede73bf6fd3b58fcf93ad8ef2a42bca7c8d021706b0c85aa5490bf91b574a1a12c40ea774162346f013ae89f0a1ed19e7

        • \??\c:\Users\Admin\AppData\Local\Temp\0mf1e0gc\0mf1e0gc.0.cs

          Filesize

          376B

          MD5

          915de29bf403fa1efa22af06e29302e1

          SHA1

          10d7a0c835055a87ff92a593144152f5e2e00d75

          SHA256

          aabe8e35811a23c351ca6e8e90e9513a2c3427d0b65b4fe225dea2caec5c1d82

          SHA512

          077648b5d4dc99b51b485f3d7ec57d8ef5cd3efae14e8152d8d3f7f8106a53d680becbaf87be196bb7608d6be94a4513d389fe3f28191943da5ccf9f19027740

        • \??\c:\Users\Admin\AppData\Local\Temp\0mf1e0gc\0mf1e0gc.cmdline

          Filesize

          235B

          MD5

          e7dbbcf384feeddd992173fda97a6ae6

          SHA1

          5a6cfd0428f958b972585afca2ece7b9ae0572c3

          SHA256

          039380f4be08b7583e5ad948e6a7af151bdad3bb2c296ac41d7aeb88e3215a40

          SHA512

          38fc460c6279c8a10eec4a58ac2d4329f8a8dbda048edcf138663634c856f4b6402de385ee985a01b03346a1dd66e32bc5c01d7b234105f499c42396bd1a331b

        • \??\c:\Windows\System32\CSCB32719BC980543A78AE64AA8AE9699C.TMP

          Filesize

          1KB

          MD5

          078586b266e519b5c113064d7a0bf45c

          SHA1

          a9395c0ef35add5c75591ebb94c85c1f33f408bf

          SHA256

          ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

          SHA512

          5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959
