Overview

overview

10

Static

static

3

4aa398eb33...7b.exe

windows7-x64

10

4aa398eb33...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2025 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe

  • Size

    1.8MB

  • MD5

    2a6e3f3275d854bf07aba2427baa6610

  • SHA1

    37d6411844b5d8a9d997f38f7718168b33cbc564

  • SHA256

    4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

  • SHA512

    a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

  • SSDEEP

    24576:4p8qWcx5AkyZrtziLafchZChMHTzC6SXYdzNyCzrgEctNjfRn5rEQi:wcJQLa0hs2HTbbtNhzrgZnp5rE

Score
10/10
dcratexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe
    "C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xqjrlbx5\xqjrlbx5.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE8E.tmp" "c:\Windows\System32\CSCCEC79B4C2E7C4A2C9C4A14F5C5DDB84E.TMP"
        3⤵
          PID:2732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:844
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1yxBWcZbA8.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1880
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2664
            • C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe
              "C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe"
              3⤵
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              PID:2132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:812
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b4" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b4" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1156

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe
          Filesize

          1.8MB

          MD5

          2a6e3f3275d854bf07aba2427baa6610

          SHA1

          37d6411844b5d8a9d997f38f7718168b33cbc564

          SHA256

          4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

          SHA512

          a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1yxBWcZbA8.bat
          Filesize

          278B

          MD5

          cdda133d7770fb8f575f64c51a5bcead

          SHA1

          d18f0c1519a919a6120eaa68d8dd820e7a3777a1

          SHA256

          46272e48d84cefea2e216ca4489d709315641f72aef7a4490ce2d89fa9e7cacc

          SHA512

          2d10e011c6b9ac8e273ed66228516a6ea558a92caa3ed955d269a51ac3a35452233bc7798a0e2325d143a42a5e83756b34311d6dcf014a69648d6d392b44d1ce

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESBE8E.tmp
          Filesize

          1KB

          MD5

          4ef5c4bab103493a0f4cf47bedd30539

          SHA1

          ccd88420f0b652a83f670020a13f21bd5d519eb5

          SHA256

          0049bafbabeb81285e3dda69b6612081124bc123590d7c4b131db40d27399ef3

          SHA512

          0f467d134d619f69c8fadb7bf762e5120d96ef643449b7c9ec8c144b13483dd36415d4dd7b92426f8cecc3d796099a615f97f113a35681bcad87dcda4edd72d6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          ad8f9958a6c39055784a6fbda16fe230

          SHA1

          70e465e70485fa4a9fd704e55df1ddd2e001705d

          SHA256

          a0d900d35d95e503f7c5331ee05a5f08fb3e3890b2f1d9f87fb49a1e88858d66

          SHA512

          b2d68de6e96f6fd190d8d4df03b5e544e500d67571e5e79013418456ed971271c6eac29afb37d1eddf4f3c32eb421ba2f814a01ca02feab2d847335788078a9a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xqjrlbx5\xqjrlbx5.0.cs
          Filesize

          418B

          MD5

          cfe1abfd25a38691a275abc2d7c7041b

          SHA1

          567f0098f5ce733048486231544cdfa37c6820a3

          SHA256

          9e62368dd1fab25af85174cba66161c0a1bada24cd256c92f80cf7d16ac001b5

          SHA512

          3411c41d387404a3b8281b170431f257a17835c7e72dfc77280d81c60a88d0fbe68ee528434b673ee79598a88ac3fc52bbbde7744b47f6235bfb29dcc7f4946a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xqjrlbx5\xqjrlbx5.cmdline
          Filesize

          235B

          MD5

          2203b49481a50226037113d1884d5d17

          SHA1

          b9209c3a80daab33478c21ce974370de76f1a978

          SHA256

          fed07aa7ec0f5d36e62b00805cc33b50ce4b2c07efbfe8a8bb91c967450e05b8

          SHA512

          976bc46e409bb77299ad54b30a5bd33f9ef52fec8666ad689d19416550089e2aa7313d6d8fd474eff77514a98bc891c52f7b95c538c230850e86da6e3d141fb4

          Download Submit

        • \??\c:\Windows\System32\CSCCEC79B4C2E7C4A2C9C4A14F5C5DDB84E.TMP
          Filesize

          1KB

          MD5

          078586b266e519b5c113064d7a0bf45c

          SHA1

          a9395c0ef35add5c75591ebb94c85c1f33f408bf

          SHA256

          ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

          SHA512

          5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

          Download Submit

        • memory/288-59-0x000000001B6A0000-0x000000001B982000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/288-61-0x00000000027A0000-0x00000000027A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2132-135-0x0000000000DC0000-0x0000000000F88000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2384-7-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-8-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-17-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-13-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-28-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-12-0x0000000000420000-0x0000000000428000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2384-10-0x0000000000440000-0x000000000045C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2384-15-0x0000000000430000-0x000000000043C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2384-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2384-6-0x0000000000410000-0x000000000041E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2384-4-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-3-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-129-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2384-1-0x0000000000880000-0x0000000000A48000-memory.dmp

          Filesize

          1.8MB

          Download