dcrat | 249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

Analysis

max time kernel
149s
max time network
159s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de85b03bebfb919df53912cb0ca84af7.exe
Size

1.6MB
MD5

de85b03bebfb919df53912cb0ca84af7
SHA1

336bd7b1faf7e3cddb45c071ff5f5d6d64f94fb9
SHA256

5c7f27a1cc7422a66ac2e509f12015bff8fe6db6c09bbd293944fd5b736270da
SHA512

ed2c9fbc59c21d07d1894b189569b8539a4a05e94df4a9af1608a4580c90247b011792334a9b08040eefd71d7130ae76019e0ef55a85c56dde12642dcc1564ef
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2852	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2748-1-0x0000000000B00000-0x0000000000CA2000-memory.dmp	dcrat
behavioral11/files/0x000500000001a457-25.dat	dcrat
behavioral11/files/0x000500000001a49a-68.dat	dcrat
behavioral11/files/0x000600000001a457-102.dat	dcrat
behavioral11/memory/2688-165-0x0000000001370000-0x0000000001512000-memory.dmp	dcrat
behavioral11/memory/1560-199-0x00000000002C0000-0x0000000000462000-memory.dmp	dcrat
behavioral11/memory/3056-211-0x00000000011E0000-0x0000000001382000-memory.dmp	dcrat
behavioral11/memory/360-234-0x0000000001270000-0x0000000001412000-memory.dmp	dcrat
behavioral11/memory/1476-257-0x00000000000C0000-0x0000000000262000-memory.dmp	dcrat
behavioral11/memory/2600-269-0x0000000000A30000-0x0000000000BD2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1492	powershell.exe
2460	powershell.exe
1036	powershell.exe
1684	powershell.exe
1736	powershell.exe
1656	powershell.exe
2308	powershell.exe
1972	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2688	winlogon.exe
2928	winlogon.exe
2552	winlogon.exe
1560	winlogon.exe
3056	winlogon.exe
2096	winlogon.exe
360	winlogon.exe
2708	winlogon.exe
1476	winlogon.exe
2600	winlogon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\6cb0b6c459d5d3	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Program Files\Internet Explorer\fr-FR\dllhost.exe	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7C17.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7C27.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\dwm.exe	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX7E2B.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Program Files (x86)\Windows NT\dwm.exe	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Program Files\Internet Explorer\fr-FR\5940a34987c991	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX7E99.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\dllhost.exe	de85b03bebfb919df53912cb0ca84af7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ehome\es-ES\dwm.exe	de85b03bebfb919df53912cb0ca84af7.exe
File created	C:\Windows\ehome\es-ES\6cb0b6c459d5d3	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\ehome\es-ES\RCX82C1.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\ehome\es-ES\RCX82D2.tmp	de85b03bebfb919df53912cb0ca84af7.exe
File opened for modification	C:\Windows\ehome\es-ES\dwm.exe	de85b03bebfb919df53912cb0ca84af7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
520	schtasks.exe
2588	schtasks.exe
684	schtasks.exe
2624	schtasks.exe
1936	schtasks.exe
2304	schtasks.exe
2004	schtasks.exe
2956	schtasks.exe
2944	schtasks.exe
2008	schtasks.exe
2888	schtasks.exe
924	schtasks.exe
2600	schtasks.exe
2940	schtasks.exe
1240	schtasks.exe
568	schtasks.exe
852	schtasks.exe
1632	schtasks.exe
2640	schtasks.exe
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2748	de85b03bebfb919df53912cb0ca84af7.exe
2748	de85b03bebfb919df53912cb0ca84af7.exe
2748	de85b03bebfb919df53912cb0ca84af7.exe
1036	powershell.exe
1972	powershell.exe
2460	powershell.exe
1684	powershell.exe
1656	powershell.exe
1492	powershell.exe
2308	powershell.exe
1736	powershell.exe
2688	winlogon.exe
2928	winlogon.exe
2552	winlogon.exe
1560	winlogon.exe
3056	winlogon.exe
2096	winlogon.exe
360	winlogon.exe
2708	winlogon.exe
1476	winlogon.exe
2600	winlogon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	de85b03bebfb919df53912cb0ca84af7.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2688	winlogon.exe
Token: SeDebugPrivilege	2928	winlogon.exe
Token: SeDebugPrivilege	2552	winlogon.exe
Token: SeDebugPrivilege	1560	winlogon.exe
Token: SeDebugPrivilege	3056	winlogon.exe
Token: SeDebugPrivilege	2096	winlogon.exe
Token: SeDebugPrivilege	360	winlogon.exe
Token: SeDebugPrivilege	2708	winlogon.exe
Token: SeDebugPrivilege	1476	winlogon.exe
Token: SeDebugPrivilege	2600	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2460	2748	de85b03bebfb919df53912cb0ca84af7.exe	52
PID 2748 wrote to memory of 2460	2748	de85b03bebfb919df53912cb0ca84af7.exe	52
PID 2748 wrote to memory of 2460	2748	de85b03bebfb919df53912cb0ca84af7.exe	52
PID 2748 wrote to memory of 1036	2748	de85b03bebfb919df53912cb0ca84af7.exe	53
PID 2748 wrote to memory of 1036	2748	de85b03bebfb919df53912cb0ca84af7.exe	53
PID 2748 wrote to memory of 1036	2748	de85b03bebfb919df53912cb0ca84af7.exe	53
PID 2748 wrote to memory of 1492	2748	de85b03bebfb919df53912cb0ca84af7.exe	55
PID 2748 wrote to memory of 1492	2748	de85b03bebfb919df53912cb0ca84af7.exe	55
PID 2748 wrote to memory of 1492	2748	de85b03bebfb919df53912cb0ca84af7.exe	55
PID 2748 wrote to memory of 1972	2748	de85b03bebfb919df53912cb0ca84af7.exe	56
PID 2748 wrote to memory of 1972	2748	de85b03bebfb919df53912cb0ca84af7.exe	56
PID 2748 wrote to memory of 1972	2748	de85b03bebfb919df53912cb0ca84af7.exe	56
PID 2748 wrote to memory of 2308	2748	de85b03bebfb919df53912cb0ca84af7.exe	57
PID 2748 wrote to memory of 2308	2748	de85b03bebfb919df53912cb0ca84af7.exe	57
PID 2748 wrote to memory of 2308	2748	de85b03bebfb919df53912cb0ca84af7.exe	57
PID 2748 wrote to memory of 1656	2748	de85b03bebfb919df53912cb0ca84af7.exe	59
PID 2748 wrote to memory of 1656	2748	de85b03bebfb919df53912cb0ca84af7.exe	59
PID 2748 wrote to memory of 1656	2748	de85b03bebfb919df53912cb0ca84af7.exe	59
PID 2748 wrote to memory of 1736	2748	de85b03bebfb919df53912cb0ca84af7.exe	61
PID 2748 wrote to memory of 1736	2748	de85b03bebfb919df53912cb0ca84af7.exe	61
PID 2748 wrote to memory of 1736	2748	de85b03bebfb919df53912cb0ca84af7.exe	61
PID 2748 wrote to memory of 1684	2748	de85b03bebfb919df53912cb0ca84af7.exe	63
PID 2748 wrote to memory of 1684	2748	de85b03bebfb919df53912cb0ca84af7.exe	63
PID 2748 wrote to memory of 1684	2748	de85b03bebfb919df53912cb0ca84af7.exe	63
PID 2748 wrote to memory of 2688	2748	de85b03bebfb919df53912cb0ca84af7.exe	68
PID 2748 wrote to memory of 2688	2748	de85b03bebfb919df53912cb0ca84af7.exe	68
PID 2748 wrote to memory of 2688	2748	de85b03bebfb919df53912cb0ca84af7.exe	68
PID 2688 wrote to memory of 2004	2688	winlogon.exe	69
PID 2688 wrote to memory of 2004	2688	winlogon.exe	69
PID 2688 wrote to memory of 2004	2688	winlogon.exe	69
PID 2688 wrote to memory of 2412	2688	winlogon.exe	70
PID 2688 wrote to memory of 2412	2688	winlogon.exe	70
PID 2688 wrote to memory of 2412	2688	winlogon.exe	70
PID 2004 wrote to memory of 2928	2004	WScript.exe	71
PID 2004 wrote to memory of 2928	2004	WScript.exe	71
PID 2004 wrote to memory of 2928	2004	WScript.exe	71
PID 2928 wrote to memory of 1668	2928	winlogon.exe	72
PID 2928 wrote to memory of 1668	2928	winlogon.exe	72
PID 2928 wrote to memory of 1668	2928	winlogon.exe	72
PID 2928 wrote to memory of 904	2928	winlogon.exe	73
PID 2928 wrote to memory of 904	2928	winlogon.exe	73
PID 2928 wrote to memory of 904	2928	winlogon.exe	73
PID 1668 wrote to memory of 2552	1668	WScript.exe	74
PID 1668 wrote to memory of 2552	1668	WScript.exe	74
PID 1668 wrote to memory of 2552	1668	WScript.exe	74
PID 2552 wrote to memory of 756	2552	winlogon.exe	75
PID 2552 wrote to memory of 756	2552	winlogon.exe	75
PID 2552 wrote to memory of 756	2552	winlogon.exe	75
PID 2552 wrote to memory of 3020	2552	winlogon.exe	76
PID 2552 wrote to memory of 3020	2552	winlogon.exe	76
PID 2552 wrote to memory of 3020	2552	winlogon.exe	76
PID 756 wrote to memory of 1560	756	WScript.exe	77
PID 756 wrote to memory of 1560	756	WScript.exe	77
PID 756 wrote to memory of 1560	756	WScript.exe	77
PID 1560 wrote to memory of 2648	1560	winlogon.exe	78
PID 1560 wrote to memory of 2648	1560	winlogon.exe	78
PID 1560 wrote to memory of 2648	1560	winlogon.exe	78
PID 1560 wrote to memory of 2532	1560	winlogon.exe	79
PID 1560 wrote to memory of 2532	1560	winlogon.exe	79
PID 1560 wrote to memory of 2532	1560	winlogon.exe	79
PID 2648 wrote to memory of 3056	2648	WScript.exe	80
PID 2648 wrote to memory of 3056	2648	WScript.exe	80
PID 2648 wrote to memory of 3056	2648	WScript.exe	80
PID 3056 wrote to memory of 2112	3056	winlogon.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe
"C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\de85b03bebfb919df53912cb0ca84af7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\es-ES\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\de85b03bebfb919df53912cb0ca84af7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3df472d5-21ee-44e2-8238-62c77ce8227c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
      C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bd760fe-1284-40bc-a4c4-fddabe93bc5f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\969dec55-9bfa-4de8-836b-be14f2ba7514.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56f9dfd-da6e-4056-a13e-16c830eb08d3.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\861bb258-661e-4459-8609-a4dc0b9366df.vbs"
        11⤵
        
        PID:2112
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdda7b56-5147-49fd-930b-f5fe3ce61152.vbs"
        13⤵
        
        PID:760
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\857e7e9f-2815-4dd3-b588-f6fe7934022b.vbs"
        15⤵
        
        PID:2832
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5d9c6b-6350-441a-a096-b1c569dc5c62.vbs"
        17⤵
        
        PID:1148
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdea593-0e5d-413b-b2b4-a155ced9420f.vbs"
        19⤵
        
        PID:2148
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d5e7cf-7379-485d-b779-5b7ef5c57249.vbs"
        21⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185ce5d2-f949-4f2c-8721-e91014669f0d.vbs"
        21⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0328da7-9234-46be-8b98-7f0deb591362.vbs"
        19⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76b07fe-9de6-4a4d-8728-71af5fde4f60.vbs"
        17⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd29ba5-958d-42ad-b896-e3c480541371.vbs"
        15⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e619b70-6e32-4818-b3cc-792a946fccc8.vbs"
        13⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fca86d4-586e-46d9-9358-bd0ff9a2a02f.vbs"
        11⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d06bae7e-44da-482d-9755-c61931d0a268.vbs"
        9⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6596a16-0b09-4fb1-b9d3-b251e881b1f3.vbs"
        7⤵
        
        PID:3020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae6bb4b1-bc6c-4739-a149-7255e1f8e783.vbs"
        5⤵
        
        PID:904
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdfcabd9-819a-44c6-ac2c-96d988f73da7.vbs"
    3⤵
    PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de85b03bebfb919df53912cb0ca84af7d" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\de85b03bebfb919df53912cb0ca84af7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de85b03bebfb919df53912cb0ca84af7" /sc ONLOGON /tr "'C:\MSOCache\All Users\de85b03bebfb919df53912cb0ca84af7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de85b03bebfb919df53912cb0ca84af7d" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\de85b03bebfb919df53912cb0ca84af7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\de85b03bebfb919df53912cb0ca84af7.exe

Filesize
1.6MB

MD5
8ffb5deb45165b1e87f5edb87a2c5f0e

SHA1
0696d6d263d52d6dbef8164ac4cb791310df659e

SHA256
aee9be0b7307d6981f1b3c1227f024d75f747080cd974bae0217323b485c5951

SHA512
f1bdd6ea34e77c72a93b07984808ceb3f85fc071774ae8f80f6555e3da4ac38abe8a0360a7d50a4debbb774f3180218f48a35a9f130961ba11af1a2f0eeda255

Download Submit
C:\Program Files\Internet Explorer\fr-FR\dllhost.exe

Filesize
1.6MB

MD5
7b6ae43e1a14d08e0815f7c319b73d3e

SHA1
941ccc57a524d06e067a2993ec0a1e3ca4af8b5a

SHA256
76c1c4f8edd025a8e9e8536a33e38cd59a4b6da02a2c46f593670f05d34c0532

SHA512
652c418573f021e5516c420d63a6c79230067ac1fde16ae84a85f0d29a30984973ac4db4305a721a37d486b938d4640d2f4f069f22e3d44058395638da1a713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f5d9c6b-6350-441a-a096-b1c569dc5c62.vbs

Filesize
737B

MD5
0c106004d204b62c28e22c0759aba1e0

SHA1
ab3fe30cca151207c58b729f6664dbb51cbf2de2

SHA256
e3b208ddb5d3765df73628873fc1f0330f33a75b5773a72da2c97d28fd0bf901

SHA512
229adc9ec18af4edf1b5b24dd5acd62e9cbd896159e7c87369ed99d929b6e998f04f8d57e7d6ce6bf5b9ae7eba631e14f568f4a14408e780a23e738cacf3f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3df472d5-21ee-44e2-8238-62c77ce8227c.vbs

Filesize
737B

MD5
4eaad4111496e80406177cefc2445380

SHA1
887091209b52a50730bcc7d734165157dfc07ea2

SHA256
7f3dcd45bf9ed879e579ec28ef9ab6fed6a05ce3e109b9d8d9bf03612e178066

SHA512
763f326cfc37c9ad5104ec24402887598db0fe902de18dc1e49c713444f645f809cca83a16067878d2681083e2f3961e675c1179be09b24bc173f64b3ec9e37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bd760fe-1284-40bc-a4c4-fddabe93bc5f.vbs

Filesize
737B

MD5
86af24d48addbd43c7ce06a03ecf2b3b

SHA1
4c0059f5873899dfb5b83c569d0b4cc5baa5b43d

SHA256
a9c5e3e384ee94ce7d006ef03682a81d38309099bd8ccfa644c730ce0d4522f2

SHA512
6d2c99cc7a648e6bd92bd3f72931255394e0054065d7d2acb17f675ace50205b95d56677b129438ab574e672ef1c655bfb2c74495df891e81d0512888a3371e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\857e7e9f-2815-4dd3-b588-f6fe7934022b.vbs

Filesize
736B

MD5
49ca25ab85fd791aea98787ff70a41af

SHA1
6f20c7871c6b557363c67d3fbb7c97abcd03753c

SHA256
5950bf623cdb27b2ef90e28caaa8c6017f17e6429132aaf46857506f2f5bda37

SHA512
12163639de2f7db7a053efc543b9641e2f7e2b6515fc6343dce9a0d4759134ea21b356cc102a5446dcb14c999e9222230bcbd67b56563355ec1a69c85e4e3032

Download Submit
C:\Users\Admin\AppData\Local\Temp\861bb258-661e-4459-8609-a4dc0b9366df.vbs

Filesize
737B

MD5
a300eb6befafa4292c93faf58830e8e8

SHA1
1bf568ae879bf5070039b5753611c8a681a0c1e0

SHA256
18c2bccc0de24fcbf0c940de9ed23152ed6dc63d7a37aae2657837a51384d172

SHA512
0c548318e0741b88943bcc7c58fec8526d815d5bf750ff9874c78aa8da8a75f9ddbf04fbbfb6bdb42e895f0d6923d2c2e5abc4746e65ae56519a403e6189e34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\969dec55-9bfa-4de8-836b-be14f2ba7514.vbs

Filesize
737B

MD5
aca0a6d465a4c16c50cd897b5c8f1321

SHA1
0103d6a3ca45f474749b2aa10c4dc9c6f63e67d1

SHA256
942578203c7406cbd819eb745cbd21177a4812bebb971700afaf293c68a10038

SHA512
87bb0ce42a3ebeeb1098c08424db71b1459aeb44269c1c9e4795fd70367b7f0325009113521fc75b522ba1e88e94d234d6a8d687b8def967ebb92c76271ae4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d5e7cf-7379-485d-b779-5b7ef5c57249.vbs

Filesize
737B

MD5
970dde4c8a2f12dfdab19b499bc0cd6d

SHA1
5971b77fac31fbd25f767dd979d75e6d7e20a241

SHA256
73d1924890241b3223caee503d7eb8cc7dabb6265cd93c7216b9a91f8d5feeac

SHA512
348086e31960477d646a0e79f966472eda29d44aea9b3c08f287c668e7e3a0cd58cf8204682d6616370835af516ff7119cd194d444ff641ee6dbf376054a12d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcdea593-0e5d-413b-b2b4-a155ced9420f.vbs

Filesize
737B

MD5
b94c0b7990b5bff5dcb4e7b8dc055bd6

SHA1
1b70553dbbda3b66b682161f120a10ab2dc11788

SHA256
e3bbdc5acc9c0b8eaa436f8627596d6459d3972c5bd999bfadf0cbb7ce398f05

SHA512
aeddf546d30f858e6a14808941be8a9a6423bfbad0d37fc77d6ba0f977c5c7b4e02f7a78e96e6332e5bdcc6c5d103ddcb9049fe6066e2b82e66f58f693ceef38

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdda7b56-5147-49fd-930b-f5fe3ce61152.vbs

Filesize
737B

MD5
f55a147a7e8c4bcbb2f19eaa27b61be5

SHA1
d6cdeee3fac6b7c9237b006466d4847127a889c4

SHA256
fc58e632498f1dfdaa6c010c2f9b670755191c88078c1d88ab38783120d110aa

SHA512
1132158e4e38a767e583cade2bc7bff0ee84f40769045c3a8962017770ed5dd9911b831a68f55d8ba191f002535c29c55c57125b4dd25cad0a6f4b145abbaa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d56f9dfd-da6e-4056-a13e-16c830eb08d3.vbs

Filesize
737B

MD5
92f8f3e04949924ad4867c9610454ceb

SHA1
334612e9080a67fa58357f32f1e4d41db05d2f78

SHA256
7f18f2e1fa8052905ac97f8a7c1589b1c345370dd1b134f27ad7ea53396ef50b

SHA512
7f2327ebe575597b84b8cbf3855cacceee17db8344b7dec496192dbb8acc022b63a0ee5b3d55a2029c99a26949ff224c782c09e1c31dbe4d4b805d978d8914c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdfcabd9-819a-44c6-ac2c-96d988f73da7.vbs

Filesize
513B

MD5
0a48f2ebe76e32d6e791a69e813dddb8

SHA1
2b986a3d708252635d3e32920c6c8c3178e835d0

SHA256
f6d93acf0ce6811a6c37b8c4bb911f7633ec1a26740afd6f47d36b54f69eb6b4

SHA512
74b45e3a35da00b61059f094c102604b1d312f6947b6f2c525b4456f5c9c548e6178edfd4700390b3627667328556aab7e9f54e9d34c9d16f9aae1dc721604c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b19ac8dd5d4619c9db015ac8b07e6621

SHA1
1f67c13ba1bc9237ca273a71b46e7782cbd4ff86

SHA256
78c80ad3e4ca14a305e4234fc085f8e30ab2e4425de50fceddeef2baaa28e32e

SHA512
c2018b11f86462faa902a16f58cdbfcad347372c01a60742672ba8d027f94433c89cfefb3dec8f249e8260e9a63b4623522ef9558e8d921e92a837a960147ae5

Download Submit
C:\Windows\ehome\es-ES\dwm.exe

Filesize
1.6MB

MD5
de85b03bebfb919df53912cb0ca84af7

SHA1
336bd7b1faf7e3cddb45c071ff5f5d6d64f94fb9

SHA256
5c7f27a1cc7422a66ac2e509f12015bff8fe6db6c09bbd293944fd5b736270da

SHA512
ed2c9fbc59c21d07d1894b189569b8539a4a05e94df4a9af1608a4580c90247b011792334a9b08040eefd71d7130ae76019e0ef55a85c56dde12642dcc1564ef

Download Submit
memory/360-234-0x0000000001270000-0x0000000001412000-memory.dmp

Filesize
1.6MB

Download
memory/1036-149-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1036-147-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1476-257-0x00000000000C0000-0x0000000000262000-memory.dmp

Filesize
1.6MB

Download
memory/1560-199-0x00000000002C0000-0x0000000000462000-memory.dmp

Filesize
1.6MB

Download
memory/2600-269-0x0000000000A30000-0x0000000000BD2000-memory.dmp

Filesize
1.6MB

Download
memory/2688-165-0x0000000001370000-0x0000000001512000-memory.dmp

Filesize
1.6MB

Download
memory/2748-10-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2748-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2748-159-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2748-166-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-15-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2748-14-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2748-12-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2748-13-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2748-11-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2748-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000B00000-0x0000000000CA2000-memory.dmp

Filesize
1.6MB

Download
memory/2748-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2748-8-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2748-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2748-6-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2748-105-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2748-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2748-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2748-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-211-0x00000000011E0000-0x0000000001382000-memory.dmp

Filesize
1.6MB

Download