Overview

overview

10

Static

static

3

68ef473852...aa.exe

windows7-x64

10

68ef473852...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68ef473852d3aefd8e5e4f2e00b3dfaa.exe

  • Size

    1.8MB

  • MD5

    68ef473852d3aefd8e5e4f2e00b3dfaa

  • SHA1

    3ba2594ec459d1c9152558ebdd9611427347a73e

  • SHA256

    f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

  • SHA512

    8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff

  • SSDEEP

    49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe
    "C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\101gwnj3\101gwnj3.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF0C.tmp" "c:\Windows\System32\CSCB1F88D484D49438D9B64BC89FC57B91.TMP"
        3⤵
          PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhostw.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3264
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qXdchiva86.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:636
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1592
          • C:\Users\Public\Documents\My Videos\services.exe
            "C:\Users\Public\Documents\My Videos\services.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa6" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa6" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4044

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        Filesize

        1.8MB

        MD5

        68ef473852d3aefd8e5e4f2e00b3dfaa

        SHA1

        3ba2594ec459d1c9152558ebdd9611427347a73e

        SHA256

        f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

        SHA512

        8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESAF0C.tmp
        Filesize

        1KB

        MD5

        2d402447f1bb3f84fa29b984023be8ab

        SHA1

        94017b52b1892ffdc041884d4d505455812de897

        SHA256

        3909fd2d963e9c11b1e2234cab7aa33b8c82db9e69d700e7418593450b2fc343

        SHA512

        ca08ac660524a8b4566f9b7fdb08f5abecba51b32800961852262dcceabef366ad809418511c590c708c18aa9591bffee5307e0f428cfe9dfb6906206d6140ce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51uwtgpt.4wt.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qXdchiva86.bat
        Filesize

        176B

        MD5

        2bd1e9d28a4affae76886cb9da334b02

        SHA1

        1a8326bba8f5bdab17dc4e4ec9b2f5fe8a1a1c08

        SHA256

        e6aacbadbbc14e0ba8072c33df38bfd6a55cae42d1958541f200c905b3c39fcc

        SHA512

        f5f70701c810a845239de706f772d4c56cec9f274167425a4d1d02a1269cc5a93bba76de1ac5f77c06d2af3f2b5310f52d5a989a316e3f88c3d4b80f3045658d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\101gwnj3\101gwnj3.0.cs
        Filesize

        395B

        MD5

        ddb6466835dd7cd24c6def710c148b70

        SHA1

        fba52dfa4179fd3acdb9bc79dda5b72699de00f9

        SHA256

        80fe94f67caab96f2632ec41f27f18c2101c9e8fe1c8e9c56178f9ce080097f5

        SHA512

        f75c5b6a78e93977695dd4f100631430e13509b495bbef8d96576f190d60296594d01db594c2a0a0ec9fbe93c935600e497a06221a2330d7c39225b50854e178

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\101gwnj3\101gwnj3.cmdline
        Filesize

        235B

        MD5

        07e86f582ec332c1f78b5dcb10a14cd3

        SHA1

        3cb6d962ac3fd1c2ebdb2cf839b3a73a40769b16

        SHA256

        f2b0ba447a8c364f9d8193d0dd0c0f970185d3136b6d29f42b0673cbfa635dc0

        SHA512

        d1bad61624c762deb8ac69e06b4f503e5c6da2442b88efecf49262d59d8b69af0ae24b096134111a0c982660b1cd43eddbb6d7472783e418ba26a593254fdb89

        Download Submit

      • \??\c:\Windows\System32\CSCB1F88D484D49438D9B64BC89FC57B91.TMP
        Filesize

        1KB

        MD5

        2fd2b90e7053b01e6af25701a467eb1f

        SHA1

        68801a13cebba82c24f67a9d7c886fcefcf01a51

        SHA256

        12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

        SHA512

        081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

        Download Submit

      • memory/452-8-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

        Filesize

        8KB

        Download

      • memory/452-13-0x000000001AF80000-0x000000001AF98000-memory.dmp

        Filesize

        96KB

        Download

      • memory/452-27-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-28-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-29-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-30-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-34-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-35-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-11-0x000000001B410000-0x000000001B460000-memory.dmp

        Filesize

        320KB

        Download

      • memory/452-10-0x000000001AF60000-0x000000001AF7C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/452-15-0x000000001AF30000-0x000000001AF3C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/452-7-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-6-0x0000000002600000-0x000000000260E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/452-1-0x0000000000250000-0x000000000042C000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/452-78-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-4-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-3-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/452-2-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3264-59-0x000001BF54530000-0x000001BF54552000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4220-127-0x000000001E6E0000-0x000000001E7F5000-memory.dmp

        Filesize

        1.1MB

        Download