Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    19-07-2024 11:24

General

  • Target

    DCrat.exe

  • Size

    3.7MB

  • MD5

    22cc90f49c151e2b37d98947d4fc7390

  • SHA1

    2838b3e4d3d67bd9af50535130c017f3f0e03e61

  • SHA256

    1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067

  • SHA512

    12eae0f34661ed05742cd183dc4225949004a60d59487d9771b6789482a71821560b3ffd1c81cdb4d5cd2e289f3843b91bfdb65379810b4200c03778c9e44b22

  • SSDEEP

    98304:Ubtsvkrdch4OslTJ64XIQB3MjkbFw6kzGYn:UJs8rCrsp44XIq3qztn

Malware Config

Signatures

  • DcRat 34 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 11 IoCs
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCrat.exe
    "C:\Users\Admin\AppData\Local\Temp\DCrat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\bGPSMCCx73WsREqaBZfJC0ze9BBQbq.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\HyperSurrogateContaineragentWin\Trh5bm.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\HyperSurrogateContaineragentWin\portruntimesvc.exe
          "C:\HyperSurrogateContaineragentWin\portruntimesvc.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2580
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XuKa62DI0l.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:924
              • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1112
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d04892-a3cf-4ca5-82b3-6f932380e804.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1908
                  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                    "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:652
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e6a87f-6ead-4114-9d9b-bbe2df5a2cf0.vbs"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1196
                      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2256
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96410553-6d5d-477c-a835-db803e91f8e3.vbs"
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1760
                          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                            "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                            12⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:2524
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d1e7de-0093-4918-a3ef-6d7dc342c204.vbs"
                              13⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1932
                              • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                14⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2668
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833958fd-ae7c-4c63-8431-3c6e2f8c1eec.vbs"
                                  15⤵
                                    PID:1120
                                    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                      16⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:572
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0169f93b-8112-43ff-aead-313c69d8efab.vbs"
                                        17⤵
                                          PID:2368
                                          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                            "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                            18⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2116
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe45706-d2c8-4d96-a437-a69ad62542dd.vbs"
                                              19⤵
                                                PID:1520
                                                • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                                  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                                  20⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:2648
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd872ec3-cd30-4ecf-8699-1b2b3b7a8de5.vbs"
                                                    21⤵
                                                      PID:2524
                                                      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                                        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                                        22⤵
                                                        • UAC bypass
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1084
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84656bd3-bdf1-4d14-ab39-fbe4374bd092.vbs"
                                                          23⤵
                                                            PID:2600
                                                            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                                              "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                                              24⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:2412
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ead3c224-1cfe-4fee-b25c-48b10cce21f8.vbs"
                                                                25⤵
                                                                  PID:1468
                                                                  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                                                    "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                                                    26⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:832
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1abfda-a1df-48eb-9764-3ecd88b91804.vbs"
                                                                      27⤵
                                                                        PID:2164
                                                                        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
                                                                          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe"
                                                                          28⤵
                                                                          • UAC bypass
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:2136
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccd7564f-3d5a-4cfa-acba-72e59a949530.vbs"
                                                                            29⤵
                                                                              PID:1800
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c180b9d5-2b83-4517-8dc2-73ed8a4b6df6.vbs"
                                                                          27⤵
                                                                            PID:2920
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3951f787-844e-441d-bf8f-dcce7fe3e8e0.vbs"
                                                                        25⤵
                                                                          PID:2984
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9f2b4e-0187-4572-bef1-4f4b1679bda8.vbs"
                                                                      23⤵
                                                                        PID:1708
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ae3d1a-07ec-46c5-9a4f-3d220644da4e.vbs"
                                                                    21⤵
                                                                      PID:1464
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2916988c-3199-4cc0-b53b-cdb1a886867c.vbs"
                                                                  19⤵
                                                                    PID:2224
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b84ffa6-f791-43fd-bf44-7ac2d82a8451.vbs"
                                                                17⤵
                                                                  PID:2260
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea01abc8-dfd6-4f25-9b30-56f4291a8c25.vbs"
                                                              15⤵
                                                                PID:2780
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f789bacc-9843-442a-8bb0-ed8c384b8890.vbs"
                                                            13⤵
                                                              PID:1016
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4275a316-a08c-4244-ba51-0bcd3e2b0200.vbs"
                                                          11⤵
                                                            PID:668
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c9f1cb-ca87-4d0b-9a54-d6ad648e5257.vbs"
                                                        9⤵
                                                          PID:1492
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49fc3cb3-6b85-4d6f-80a1-aaef0fad8954.vbs"
                                                      7⤵
                                                        PID:2956
                                                • C:\Windows\SysWOW64\reg.exe
                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:1016
                                            • C:\Windows\SysWOW64\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\file.vbs"
                                              2⤵
                                                PID:2428
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2856
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2920
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:588
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1456
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1424
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2140
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2128
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1408
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1676
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2184
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2176
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2244
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1608
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1952
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1468
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1528
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:608
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2948
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2668
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\taskhost.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2456

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\HyperSurrogateContaineragentWin\Trh5bm.bat

                                              Filesize

                                              167B

                                            • C:\HyperSurrogateContaineragentWin\bGPSMCCx73WsREqaBZfJC0ze9BBQbq.vbe

                                              Filesize

                                              214B

                                            • C:\HyperSurrogateContaineragentWin\file.vbs

                                              Filesize

                                              34B

                                            • C:\Users\Admin\AppData\Local\Temp\0169f93b-8112-43ff-aead-313c69d8efab.vbs

                                              Filesize

                                              749B

                                            • C:\Users\Admin\AppData\Local\Temp\15d1e7de-0093-4918-a3ef-6d7dc342c204.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\48d04892-a3cf-4ca5-82b3-6f932380e804.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\49fc3cb3-6b85-4d6f-80a1-aaef0fad8954.vbs

                                              Filesize

                                              526B

                                            • C:\Users\Admin\AppData\Local\Temp\833958fd-ae7c-4c63-8431-3c6e2f8c1eec.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\84656bd3-bdf1-4d14-ab39-fbe4374bd092.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\96410553-6d5d-477c-a835-db803e91f8e3.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\XuKa62DI0l.bat

                                              Filesize

                                              239B

                                            • C:\Users\Admin\AppData\Local\Temp\cf1abfda-a1df-48eb-9764-3ecd88b91804.vbs

                                              Filesize

                                              749B

                                            • C:\Users\Admin\AppData\Local\Temp\d6e6a87f-6ead-4114-9d9b-bbe2df5a2cf0.vbs

                                              Filesize

                                              749B

                                            • C:\Users\Admin\AppData\Local\Temp\dd872ec3-cd30-4ecf-8699-1b2b3b7a8de5.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\ead3c224-1cfe-4fee-b25c-48b10cce21f8.vbs

                                              Filesize

                                              750B

                                            • C:\Users\Admin\AppData\Local\Temp\ebe45706-d2c8-4d96-a437-a69ad62542dd.vbs

                                              Filesize

                                              750B

                                            • \HyperSurrogateContaineragentWin\portruntimesvc.exe

                                              Filesize

                                              3.4MB

                                              MD5

                                              3ae60214e5dd15829d6380f5dcaac75c

                                              SHA1

                                              c4ff1e0ef5b97b467b28039b3b902b088107ebae

                                              SHA256

                                              1a38cd5a9e8fb8086a6f84ac2bbac0ded061766fcdf3a25a1e6147a400cb8b39

                                              SHA512

                                              816f2e195827abe524d3ffe3c87ee6a5e02289c2fad1a5ed5b5751ecc356998b61b9638c65b7db7f231a3bc50c002995823755650a703cae12aa9decf4c995ac

                                            • memory/572-145-0x0000000000030000-0x000000000039A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/652-95-0x00000000010E0000-0x000000000144A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/652-96-0x0000000000D30000-0x0000000000D86000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/832-206-0x00000000004F0000-0x0000000000502000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1112-83-0x0000000000830000-0x0000000000B9A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/1112-84-0x0000000002350000-0x0000000002362000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2116-159-0x000000001A970000-0x000000001A982000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2116-157-0x0000000000AF0000-0x0000000000E5A000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/2116-158-0x0000000000540000-0x0000000000552000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2136-218-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2256-108-0x0000000000610000-0x0000000000622000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2412-194-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2524-120-0x0000000000040000-0x00000000003AA000-memory.dmp

                                              Filesize

                                              3.4MB

                                            • memory/2580-31-0x0000000000C50000-0x0000000000C5A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2580-35-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2580-46-0x000000001AD80000-0x000000001AD8E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2580-47-0x000000001AD90000-0x000000001AD98000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2580-48-0x000000001ADA0000-0x000000001ADAE000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2580-49-0x000000001ADB0000-0x000000001ADB8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2580-50-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2580-51-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2580-52-0x000000001ADE0000-0x000000001ADEA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2580-53-0x000000001B1C0000-0x000000001B1CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2580-44-0x000000001AD60000-0x000000001AD6C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2580-43-0x000000001AD50000-0x000000001AD58000-memory.dmp

                                              Filesize
