Overview

overview

10

Static

static

10

d653ac9835...87.exe

windows7-x64

10

d653ac9835...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe

  • Size

    1.7MB

  • MD5

    7094bec5c74b11ca66951e7013264883

  • SHA1

    1e784f9036b8186f79f774e8c5994a40a6e0ce1d

  • SHA256

    d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087

  • SHA512

    c1f2abed94ee88516a362eda3cd7404eefc816136ae1174efa665e16a0cf89913e51a3ab0dc40fe671bf7c360b65e1eed7a16c9787622b8ca039ef3763530bfe

  • SSDEEP

    49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvG:OTHUxUoh1IF9gl2h

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
    "C:\Users\Admin\AppData\Local\Temp\d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:708
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e7C8pmPDNU.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2284
        • C:\Windows\System32\winrm\0410\csrss.exe
          "C:\Windows\System32\winrm\0410\csrss.exe"
          3⤵
          • Executes dropped EXE
          PID:1280
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3568d5e-5d61-4d8f-b7be-4231768e47be.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\System32\winrm\0410\csrss.exe
              C:\Windows\System32\winrm\0410\csrss.exe
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2776
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd813cb-5888-4d2b-8573-a6504d4a13d3.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Windows\System32\winrm\0410\csrss.exe
                  C:\Windows\System32\winrm\0410\csrss.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2456
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033d4fa4-373a-4a12-9ef8-5234c615958f.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:768
                    • C:\Windows\System32\winrm\0410\csrss.exe
                      C:\Windows\System32\winrm\0410\csrss.exe
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1796
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba9a7777-f035-445e-961f-f9148f0f71fc.vbs"
                        10⤵
                          PID:1744
                          • C:\Windows\System32\winrm\0410\csrss.exe
                            C:\Windows\System32\winrm\0410\csrss.exe
                            11⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1736
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8cb1b9-c3f0-49bd-b41f-f0117c5f962b.vbs"
                              12⤵
                                PID:2364
                                • C:\Windows\System32\winrm\0410\csrss.exe
                                  C:\Windows\System32\winrm\0410\csrss.exe
                                  13⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:688
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8573289c-0bbf-4011-8421-262a87595778.vbs"
                                    14⤵
                                      PID:408
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f145758-ac1b-496a-947a-1999fc85904d.vbs"
                                      14⤵
                                        PID:2088
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\341021f0-8952-4f2b-9a58-396a31d2ff0d.vbs"
                                    12⤵
                                      PID:1624
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ab3c66e-a443-4eba-a93a-7683d43981e5.vbs"
                                  10⤵
                                    PID:1636
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b598786-e63a-4ea7-aa19-8fb0afa4cd25.vbs"
                                8⤵
                                  PID:1172
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fd95f7d-2b52-46e1-bd65-cc845813137b.vbs"
                              6⤵
                                PID:2100
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1d88db-548a-476f-a3b2-9f89cb20690d.vbs"
                            4⤵
                              PID:2936
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\winrm\0410\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2944
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\winrm\0410\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2836
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\winrm\0410\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3060
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2744
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2736
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2848

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\033d4fa4-373a-4a12-9ef8-5234c615958f.vbs
                        Filesize

                        716B

                        MD5

                        831d5477364b4f8512c06a75e59ba92e

                        SHA1

                        b584c84413219218ec8fcd5831919e8cf3fa349f

                        SHA256

                        bbcb4b7ca230fc50a77ff496bea99a4edc55922f725c2f67e16e7e1649ddb867

                        SHA512

                        9aec631bffc248b037409365c8d5c975972281dc222554b1ee2b6f4eb417a50c4c21dc92168e815af944f7b3c15c122f2922b442fcf0db525d623a7b00f1fc6c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\1fd813cb-5888-4d2b-8573-a6504d4a13d3.vbs
                        Filesize

                        716B

                        MD5

                        c415527ecb1c55ede4d307bbf4e991b5

                        SHA1

                        7e23addc7e7a9159ae73249efcafb35cd3c1e54d

                        SHA256

                        a5ac26d0035af682a5249a2355ca14f78499db59113e4497cb06e42f0b122b65

                        SHA512

                        17d5d7fd83a635e56dd357c1c8eaca4e4feb856ea676c03646f442d8032287b2ac8661caab23ac3649dd3bf9ce1219fc728fb71ef18b5d2318a3b02ac4d99277

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\5fd95f7d-2b52-46e1-bd65-cc845813137b.vbs
                        Filesize

                        492B

                        MD5

                        01c61c4dd9d78701b10db2d54877116c

                        SHA1

                        1b36f34e38e2723d024e0891c3049273fd7ae5fa

                        SHA256

                        7a62b282c26c8e51f85f2a3b78d7d29b76f3ca186012d7d43af7b8efbb02aaa6

                        SHA512

                        e4079e10cbaa4687a0fc1c78479a4242e111772dec0ed5ae13deee0f2a2f8b1bc46da1df01db012c0758528b08104baf5ef66dc510e4f59cee9d78c9b229a7bd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\7a8cb1b9-c3f0-49bd-b41f-f0117c5f962b.vbs
                        Filesize

                        716B

                        MD5

                        36ef6e20db86b26bd3b938969b09edeb

                        SHA1

                        627fd536d6ac3f36e8701c1aeb020568927f1113

                        SHA256

                        a3136eac725fb4b7975f6e9bd115ac93afe1b732495e5d2345ede896f410e5c7

                        SHA512

                        28948d81656338522f1e5a20b1224f1c2e094f81c5b955673bb9e7fd847f58ca9fb11c7547f2783a7e6036c27479b7bae0ac15bf012132d24cfabcf8d561591e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\8573289c-0bbf-4011-8421-262a87595778.vbs
                        Filesize

                        715B

                        MD5

                        feaa6e80c87101666be2f6594c564fb0

                        SHA1

                        71fb904b959ae632a9feafdedeaecba93330e0bb

                        SHA256

                        83982873079d9670eb2b06d60eab76ad6554116ecff233c956e6e6ab500b56ff

                        SHA512

                        2e7f751a2b5ee9b69ccade2d4becb247ba2459a7539e54a0a3e0e3307c24845ab1d184732c9d0c44e3f9d2d660f913e816c92d8303c97cc82b007a73e64eec03

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\ba9a7777-f035-445e-961f-f9148f0f71fc.vbs
                        Filesize

                        716B

                        MD5

                        bf9c6e85131b450a46758a31e847049e

                        SHA1

                        c711005c12e4488e82b016402f363044760736bc

                        SHA256

                        23d0ae23c0008452a00cf5da8fa10d33b435b6e00737c12831ca2ea03d24d120

                        SHA512

                        8ca27fe8bab8ca413493e49d850d54fe5e3af3c5e0e35b71cd51443430338af30512add5f735ef9f20887d79a07b00b9a9a3eef8524db2cacc2e07c8e29c2a55

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\e7C8pmPDNU.bat
                        Filesize

                        205B

                        MD5

                        ba2317c211213a5f675aedc1e99e0f31

                        SHA1

                        5c160c116a71132594a5dbdd437468796ab396f3

                        SHA256

                        4107a8edcf3c6da4fd1e22a86bd3d918e66ad9f50069dcb85fcd0cce72e5090d

                        SHA512

                        c3be8ab8e016e1867f4bb3d9b073b807221057e79def36102f49cbe927bff7f1cb7f894c2342456ce605f788506b03adcdf2486a586e9409c21b6f4545d912ed

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        d96f2f8ab9f9c0212e93becb436baa75

                        SHA1

                        559861071e268b5c84256cc9f439384182e10ade

                        SHA256

                        8c7c8730766d88c62cc2addfd6f99e83e4c3a7ba145b21a098761017ee207729

                        SHA512

                        f62a38d14a5179edb39ab74658e486ed8173853f7d67995ce73db75d70c718fcca79db090f629b264af10c043e005c08abf3cee82f9ac9937bac1022709c111b

                        Download Submit

                      • C:\Windows\System32\winrm\0410\csrss.exe
                        Filesize

                        1.7MB

                        MD5

                        7094bec5c74b11ca66951e7013264883

                        SHA1

                        1e784f9036b8186f79f774e8c5994a40a6e0ce1d

                        SHA256

                        d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087

                        SHA512

                        c1f2abed94ee88516a362eda3cd7404eefc816136ae1174efa665e16a0cf89913e51a3ab0dc40fe671bf7c360b65e1eed7a16c9787622b8ca039ef3763530bfe

                        Download Submit

                      • memory/688-155-0x0000000000E10000-0x0000000000FD0000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/1720-13-0x00000000006E0000-0x00000000006EA000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/1720-57-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1720-14-0x00000000006F0000-0x00000000006FE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/1720-16-0x0000000000710000-0x000000000071C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1720-17-0x0000000000720000-0x000000000072C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1720-15-0x0000000000700000-0x0000000000708000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1720-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1720-20-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1720-11-0x00000000004A0000-0x00000000004B2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/1720-4-0x0000000000150000-0x0000000000158000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1720-9-0x0000000000490000-0x0000000000498000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1720-1-0x00000000002B0000-0x0000000000470000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/1720-8-0x0000000000480000-0x000000000048C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1720-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1720-3-0x0000000000270000-0x000000000028C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/1720-7-0x0000000000470000-0x0000000000480000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1720-6-0x0000000000290000-0x00000000002A6000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/1720-12-0x00000000004B0000-0x00000000004BC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1720-5-0x0000000000170000-0x0000000000180000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1736-143-0x0000000000CA0000-0x0000000000E60000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/1796-131-0x0000000000370000-0x0000000000530000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/2456-119-0x0000000000980000-0x0000000000B40000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/2776-108-0x0000000000290000-0x0000000000450000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/2928-104-0x0000000001F70000-0x0000000001F78000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2928-80-0x000000001B700000-0x000000001B9E2000-memory.dmp

                        Filesize

                        2.9MB

                        Download