dcrat | 35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d735d6b2f34e9a7cd2604d3036ac8486.exe
Size

1.6MB
MD5

d735d6b2f34e9a7cd2604d3036ac8486
SHA1

a9573454a2ad6414594b5b0f8d69e2e82bae35d6
SHA256

c5fa332ed4a6180d87d8b8f63d024a740117ebc2dcacb4e314483013f68fe488
SHA512

d29023f2d896eb06e2e740423396a9fe17d91bd30f7ee2e8f3374cf73d947e8c761c1c48071ade640db2a597c8c17542b94950f57a05cc84bcf47147013eb9a1
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2848	schtasks.exe	31

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2756-1-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral29/files/0x000500000001960c-25.dat	dcrat
behavioral29/files/0x000b0000000122ce-53.dat	dcrat
behavioral29/files/0x000a0000000194f3-99.dat	dcrat
behavioral29/memory/2132-139-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral29/memory/2384-157-0x0000000000880000-0x0000000000A22000-memory.dmp	dcrat
behavioral29/memory/1736-169-0x0000000000C00000-0x0000000000DA2000-memory.dmp	dcrat
behavioral29/memory/1592-192-0x00000000001E0000-0x0000000000382000-memory.dmp	dcrat
behavioral29/memory/1848-204-0x00000000003F0000-0x0000000000592000-memory.dmp	dcrat
behavioral29/memory/1252-216-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat
behavioral29/memory/2436-228-0x0000000000050000-0x00000000001F2000-memory.dmp	dcrat
behavioral29/memory/2424-240-0x0000000000AF0000-0x0000000000C92000-memory.dmp	dcrat
behavioral29/memory/1832-263-0x0000000000CD0000-0x0000000000E72000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2404	powershell.exe
2448	powershell.exe
1936	powershell.exe
1864	powershell.exe
560	powershell.exe
956	powershell.exe
1952	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2132	spoolsv.exe
2384	spoolsv.exe
1736	spoolsv.exe
792	spoolsv.exe
1592	spoolsv.exe
1848	spoolsv.exe
1252	spoolsv.exe
2436	spoolsv.exe
2424	spoolsv.exe
2396	spoolsv.exe
1832	spoolsv.exe
2656	spoolsv.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\886983d96e3d3e	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXF9FB.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXFC6C.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXFCDB.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXF9FA.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\cc11b995f2a76d	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Windows\Migration\WTR\RCX55A.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Windows\Migration\WTR\RCX5C8.tmp	d735d6b2f34e9a7cd2604d3036ac8486.exe
File opened for modification	C:\Windows\Migration\WTR\winlogon.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Windows\rescache\rc0005\WMIADAP.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe
File created	C:\Windows\Migration\WTR\winlogon.exe	d735d6b2f34e9a7cd2604d3036ac8486.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
1928	schtasks.exe
2384	schtasks.exe
1708	schtasks.exe
2596	schtasks.exe
2896	schtasks.exe
2776	schtasks.exe
3040	schtasks.exe
2548	schtasks.exe
1472	schtasks.exe
2996	schtasks.exe
760	schtasks.exe
2772	schtasks.exe
712	schtasks.exe
1216	schtasks.exe
1876	schtasks.exe
2052	schtasks.exe
684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2756	d735d6b2f34e9a7cd2604d3036ac8486.exe
2448	powershell.exe
2404	powershell.exe
560	powershell.exe
1864	powershell.exe
956	powershell.exe
1952	powershell.exe
1936	powershell.exe
2132	spoolsv.exe
2384	spoolsv.exe
1736	spoolsv.exe
792	spoolsv.exe
1592	spoolsv.exe
1848	spoolsv.exe
1252	spoolsv.exe
2436	spoolsv.exe
2424	spoolsv.exe
2396	spoolsv.exe
1832	spoolsv.exe
2656	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2132	spoolsv.exe
Token: SeDebugPrivilege	2384	spoolsv.exe
Token: SeDebugPrivilege	1736	spoolsv.exe
Token: SeDebugPrivilege	792	spoolsv.exe
Token: SeDebugPrivilege	1592	spoolsv.exe
Token: SeDebugPrivilege	1848	spoolsv.exe
Token: SeDebugPrivilege	1252	spoolsv.exe
Token: SeDebugPrivilege	2436	spoolsv.exe
Token: SeDebugPrivilege	2424	spoolsv.exe
Token: SeDebugPrivilege	2396	spoolsv.exe
Token: SeDebugPrivilege	1832	spoolsv.exe
Token: SeDebugPrivilege	2656	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2404	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	50
PID 2756 wrote to memory of 2404	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	50
PID 2756 wrote to memory of 2404	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	50
PID 2756 wrote to memory of 1952	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	51
PID 2756 wrote to memory of 1952	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	51
PID 2756 wrote to memory of 1952	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	51
PID 2756 wrote to memory of 956	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	52
PID 2756 wrote to memory of 956	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	52
PID 2756 wrote to memory of 956	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	52
PID 2756 wrote to memory of 560	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	56
PID 2756 wrote to memory of 560	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	56
PID 2756 wrote to memory of 560	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	56
PID 2756 wrote to memory of 1864	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	57
PID 2756 wrote to memory of 1864	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	57
PID 2756 wrote to memory of 1864	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	57
PID 2756 wrote to memory of 1936	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	58
PID 2756 wrote to memory of 1936	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	58
PID 2756 wrote to memory of 1936	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	58
PID 2756 wrote to memory of 2448	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	59
PID 2756 wrote to memory of 2448	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	59
PID 2756 wrote to memory of 2448	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	59
PID 2756 wrote to memory of 2132	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	64
PID 2756 wrote to memory of 2132	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	64
PID 2756 wrote to memory of 2132	2756	d735d6b2f34e9a7cd2604d3036ac8486.exe	64
PID 2132 wrote to memory of 2416	2132	spoolsv.exe	65
PID 2132 wrote to memory of 2416	2132	spoolsv.exe	65
PID 2132 wrote to memory of 2416	2132	spoolsv.exe	65
PID 2132 wrote to memory of 2008	2132	spoolsv.exe	66
PID 2132 wrote to memory of 2008	2132	spoolsv.exe	66
PID 2132 wrote to memory of 2008	2132	spoolsv.exe	66
PID 2416 wrote to memory of 2384	2416	WScript.exe	67
PID 2416 wrote to memory of 2384	2416	WScript.exe	67
PID 2416 wrote to memory of 2384	2416	WScript.exe	67
PID 2384 wrote to memory of 1572	2384	spoolsv.exe	68
PID 2384 wrote to memory of 1572	2384	spoolsv.exe	68
PID 2384 wrote to memory of 1572	2384	spoolsv.exe	68
PID 2384 wrote to memory of 2844	2384	spoolsv.exe	69
PID 2384 wrote to memory of 2844	2384	spoolsv.exe	69
PID 2384 wrote to memory of 2844	2384	spoolsv.exe	69
PID 1572 wrote to memory of 1736	1572	WScript.exe	70
PID 1572 wrote to memory of 1736	1572	WScript.exe	70
PID 1572 wrote to memory of 1736	1572	WScript.exe	70
PID 1736 wrote to memory of 1424	1736	spoolsv.exe	71
PID 1736 wrote to memory of 1424	1736	spoolsv.exe	71
PID 1736 wrote to memory of 1424	1736	spoolsv.exe	71
PID 1736 wrote to memory of 1164	1736	spoolsv.exe	72
PID 1736 wrote to memory of 1164	1736	spoolsv.exe	72
PID 1736 wrote to memory of 1164	1736	spoolsv.exe	72
PID 1424 wrote to memory of 792	1424	WScript.exe	73
PID 1424 wrote to memory of 792	1424	WScript.exe	73
PID 1424 wrote to memory of 792	1424	WScript.exe	73
PID 792 wrote to memory of 588	792	spoolsv.exe	74
PID 792 wrote to memory of 588	792	spoolsv.exe	74
PID 792 wrote to memory of 588	792	spoolsv.exe	74
PID 792 wrote to memory of 3016	792	spoolsv.exe	75
PID 792 wrote to memory of 3016	792	spoolsv.exe	75
PID 792 wrote to memory of 3016	792	spoolsv.exe	75
PID 588 wrote to memory of 1592	588	WScript.exe	76
PID 588 wrote to memory of 1592	588	WScript.exe	76
PID 588 wrote to memory of 1592	588	WScript.exe	76
PID 1592 wrote to memory of 2568	1592	spoolsv.exe	77
PID 1592 wrote to memory of 2568	1592	spoolsv.exe	77
PID 1592 wrote to memory of 2568	1592	spoolsv.exe	77
PID 1592 wrote to memory of 1716	1592	spoolsv.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe
"C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d735d6b2f34e9a7cd2604d3036ac8486.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Default\Desktop\spoolsv.exe
  "C:\Users\Default\Desktop\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da8355d3-b2cc-42b3-99b3-e91ed9b7a874.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Default\Desktop\spoolsv.exe
      C:\Users\Default\Desktop\spoolsv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c15c9088-e246-4e15-94d2-80e46afe0cd3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8708b374-4cf8-4145-bf5f-07d5ad6cebc5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\247e4999-5cae-4dbc-851e-ea3846ebdb3a.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5429fbb7-0e63-43b8-8f48-2b4619b2f4de.vbs"
        11⤵
        
        PID:2568
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eef11ec9-1d0c-4c21-b79a-95bff20aeacf.vbs"
        13⤵
        
        PID:1968
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe179551-9a4f-442a-809b-d3710536f723.vbs"
        15⤵
        
        PID:2176
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70742df9-1981-4747-ad3b-4a6f92e12c73.vbs"
        17⤵
        
        PID:2812
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77194fb6-7d47-4f04-8f73-7b21afbd8e80.vbs"
        19⤵
        
        PID:2452
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de9a061e-6397-4066-a4ca-59212221a275.vbs"
        21⤵
        
        PID:2600
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e570a24-56cd-41c6-a214-e5e7e4614dd0.vbs"
        23⤵
        
        PID:444
        
        C:\Users\Default\Desktop\spoolsv.exe
        
        C:\Users\Default\Desktop\spoolsv.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dee5dc1-021d-4463-9271-e00495b2d801.vbs"
        25⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66ecafc6-ccc8-4c9d-b030-5aa4936bd167.vbs"
        25⤵
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b0d5442-539c-4c5f-89a8-a3d7729c3700.vbs"
        23⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44303288-b3d7-4066-b5bd-f6f75c72e79f.vbs"
        21⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\243abe46-cfa2-4232-9702-04fae71d0c69.vbs"
        19⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d201d41c-cb50-4b40-b0f5-dde0c77bcd21.vbs"
        17⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f60c3f18-39b4-4292-aca2-7224863ba15f.vbs"
        15⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2845bbda-3336-4138-a94c-5ccb0d6575a5.vbs"
        13⤵
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252dc6e8-0166-4ee6-a8a4-031b5edf637a.vbs"
        11⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72775f7a-9469-4f04-971e-355f118fd4b3.vbs"
        9⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f9da8dd-62e0-4963-adf1-87b47acded44.vbs"
        7⤵
        
        PID:1164
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53d80006-1afa-4e3d-b197-8753bac00be8.vbs"
        5⤵
        
        PID:2844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c499e8-1205-4329-bcf4-7e6789d4450c.vbs"
    3⤵
    PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\fr-FR\csrss.exe

Filesize
1.6MB

MD5
c9b7d8bf1d25cd0a67d29e410f12dcdc

SHA1
236cae5a236c286ceba019b3a95fbd6a884db210

SHA256
7754c78d89cfb88ae402db39d5ab4a1589c2d3371af946423e11d02c678fafd1

SHA512
51566ca69496cf36877400eb69aca012d6f0838af6d72163eb02688daabe310c020ebd7c1bbc703602281fe3b7c957d5c60905b480e1b7f2c926a96b070eac11

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe

Filesize
1.6MB

MD5
d735d6b2f34e9a7cd2604d3036ac8486

SHA1
a9573454a2ad6414594b5b0f8d69e2e82bae35d6

SHA256
c5fa332ed4a6180d87d8b8f63d024a740117ebc2dcacb4e314483013f68fe488

SHA512
d29023f2d896eb06e2e740423396a9fe17d91bd30f7ee2e8f3374cf73d947e8c761c1c48071ade640db2a597c8c17542b94950f57a05cc84bcf47147013eb9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\247e4999-5cae-4dbc-851e-ea3846ebdb3a.vbs

Filesize
711B

MD5
4da29c191a4508ea59fe5c6ab691ca40

SHA1
27f8edfde76411fb0221751eb1cc17d5f2054636

SHA256
db94a734891089ef6f8e01c74f90f54b586f55338081ca11b9b95b3b5d77e148

SHA512
d6b479177816babbb862646be09a841ba56aee199f60a5ce788945b5ff5519e4d6ca99ba9326bb018a5389339849bdfb7e46b0a2b91d141fbdcea670ad4508e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\52c499e8-1205-4329-bcf4-7e6789d4450c.vbs

Filesize
488B

MD5
e37253110561824e5c402461ac383c8c

SHA1
1ddddcdd279df5be12ff24ecf5f83cbda6857efe

SHA256
3cfc3d273c6344f72f5f855672e8fb36c63781c0a4e88f29aa7bf58c00994e54

SHA512
3219f0e729473a1ef5679b7d840e27cb832de1910c708611458cafa551333886b7648aedbd8c5a61bf79448728566eb54bf3ebc3eac1f12c1d21be3164ce60ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\5429fbb7-0e63-43b8-8f48-2b4619b2f4de.vbs

Filesize
712B

MD5
b04469fa6fc10c877899152a1375ea7e

SHA1
322c05cf2811f7e7d379cd362954a19b0002c5da

SHA256
dc26c34372e40fe80910b2bc8ca0ff9c8f3712398cbd3232b01407db83c38c6c

SHA512
891b0bf8a6ba47a5eff4a2f8b17af273815abdf1f59b243d287bd13dff4bf275b913f5a27665f7661bcc37f584855b26615114b57055b315615f6cb0f70242e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e570a24-56cd-41c6-a214-e5e7e4614dd0.vbs

Filesize
712B

MD5
8ff70f29b44f5b6c6433d5b701da9e76

SHA1
5c0beca86a3acad5538f56123160f32495280eae

SHA256
d32310f493ef130c8b99772da74b0e4379c9f50f1aa08838a71c936a96249c50

SHA512
1ec9abf12da8030bd86fd695dcea1a45f620e35af6a87956d36abb6c1a40ad266092ccf232ca2ba9bf08842d45b9fee3559e03e2d8bd2c9c5603ee39e8e19c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\70742df9-1981-4747-ad3b-4a6f92e12c73.vbs

Filesize
712B

MD5
119528db974d3573537e4013a890fb0e

SHA1
8643a32f3564a5ccba770168cfc32016db294ed5

SHA256
9d726105a3ea78a8c238ddbefaabdd00d9bea395a6cea8545401be83cc182b58

SHA512
e968daea8f86aac4869e49b8f58b11a2283339dbf543ab1b62d01cfca60e7c3546d114fd18f6ec9eb6bdd2c650bb81b9e5d7aa752f23503eed0286d45dc89c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\77194fb6-7d47-4f04-8f73-7b21afbd8e80.vbs

Filesize
712B

MD5
58c666d89f6db6a123447ab3a58cccfe

SHA1
be0ddf97418c72d086dd9c213cf21c4d92e9fc3b

SHA256
184ace4fcfbafc19842f3edde816c248bf756e75a99bd6646cc74a66869522f4

SHA512
be7985bbc32fab86faf91fabba3db566fd3ecb1686421e716827d34e4e9b4c1b8800981eece8f5a1b971e59b5654fae0594858bd5d4fe387d8a449deef466dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8708b374-4cf8-4145-bf5f-07d5ad6cebc5.vbs

Filesize
712B

MD5
8becd9ec23cc16f8451aec3d6ae139da

SHA1
410e7583f45b8ce5f6c7165ef7c7bde4c9c9c970

SHA256
8a4563110ad4ed4fdd24f119a7cf3bb6ff1d526848c32aa2312de233a2156a5a

SHA512
6fb7ca6558a25866dd1bc71716c3be97a4953dfc11cb1bfe538c6d02efdd9023a31ef40f53ed4152610a232f2eab2fbe7de1938be66e06b0ee47a0689636ad97

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dee5dc1-021d-4463-9271-e00495b2d801.vbs

Filesize
712B

MD5
888b199ce24f48f6216c8c4d9a02962e

SHA1
6b60f8405b3985484b280864f916d933496d4e9e

SHA256
a0f76328e40cc23500beb040ee589d057af48fba718cd347f857c67811077d50

SHA512
8636b4dd069d6485db1d4a74c8cd6256abcf61c9d673057367781a4c06f811481ccda206f153b8ad3f5f1206156f5870277f9e008c4e943bb496b8b17e8b3aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c15c9088-e246-4e15-94d2-80e46afe0cd3.vbs

Filesize
712B

MD5
686c855e2c7029352d8c588e8cdbe31e

SHA1
f950642096f88dfbce3f69bf64f95f3b3d8cd524

SHA256
725473a2e2dce76debbdc19883eca17daf50be9207e835127925b2c94e1e6f55

SHA512
998b88f718406c57ac6c4622c8456f2bab1059ce08acc1542a97b2a99a827777dfcf00b9f11779d5cd0ae800d90737c786e8fc1d528128a398f81cc1a641e741

Download Submit
C:\Users\Admin\AppData\Local\Temp\da8355d3-b2cc-42b3-99b3-e91ed9b7a874.vbs

Filesize
712B

MD5
d8820065bd888bb78110672b1f0694dc

SHA1
9efd005a45800dc708b58303497fbb4fb7f6754e

SHA256
7a01c399804013177938f8faf0e07043e445760655912c7071b58c9a344ae36e

SHA512
0b37a5f8a7ee0dc3e3a2bf85bdd2712cb74daf77270d3b8c7fcc7f21376b2e657535a6b89af154fdf28741527a03b4544f3687722c7a1e51ce981437adca49b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de9a061e-6397-4066-a4ca-59212221a275.vbs

Filesize
712B

MD5
221d9590f34bf09935d33bf5aae34350

SHA1
85c22aafa7774dc8972e6dd6e7a6d14f8058561b

SHA256
164752c45351e2725e6801a2d9ab5634293053ba8c7da667cd09aa5588a95a79

SHA512
200df8ec928cb8808adf90eca5965955389b54c81b3d366de1f33e9347025c532d8e5d50cd05f368675519e576d33a8fb23ce2ee7d7295e22920f88b6db8cae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eef11ec9-1d0c-4c21-b79a-95bff20aeacf.vbs

Filesize
712B

MD5
47778f42cbbd94576a4616ee2104bbd3

SHA1
b97bed860ccb86d274d056c328acdb31ffcac908

SHA256
4b18dee172eaea075a542e20627f23fa7e93d0254b49b81563519bcc4aea2378

SHA512
d0829f85d713b2c33cd943e489f3f37adf2f56f84930137a12d8820327e51e174e0e5f8110457e2e76f7c50abefe10ff01d55c3460dfe3492b2fb4331a462742

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe179551-9a4f-442a-809b-d3710536f723.vbs

Filesize
712B

MD5
a2a71425aef547a92c9a5e00d1db7f0c

SHA1
0ab33440bfc49db401fbf23768913ad9deed87db

SHA256
c39c33d892ec80e2a734e4e72c5544e63521eddf7035876aca76afc9bab7c4dd

SHA512
9a270eb3476aed4dcd7718804648069406a953915ac9514cfc5bb3ecc72c7267a78625a901d1315125158f901679a706e3c64488889101cdca3d54d7e2662a62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
101565fd50b746a229427ced1fa7516c

SHA1
d6a7ea4b6c6109cf61d1228beecdf02df29fb333

SHA256
82e641707cd81ba50510ce223cff68c23e29b5154c14baf3670aa52555f33a1a

SHA512
5dbcf438db1d4c0af547f122e4fbcff1ab542afaf22cda841971cd060978ae10bed26411b10a13eb6650e4935f1a994a89f336555707925a817c8b98b41b8c8f

Download Submit
C:\Windows\Migration\WTR\winlogon.exe

Filesize
1.6MB

MD5
53fb2f031c9e6ce843115450eab6c103

SHA1
e417afa0e20b4805e6d0d974dd7da01153f57da0

SHA256
20274d7750e10ec575ae9b85fbfae2f36d50446201ef94fbb3b89a1ec3b783da

SHA512
399458050d86bec308a51e4eed0d597202b3dc80178145dd66ae524691b901665de685690ef4d6f0e3e434da8b270193a6ed6ac2744078412a853baf722b9e45

Download Submit
memory/1252-216-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/1592-192-0x00000000001E0000-0x0000000000382000-memory.dmp

Filesize
1.6MB

Download
memory/1736-169-0x0000000000C00000-0x0000000000DA2000-memory.dmp

Filesize
1.6MB

Download
memory/1832-263-0x0000000000CD0000-0x0000000000E72000-memory.dmp

Filesize
1.6MB

Download
memory/1848-204-0x00000000003F0000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2132-139-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download
memory/2384-157-0x0000000000880000-0x0000000000A22000-memory.dmp

Filesize
1.6MB

Download
memory/2424-240-0x0000000000AF0000-0x0000000000C92000-memory.dmp

Filesize
1.6MB

Download
memory/2436-228-0x0000000000050000-0x00000000001F2000-memory.dmp

Filesize
1.6MB

Download
memory/2448-145-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2448-118-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-15-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/2756-8-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2756-11-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2756-12-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2756-13-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2756-14-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2756-16-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2756-146-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2756-10-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2756-9-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2756-7-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2756-5-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2756-6-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2756-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2756-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2756-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-1-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download