Overview

overview

10

Static

static

3

CE2EC45394...21.exe

windows7-x64

10

CE2EC45394...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CE2EC4539435DFEAC7E246FE5565C521.exe

  • Size

    2.9MB

  • MD5

    ce2ec4539435dfeac7e246fe5565c521

  • SHA1

    59f3da006005a109914c31b5d5cd94dc4c93309c

  • SHA256

    d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

  • SHA512

    408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba

  • SSDEEP

    49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr

Score
10/10
dcratexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe
    "C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h5qqwz1y\h5qqwz1y.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D7.tmp" "c:\Windows\System32\CSC972B77824B804794AD4E9390743AAAC5.TMP"
        3⤵
          PID:3536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3876
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWQ0NXzKDZ.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2680
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:1296
            • C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe
              "C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclient" /sc ONLOGON /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3660

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES40D7.tmp
          Filesize

          1KB

          MD5

          aae26dbb820b8a8de0028fd15172be7f

          SHA1

          98ffa41f0bfe66cf58e1b9b5cb549fffcfd7a507

          SHA256

          0dd11b2855cd9aceaf5aba3bc6a22ca2f817aefcc1f0909abaf2806943f86e2e

          SHA512

          11bf399d5a27f14041dc9dbaf241ab4ce605b1b01f9d7b9d4922021ac394691ae031ee6752b40413883dd96e656291f41cab690986dce525062c86081ba7ab8b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wWQ0NXzKDZ.bat
          Filesize

          246B

          MD5

          b796921ad065c8fc2f99f18e2b64c9ce

          SHA1

          1a547b96a7dc6caa8ca1f40c473ca6bd467d8189

          SHA256

          6e793831268580056f4bd3468c1f40b4230386f3c2ea1d10da1ebfbad81054a4

          SHA512

          b4c24ef8b68c03bd0540addc9aaee285370b591748b78063d474518ac96fb8ccd9f357323035e8c3a653216e21258d65b1a7289bef76a0247ef1ec9cc811c914

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          578d4eaa31390ff1261b5640a1bb46a1

          SHA1

          479a0b7b22db5f1783b907d2b9a2a5bf96f52588

          SHA256

          f5f2be0aa6f44f59f55a0440b34a191be0ed1522d1b7280c0957f309f8ad7165

          SHA512

          f94fe2e6e4c111990fa34968a8219175186f17684760e8b89a9e29aa120b0fddff20fa2ad2f006baff6fe0f30a81e95aa69b66e9445504f76e0d3c7cfa6d32fe

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\h5qqwz1y\h5qqwz1y.0.cs
          Filesize

          376B

          MD5

          46b17118e73afe8ffa11c46346d9da47

          SHA1

          ee89f224105cca5d9dfb09f69a66a89253d562ea

          SHA256

          86882d0430ca36d06473635780aece782fc75105a5c0724c18bf56b9ce7f8e0a

          SHA512

          a1779c2633264523adc50e45aaf541761d4e17e15715a2487d10984ec3a53820da92dd9ecb45fb0cff3dbb66dfd34bdcdfd81282b68301c394b83ad8be49d5b7

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\h5qqwz1y\h5qqwz1y.cmdline
          Filesize

          235B

          MD5

          9b5f10c408b2a803e0dbff4187d27dda

          SHA1

          1886a46bf1a7a65ae585c852f4be959d7ac3c222

          SHA256

          2ba2e8e111d7022ae62c4f49bda09834fa35dde30d4d8858d1e77329f8ff53d5

          SHA512

          d5e7187bf22674a736ee661b8a859b6bcc09f771b0139860d1eac3bbae9b3702aacb12b76c9adac557f67e815556a613f5c09a96182c367adbd54b0bcc941264

          Download Submit

        • \??\c:\Windows\System32\CSC972B77824B804794AD4E9390743AAAC5.TMP
          Filesize

          1KB

          MD5

          167c870490dc33ec13a83ebb533b1bf6

          SHA1

          182378ebfa7c8372a988dee50a7dd6f8cda6a367

          SHA256

          3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

          SHA512

          1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

          Download Submit

        • memory/2652-56-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-14-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-3-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-6-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-52-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-48-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-12-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-8-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-4-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-16-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-18-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-50-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-62-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-20-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-22-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-24-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-26-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-28-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-30-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-32-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-34-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-36-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-38-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-40-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-42-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-44-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-3559-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-66-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-64-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-3560-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-60-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-58-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-1-0x0000000001300000-0x0000000001308000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2652-54-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-46-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-2-0x000000001AEF0000-0x000000001B22C000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-10-0x000000001AEF0000-0x000000001B226000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2652-3561-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3563-0x0000000000340000-0x0000000000366000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2652-3565-0x0000000000200000-0x000000000020E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2652-3566-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3568-0x0000000000370000-0x000000000038C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2652-3570-0x0000000000310000-0x0000000000320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3572-0x0000000000390000-0x00000000003A8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2652-3574-0x0000000000320000-0x0000000000330000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3576-0x0000000000330000-0x0000000000340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3578-0x00000000003B0000-0x00000000003BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2652-3579-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3581-0x00000000005F0000-0x0000000000602000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2652-3583-0x00000000005D0000-0x00000000005DC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2652-3585-0x00000000005E0000-0x00000000005F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3587-0x0000000000850000-0x0000000000866000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2652-3589-0x0000000000B20000-0x0000000000B32000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2652-3590-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3592-0x0000000000610000-0x000000000061E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2652-3594-0x0000000000830000-0x0000000000840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3596-0x0000000000840000-0x0000000000850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3597-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3599-0x0000000000DD0000-0x0000000000E2A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2652-3601-0x0000000000870000-0x000000000087E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2652-3603-0x0000000000B40000-0x0000000000B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2652-3604-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3606-0x0000000000B50000-0x0000000000B5E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2652-3608-0x0000000000B60000-0x0000000000B68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2652-3610-0x0000000000B90000-0x0000000000BA8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2652-3612-0x0000000000B70000-0x0000000000B7C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2652-3616-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3617-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-3636-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2652-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3700-3655-0x000000001B510000-0x000000001B7F2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/3700-3657-0x00000000028E0000-0x00000000028E8000-memory.dmp

          Filesize

          32KB

          Download