Overview

overview

10

Static

static

5

Dcrat (123).zip

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2025, 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dcrat (123).zip

  • Size

    19.3MB

  • MD5

    ada95e6c53495d51f34c6d72fc307d2b

  • SHA1

    757911647698aa230384eb959d3a8f21b2e294f1

  • SHA256

    dce5f8b5b180084796a8f8d7cfb22d112ae3694fb649649543ad8b3ba2e8e37c

  • SHA512

    4b7dea50882c870b4581f3a57b043b9c567b52592ff430dc26fa58eb1ba1c43f18d1b59bc2dd6e353c950be8f570a1a88e46b8ec4fa6988e7831a22a403013aa

  • SSDEEP

    393216:C6gw5Z8d2wavvVtMPKwkMbpQjC/yTQAToEY6fmpEW+fz4wbMy:xo4vASwkMbpQjXTZYAmpj+rDbMy

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dcrat (123).zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2248
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1820
    • C:\Users\Admin\Desktop\DcRat\DСRat.exe
      "C:\Users\Admin\Desktop\DcRat\DСRat.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChainPortComponent\suGy7lNz4EdXdrhhLoh4rCffAOfAHVy377olZbjfYJITd7YOasuhrV0aHSw.vbe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ChainPortComponent\ovKE7rk3Q5uLiIkL9gDVaPu3MpJpfNwAiQiASSjIWox.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\ChainPortComponent\DriverDhcp.exe
            "C:\ChainPortComponent/DriverDhcp.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1632
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4232
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ChainPortComponent/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:956
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5044
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2448
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1684
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4040
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1924
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:456
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sppsvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainPortComponent\DriverDhcp.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3360
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ZUKzs1xos.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:372
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:6116
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:6044
                • C:\ChainPortComponent\DriverDhcp.exe
                  "C:\ChainPortComponent\DriverDhcp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1564
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DriverDhcpD" /sc MINUTE /mo 5 /tr "'C:\ChainPortComponent\DriverDhcp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DriverDhcp" /sc ONLOGON /tr "'C:\ChainPortComponent\DriverDhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DriverDhcpD" /sc MINUTE /mo 9 /tr "'C:\ChainPortComponent\DriverDhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4516
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5488
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9908fcc40,0x7ff9908fcc4c,0x7ff9908fcc58
          2⤵
            PID:5576
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
            2⤵
              PID:5876
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:3
              2⤵
                PID:5888
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2076,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
                2⤵
                  PID:5976
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
                  2⤵
                    PID:3680
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
                    2⤵
                      PID:6116
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
                      2⤵
                        PID:6236
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
                        2⤵
                          PID:6784
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
                          2⤵
                            PID:6872
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
                            2⤵
                              PID:7036
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5300,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3780 /prefetch:8
                              2⤵
                                PID:7084
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3816,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
                                2⤵
                                  PID:7120
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5436,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
                                  2⤵
                                    PID:5172
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:2
                                    2⤵
                                      PID:5520
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5104,i,5180547913693080919,11354128126525308313,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:1
                                      2⤵
                                        PID:2336
                                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                      1⤵
                                        PID:6192
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                        1⤵
                                          PID:6880
                                        • C:\Users\Admin\Desktop\DcRat\DСRat.exe
                                          "C:\Users\Admin\Desktop\DcRat\DСRat.exe"
                                          1⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          PID:6728
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\ChainPortComponent\suGy7lNz4EdXdrhhLoh4rCffAOfAHVy377olZbjfYJITd7YOasuhrV0aHSw.vbe"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6740
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\ChainPortComponent\ovKE7rk3Q5uLiIkL9gDVaPu3MpJpfNwAiQiASSjIWox.bat" "
                                              3⤵
                                                PID:6876

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\ChainPortComponent\DriverDhcp.exe
                                            Filesize

                                            1.8MB

                                            MD5

                                            d8584a829e9fc21cca437df98bcc9209

                                            SHA1

                                            1236e27622e4232882b4d0329ba5105a19b8a00d

                                            SHA256

                                            58be661256b9656d3dc50ba59915579315542f27038465e8bdc45729414dde27

                                            SHA512

                                            faf7358ec42c4fa7b2b3459e03496766fde6b255c13fc7c501d36645f2ed6f4be4bf6fff6ddd313259548edb7ec624f9f2e8434bb715ab3b472d1ff4c433c157

                                            Download Submit

                                          • C:\ChainPortComponent\ovKE7rk3Q5uLiIkL9gDVaPu3MpJpfNwAiQiASSjIWox.bat
                                            Filesize

                                            107B

                                            MD5

                                            139006bc83dd9b558f1c5f0e7738eb2e

                                            SHA1

                                            2db8b80c8de86de9825462d48587fb99f5aed577

                                            SHA256

                                            db44c5a7712b4549623d3938a543d221fa15e9464d743004fb5ba192cdf89249

                                            SHA512

                                            811c1a83917b4a74e3676f11b5644508c89b745cda5d6af985d48978d2db3d693fb04ddcd33ff1f5afb7bcadbb1056ce451f47841f80b8b645ed405f819c282a

                                            Download Submit

                                          • C:\ChainPortComponent\suGy7lNz4EdXdrhhLoh4rCffAOfAHVy377olZbjfYJITd7YOasuhrV0aHSw.vbe
                                            Filesize

                                            250B

                                            MD5

                                            7fca95693aba89d447b7aa2b0df464b3

                                            SHA1

                                            636ec1daa14e557f8eb102e03b253bcddbe11914

                                            SHA256

                                            fe9be2daaa44a196e6d4c796b6e5add5814d54aa16cb623e74cc18315144aef6

                                            SHA512

                                            03539e296b3867bb505ea19a2632842265b15b78cb43abd96679dc4913fe13d298f5e0856b4d48a673f33215d1750c0f2f590b9f4d31acfde3480b70a237320c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                            Filesize

                                            649B

                                            MD5

                                            ee734a608ecc34f7bc569decb237c846

                                            SHA1

                                            220c23c5e751b1abd220d88d0e342375e85f44ae

                                            SHA256

                                            4961b48671998bc5870d0e2af33af85ac8a4a328bf5020332eee3a9176c31ae3

                                            SHA512

                                            d13a4d4b56b483d652df3b525a78106fe02107c93aebc653bf0a003e89a8a949ef83bd7413b45c60d031a0eaf9d446b7fbf393cf411f188c8cf9862c5fd2528e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
                                            Filesize

                                            851B

                                            MD5

                                            07ffbe5f24ca348723ff8c6c488abfb8

                                            SHA1

                                            6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                            SHA256

                                            6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                            SHA512

                                            7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
                                            Filesize

                                            854B

                                            MD5

                                            4ec1df2da46182103d2ffc3b92d20ca5

                                            SHA1

                                            fb9d1ba3710cf31a87165317c6edc110e98994ce

                                            SHA256

                                            6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                            SHA512

                                            939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                            Filesize

                                            2B

                                            MD5

                                            d751713988987e9331980363e24189ce

                                            SHA1

                                            97d170e1550eee4afc0af065b78cda302a97674c

                                            SHA256

                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                            SHA512

                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                            Filesize

                                            354B

                                            MD5

                                            7bc74cb6f63879056518c088aa0ba99b

                                            SHA1

                                            5f2578a71b91b4eb48e475fc1bd9d1c8551bc811

                                            SHA256

                                            4119261a64b23bc9e5039fff874e166dcdc501a351c195b32f739d8329474252

                                            SHA512

                                            0480d716575dfc351ea96304e7e7ae02ae6600f7aadf64e743758e6e0f479830fe4f4213c3f7afd0fd532bbf8a3c8666da90399ad5e88d0ea06f95d59165e43b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                            Filesize

                                            9KB

                                            MD5

                                            2a88099fe93c3b95520dc94b6da3d2b4

                                            SHA1

                                            57b1172003d12913b353c70bdcd7e363c16edd0d

                                            SHA256

                                            394a05389453f671743238992515bdbf606d88242a177ab20fa41e4197a695b9

                                            SHA512

                                            1d70260784b8d83300d9acdac182d5787e1513fe4c466164d5f78d9d3c160c017a359ca038b6018db88329884a8ceb78d242933860b30b0a54d7b1bbf421385e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                            Filesize

                                            9KB

                                            MD5

                                            580e174bd5cb695bea2154e347d72e20

                                            SHA1

                                            4eb4e17d0cddfcc5a139322f20646ebfd2463c6a

                                            SHA256

                                            07ab99ea4f2ba4f022fc738165f2c9a23fc10ec16748d86f35bbebcf98e73760

                                            SHA512

                                            a73ca9b5c582cf76b704f9a241e182122ce42b70c210378cd785c7901717da29c5664dfaae1a2b6d7556e5887e515e547dfa7133f8123ac18d8b7a608c57a6bc

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                            Filesize

                                            15KB

                                            MD5

                                            558963e9ad81649a5244c3f5df5c7a91

                                            SHA1

                                            78a92e63669e81162fcd4d16fffc0691f8369294

                                            SHA256

                                            81f149f65a79401dc5613a2fcfc5827a23c9b5e247689b3dc79382cc7b1db7bb

                                            SHA512

                                            41baf592f84e3ba73d8f2d3aa7d3bd0aebf154ee6ccd2a545c9d86be0c0ca94b3a878c879965fe3783c6299b2c01b8313db00ae2eb90afc9b31595c354206353

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                            Filesize

                                            231KB

                                            MD5

                                            b228e5a4b14c683fb29e1d1fec33bd4a

                                            SHA1

                                            393823084e8a220b20a043d957e8e41e59f58948

                                            SHA256

                                            2bac71fce59ddb60c51cd564750ddbfcb117ab148b38bc79b684acb8031e5d2f

                                            SHA512

                                            a246115c21f6f2723f315e742d417cbcf25844b82c910ec7aec3755872832f4daf3fc2af85cb8a5ec00dd30a40916a648e3eac035ec0956c63393fd8427c567f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverDhcp.exe.log
                                            Filesize

                                            1KB

                                            MD5

                                            4ef3ab577fdbd5c7dd815e496ecd5601

                                            SHA1

                                            8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

                                            SHA256

                                            72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

                                            SHA512

                                            ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            6d3e9c29fe44e90aae6ed30ccf799ca8

                                            SHA1

                                            c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                            SHA256

                                            2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                            SHA512

                                            60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            cadef9abd087803c630df65264a6c81c

                                            SHA1

                                            babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                            SHA256

                                            cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                            SHA512

                                            7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            3a6bad9528f8e23fb5c77fbd81fa28e8

                                            SHA1

                                            f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                            SHA256

                                            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                            SHA512

                                            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            bd5940f08d0be56e65e5f2aaf47c538e

                                            SHA1

                                            d7e31b87866e5e383ab5499da64aba50f03e8443

                                            SHA256

                                            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                            SHA512

                                            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            5f0ddc7f3691c81ee14d17b419ba220d

                                            SHA1

                                            f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                            SHA256

                                            a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                            SHA512

                                            2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\7zE8C8971C7\DcRat\plugins\chat_native\fav.png
                                            Filesize

                                            2KB

                                            MD5

                                            a8e72c0e27750ce36da3110126c38afe

                                            SHA1

                                            e96bc3555f8ed8e715af94d492965b4e6597563c

                                            SHA256

                                            a4f7e5adde35c1979fbf2cc44b37e2907ec963468443e34262b207dd3dab81b8

                                            SHA512

                                            e43e2c6abb6006c783331cb8b0e290560bb65f7cfd0e113bbddb31a6978aee31fb39a2b22b38ef83f27d512152329d066bc270e640e8900b2746a2a4e0b4dd48

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\9ZUKzs1xos.bat
                                            Filesize

                                            164B

                                            MD5

                                            a1625357a4eef774bd61712644efde87

                                            SHA1

                                            a02af250373fa963041bc20e7326dbb877c59b06

                                            SHA256

                                            5c4a6c8a12722ed9e1bd64a4ab8c1b295048bcdb4c4b2175596fa0969d826d09

                                            SHA512

                                            dc3e953c5484eebe5c12ee7ae98b60ad6c256c6123e5f9a31f45d034855b45afb17d31933771abd304d16c12ced9770a158cca33b0efe4b4127b5cc8997bc44f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzb4uuiu.vgq.ps1
                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\scoped_dir5488_72457082\11d88f8b-ee05-47fd-a601-08f0e57fb7e8.tmp
                                            Filesize

                                            150KB

                                            MD5

                                            14937b985303ecce4196154a24fc369a

                                            SHA1

                                            ecfe89e11a8d08ce0c8745ff5735d5edad683730

                                            SHA256

                                            71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

                                            SHA512

                                            1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\scoped_dir5488_72457082\CRX_INSTALL\_locales\en\messages.json
                                            Filesize

                                            711B

                                            MD5

                                            558659936250e03cc14b60ebf648aa09

                                            SHA1

                                            32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                            SHA256

                                            2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                            SHA512

                                            1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                            Download Submit

                                          • C:\Users\Admin\Desktop\DcRat\DСRat.exe
                                            Filesize

                                            2.1MB

                                            MD5

                                            64fe78220e3402b8f9cc9cdc9eadc0b9

                                            SHA1

                                            661d9b0eefe090ef86f7962e312206947a2d3864

                                            SHA256

                                            64f3afb77c169d547dea0fbde90161e20db66e4c62a595ce1bbd760eee5ff809

                                            SHA512

                                            d370014de6581edfcd437d6ba4227dea3b5f813cadcae99304f3e6a9600e27623674c0ac0966c69ce335c364209082dcca12ea5cd647e69c6504a5e493e44004

                                            Download Submit

                                          • C:\Users\Admin\Desktop\install.php
                                            Filesize

                                            27KB

                                            MD5

                                            ac1fdf116c19452d2bd39208fdb76e49

                                            SHA1

                                            ff11c6d70c6bea384ff8f3dd814a30da67cf8e4e

                                            SHA256

                                            25bd4290bcc401314c27b5868262ef52c5ee9ac7710eb489ead797fab7d67948

                                            SHA512

                                            076194424cf44c188e1f9a53ef1747bfce77b1b72fdf9131e71464be0a9672d1fbee75595680e0009a4046b3e01dfc9b0cd07e5de72c92a1f760efa2b1c80870

                                            Download Submit

                                          • memory/456-464-0x000002033CA70000-0x000002033CBDA000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/956-454-0x000001E5D9730000-0x000001E5D989A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/1620-466-0x0000026577770000-0x00000265778DA000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/1632-424-0x000002BBC4390000-0x000002BBC44FA000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/1684-468-0x0000021B7F860000-0x0000021B7F9CA000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/1924-435-0x0000015351CF0000-0x0000015351E5A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/2016-443-0x000002D0E21D0000-0x000002D0E233A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/2124-423-0x0000015EEB650000-0x0000015EEB7BA000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/2448-247-0x0000025F28A90000-0x0000025F28AB2000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/2448-422-0x0000025F28C10000-0x0000025F28D7A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/2868-218-0x0000000002A80000-0x0000000002A8C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/2868-216-0x0000000002A70000-0x0000000002A7C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/2868-214-0x0000000002A20000-0x0000000002A2E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/2868-220-0x0000000002A90000-0x0000000002AA0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/2868-222-0x0000000002BB0000-0x0000000002BBC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/2868-241-0x000000001B700000-0x000000001B74E000-memory.dmp

                                            Filesize

                                            312KB

                                            Download

                                          • memory/2868-212-0x0000000000790000-0x0000000000958000-memory.dmp

                                            Filesize

                                            1.8MB

                                            Download

                                          • memory/3080-469-0x000001D7A72A0000-0x000001D7A740A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/3360-432-0x00000219C52C0000-0x00000219C542A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/3432-431-0x00000178B52F0000-0x00000178B545A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/4008-451-0x00000221C0D00000-0x00000221C0E6A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/4028-436-0x00000258E3930000-0x00000258E3A9A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/4040-459-0x000001F555C00000-0x000001F555D6A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/4232-444-0x0000021EAA930000-0x0000021EAAA9A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/4736-467-0x000001A7B4320000-0x000001A7B448A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/5044-465-0x000001D5EF5F0000-0x000001D5EF75A000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/5780-912-0x000000001C590000-0x000000001C5DE000-memory.dmp

                                            Filesize

                                            312KB

                                            Download