dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Size

2.5MB
MD5

1e5801255eb014a44c56370d9c7e5019
SHA1

9000eacf24a374e6e8512dce6deaae28454ea422
SHA256

eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a
SHA512

d2ba4e8022ba845a124c676b928358b99365691a3b6c4cdc0b488c184325e0cc29bd43ef54833b5c7c527beceab407d96d4d89050bcb6f19fdbc65f7456f8ddd
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2368	schtasks.exe
2760	schtasks.exe
2668	schtasks.exe
2620	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2656	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1720	powershell.exe
2728	powershell.exe
1848	powershell.exe
1084	powershell.exe
2736	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
864	lsm.exe
484	lsm.exe
2708	lsm.exe
680	lsm.exe
2816	lsm.exe
1224	lsm.exe
1692	lsm.exe
2368	lsm.exe
2324	lsm.exe
2040	lsm.exe
2128	lsm.exe
2684	lsm.exe
1588	lsm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\msvcp120_clr0400\\lsm.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\fc\\lsm.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msscp\\winlogon.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msvcp120_clr0400\RCXC160.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\msvcp120_clr0400\lsm.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\fc\RCXC3D3.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\msvcp120_clr0400\lsm.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\msvcp120_clr0400\101b941d020240	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\msscp\winlogon.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\msscp\cc11b995f2a76d	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\msvcp120_clr0400\RCXC161.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\fc\RCXC365.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\fc\lsm.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\msscp\RCXC5F6.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\msscp\RCXC5F7.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\fc\lsm.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\fc\101b941d020240	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\msscp\winlogon.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2668	schtasks.exe
2620	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
2736	powershell.exe
1084	powershell.exe
1848	powershell.exe
2728	powershell.exe
1720	powershell.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
864	lsm.exe
484	lsm.exe
484	lsm.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	864	lsm.exe
Token: SeDebugPrivilege	484	lsm.exe
Token: SeDebugPrivilege	2708	lsm.exe
Token: SeDebugPrivilege	680	lsm.exe
Token: SeDebugPrivilege	2816	lsm.exe
Token: SeDebugPrivilege	1224	lsm.exe
Token: SeDebugPrivilege	1692	lsm.exe
Token: SeDebugPrivilege	2368	lsm.exe
Token: SeDebugPrivilege	2324	lsm.exe
Token: SeDebugPrivilege	2040	lsm.exe
Token: SeDebugPrivilege	2128	lsm.exe
Token: SeDebugPrivilege	2684	lsm.exe
Token: SeDebugPrivilege	1588	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1084	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	35
PID 2464 wrote to memory of 1084	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	35
PID 2464 wrote to memory of 1084	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	35
PID 2464 wrote to memory of 2736	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	36
PID 2464 wrote to memory of 2736	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	36
PID 2464 wrote to memory of 2736	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	36
PID 2464 wrote to memory of 1720	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	37
PID 2464 wrote to memory of 1720	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	37
PID 2464 wrote to memory of 1720	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	37
PID 2464 wrote to memory of 2728	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	40
PID 2464 wrote to memory of 2728	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	40
PID 2464 wrote to memory of 2728	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	40
PID 2464 wrote to memory of 1848	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	41
PID 2464 wrote to memory of 1848	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	41
PID 2464 wrote to memory of 1848	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	41
PID 2464 wrote to memory of 1152	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	45
PID 2464 wrote to memory of 1152	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	45
PID 2464 wrote to memory of 1152	2464	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	45
PID 1152 wrote to memory of 2856	1152	cmd.exe	47
PID 1152 wrote to memory of 2856	1152	cmd.exe	47
PID 1152 wrote to memory of 2856	1152	cmd.exe	47
PID 1152 wrote to memory of 864	1152	cmd.exe	49
PID 1152 wrote to memory of 864	1152	cmd.exe	49
PID 1152 wrote to memory of 864	1152	cmd.exe	49
PID 864 wrote to memory of 1656	864	lsm.exe	50
PID 864 wrote to memory of 1656	864	lsm.exe	50
PID 864 wrote to memory of 1656	864	lsm.exe	50
PID 864 wrote to memory of 1628	864	lsm.exe	51
PID 864 wrote to memory of 1628	864	lsm.exe	51
PID 864 wrote to memory of 1628	864	lsm.exe	51
PID 1656 wrote to memory of 484	1656	WScript.exe	52
PID 1656 wrote to memory of 484	1656	WScript.exe	52
PID 1656 wrote to memory of 484	1656	WScript.exe	52
PID 484 wrote to memory of 880	484	lsm.exe	53
PID 484 wrote to memory of 880	484	lsm.exe	53
PID 484 wrote to memory of 880	484	lsm.exe	53
PID 484 wrote to memory of 1504	484	lsm.exe	54
PID 484 wrote to memory of 1504	484	lsm.exe	54
PID 484 wrote to memory of 1504	484	lsm.exe	54
PID 880 wrote to memory of 2708	880	WScript.exe	55
PID 880 wrote to memory of 2708	880	WScript.exe	55
PID 880 wrote to memory of 2708	880	WScript.exe	55
PID 2708 wrote to memory of 2164	2708	lsm.exe	56
PID 2708 wrote to memory of 2164	2708	lsm.exe	56
PID 2708 wrote to memory of 2164	2708	lsm.exe	56
PID 2708 wrote to memory of 868	2708	lsm.exe	57
PID 2708 wrote to memory of 868	2708	lsm.exe	57
PID 2708 wrote to memory of 868	2708	lsm.exe	57
PID 2164 wrote to memory of 680	2164	WScript.exe	58
PID 2164 wrote to memory of 680	2164	WScript.exe	58
PID 2164 wrote to memory of 680	2164	WScript.exe	58
PID 680 wrote to memory of 1540	680	lsm.exe	59
PID 680 wrote to memory of 1540	680	lsm.exe	59
PID 680 wrote to memory of 1540	680	lsm.exe	59
PID 680 wrote to memory of 2740	680	lsm.exe	60
PID 680 wrote to memory of 2740	680	lsm.exe	60
PID 680 wrote to memory of 2740	680	lsm.exe	60
PID 1540 wrote to memory of 2816	1540	WScript.exe	61
PID 1540 wrote to memory of 2816	1540	WScript.exe	61
PID 1540 wrote to memory of 2816	1540	WScript.exe	61
PID 2816 wrote to memory of 1980	2816	lsm.exe	62
PID 2816 wrote to memory of 1980	2816	lsm.exe	62
PID 2816 wrote to memory of 1980	2816	lsm.exe	62
PID 2816 wrote to memory of 3012	2816	lsm.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
"C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msvcp120_clr0400\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fc\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msscp\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IQUtZ6bgFh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2856
- - C:\Windows\System32\msvcp120_clr0400\lsm.exe
    "C:\Windows\System32\msvcp120_clr0400\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63786b6c-65d9-4f66-9807-32bde309e5e6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a7fcc4d-1727-4e8b-8f16-ec13df581c1e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ba7d8d5-7311-4e26-8572-c55d51bf62ad.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eee5486-18fe-4ded-bfee-241ed589e90e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fa0aa03-d3b6-468e-b0aa-22fa7ea4fa8b.vbs"
        12⤵
        
        PID:1980
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5487a8cf-3337-4dc4-9343-de46308d3ed0.vbs"
        14⤵
        
        PID:660
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee6da94-23c7-41ea-8d45-1df066f5eb8b.vbs"
        16⤵
        
        PID:776
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdfe518-2f50-47f2-9ae4-5235415b536b.vbs"
        18⤵
        
        PID:2068
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0ea87d-95ca-4ac6-91d7-d47f49a59e66.vbs"
        20⤵
        
        PID:2996
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6a0c3f-614a-4ac3-8d4e-5aa9e9399587.vbs"
        22⤵
        
        PID:2016
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0912aed6-3096-44b7-b006-fe209ccc21bc.vbs"
        24⤵
        
        PID:2076
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3973d68-91b8-455a-bf08-41b283cf5ef2.vbs"
        26⤵
        
        PID:2940
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        
        C:\Windows\System32\msvcp120_clr0400\lsm.exe
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be5491ba-acfb-491a-8e9e-d764e9cdbd18.vbs"
        28⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1ff134-837e-43b5-b59e-72dad22dae19.vbs"
        28⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a129d1-b852-4538-8a18-1784e1f33ba9.vbs"
        26⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7aac356-3640-4dc3-9c10-32fbd36385d4.vbs"
        24⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f60e18-6ca8-4d03-bf26-25ed23e43d73.vbs"
        22⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a1112b-627a-46b1-ba8f-d4b0a18eeaad.vbs"
        20⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\751bb39a-1c83-4927-9d49-cb9f554bfcc8.vbs"
        18⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcc8c57b-013c-4f82-8542-379d346bb4dc.vbs"
        16⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50547463-151e-4ed5-9ecf-a772f4fc72ea.vbs"
        14⤵
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2cf15b2-0eee-4dd4-b32b-d817fa3c53ad.vbs"
        12⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429e5ae4-358a-4ec0-8088-150af8ffd264.vbs"
        10⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7cf8873-9215-4e7b-814c-584433d18762.vbs"
        8⤵
        
        PID:868
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f559c328-24bb-4e8c-8a08-89b7ff0aa8ad.vbs"
        6⤵
        
        PID:1504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2382027d-6da3-4a01-a122-2f65c4f32d18.vbs"
      4⤵
      PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\msvcp120_clr0400\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\fc\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msscp\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0912aed6-3096-44b7-b006-fe209ccc21bc.vbs

Filesize
720B

MD5
a1b702dee84f0f9fcdfcfb5a6b4cdc8e

SHA1
072433652282acb19908154710cb0f80a189d36d

SHA256
885bc81740ba8a506afa42da6635428bd714b5cfcb071f3000a101137a540040

SHA512
8e8e86752e77b027f65df7aa2991d5f3869f8dedaf1ada8728f0e09b46b6c9e8c92e98bcedc60c17ac9ef1f32c0d16c1ea5945166636cd9edb8bd27a95ba2cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2382027d-6da3-4a01-a122-2f65c4f32d18.vbs

Filesize
496B

MD5
13792ea44cef271c9b754919988b019d

SHA1
242939d9e711b79628c793a4dc8765bdfd016f3e

SHA256
b9da3616efbf803193966a9842807a31a77a66f0ebbf8f77448d966b2cb7d27d

SHA512
3f287d6efa46c8d12c4bba6c9d7e91b62f90664b2e7ba9cb28c8c8a8d891617836a54d3f7eff36693cead894bdd89844537841be1261dad851e38da118341ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ba7d8d5-7311-4e26-8572-c55d51bf62ad.vbs

Filesize
720B

MD5
f09083b227d6b7864789c08876651387

SHA1
1b08019e2562d06ec23171a3b179125bbee4b3bd

SHA256
84f7772cd61518ae6ad658f08956458072dd7083bbf72f5659ad3eef10f62360

SHA512
ec72a825f17ad96bd8ec814ea8365a2142ac8352b431c07ffbe99811dcb89df3fd684b2eeb20042faa6a6b6b1683af5921ad4ed1c19a0b2045b4b5505b26395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f6a0c3f-614a-4ac3-8d4e-5aa9e9399587.vbs

Filesize
720B

MD5
ba70dab051250a00543c4320cd61331f

SHA1
1d5f731a6027b52c32ced585cb6fd00da8754f4d

SHA256
c6e4e502f067ae995c4759b7d270fce27e81b88f44a2153e0a97c6a239925bd3

SHA512
bf6beebcc28206480f704774caf7f85e4b603257f2e7f11ef01a7fb582c344d613e2be297ae1658a991291585043500237d8a5c431b09709878fc6cc308bb32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eee5486-18fe-4ded-bfee-241ed589e90e.vbs

Filesize
719B

MD5
b1e1529152a5d38033813321c2fc90a9

SHA1
a797787d542dcad218041bd0a6bf57dab36e7c20

SHA256
178047634418cb5a71407ad382b077f10eabd402a7ab4267dd123f09b22d3278

SHA512
6f83d66dc1a4612dda09d6c8243b0ed143347d2cbbfade060b96d83ca6090dbad865e59e364e5448dfab23e827dc6d51926effa8789d8f9d89a4ca220b878b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\5487a8cf-3337-4dc4-9343-de46308d3ed0.vbs

Filesize
720B

MD5
fce901445cc6ac4fe7998cd9b579c5ae

SHA1
4814c2f55520244aa3fda05f895b793202043d14

SHA256
91fdd6b427bef119d544d60c1b615528f80369cf2397f7ef296823de2a1aa6cf

SHA512
b4ea04f9ce2e72d60760d6783b82b76ea4dbc92cc3d849932043cd22a8b266b9a5b3c1193ad1346baa91f79e57b1560543ad0f5da8eb0d66839f5c8ec67dc5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\63786b6c-65d9-4f66-9807-32bde309e5e6.vbs

Filesize
719B

MD5
8a90755c98252b6c591c41a7dd0793b1

SHA1
39b0c71564d696688926588b2bbb355537544378

SHA256
22abdb58860a8089bfbe3a1e38a66979112f7c903f3bd51432f9b38e16c79ff1

SHA512
660c48357b69333e12770df789a0c7cc1e8ad486860fd7d7e72a9ec370b2e2131e86a993979f047fb8d8a6e489ff4ed005c7fdcbfe30f45b857c12501a3f37a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a7fcc4d-1727-4e8b-8f16-ec13df581c1e.vbs

Filesize
719B

MD5
9d82f32f4cd57c69c4b15d45efbc0729

SHA1
76a22358c7686a7b294146c5cc55e9b36a43d83b

SHA256
1a58a03075334bbdecf61a3087672a03541c465a0124132a6f21d597a6de4219

SHA512
ab2d1e4a0a1ebd2beb432d5280eb80ad947976446886602bbcf2f3b67252b6a8acc42722a7d64a0d056cea09a1df826386ad3150fa0742a2237fd095b146a9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fa0aa03-d3b6-468e-b0aa-22fa7ea4fa8b.vbs

Filesize
720B

MD5
7469c428988ffea71b6a9fd9bff6f9f2

SHA1
9b3228ed4a8ef0205614dbf969adf09b12a268a8

SHA256
c6e86df4553e0007d1811d78915a6baeb7a06ecc63e45b005c1f3cebd73becbb

SHA512
77bd0443434a82f82a52ccca3e3dd66209dd8df91212f5a9ab9e89bab435e35457c4c57ff913e6d672c1fb671a1f3dbd3770d113af4b98d8f403cafc4d94940f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQUtZ6bgFh.bat

Filesize
208B

MD5
21cb9c7bb1d59b6eee27d5c157c61e19

SHA1
2b8a8e06d12245f47c59e66dd36740f7b91fe2fe

SHA256
504cb1cee0a6b29d19e25934a7f17364ec531d5daf779e54c64c1ccb301afc7c

SHA512
fed8c8a84ab6f7c7e5cdbd6abc859b97216bb5b578b61012f4437e5cee97e6fc221d4479bd8d1e51d206e39208f52a517c0139babdb0b9a67ea0f778f0fd1040

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXBC6D.tmp

Filesize
2.5MB

MD5
1e5801255eb014a44c56370d9c7e5019

SHA1
9000eacf24a374e6e8512dce6deaae28454ea422

SHA256
eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a

SHA512
d2ba4e8022ba845a124c676b928358b99365691a3b6c4cdc0b488c184325e0cc29bd43ef54833b5c7c527beceab407d96d4d89050bcb6f19fdbc65f7456f8ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3973d68-91b8-455a-bf08-41b283cf5ef2.vbs

Filesize
720B

MD5
aff0c059c040f86830bc54056e3c63a3

SHA1
a0b50cfa9c4cc82793688cf20f305d7c14161af4

SHA256
74d7bc557956bef5a47b4f888921a183584121a61878f486e2609f5cdad3bc5e

SHA512
b98584fc3114eff9ea77f8817de0df0e3472c275793c9fce47e825d852b5ccd7ecbe8738fe6299606c1a1677d8ceb7230e0966cf4500e176a6eb2f486c1650e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcdfe518-2f50-47f2-9ae4-5235415b536b.vbs

Filesize
720B

MD5
4f9530511c15718358098aa13f5a3d9a

SHA1
c287f06870fbd6e227c42c4a8e8896828992634f

SHA256
5a9ee27f6def229d479dce9083aab6e7057ef57e6e82ec4b63c82eca7287b0d0

SHA512
22e142731aa564b759c33a44f349dbd4051919de47207807bb30e8cba9df56b601b9ba65d59d0b0af2e5d9a212299ecababb0b81a9646c51108f229ee12d33a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdf8fef716bf3e942d05318f49c0144d2733610b.exe

Filesize
2.5MB

MD5
3ccd91a31c7049e9434c35b70b819be4

SHA1
1988ae0387c42902680d3d2d869768e4dff5a248

SHA256
2daecf677e6d791d9f08257c76940aaa68f83ef50267b721ff6a55ba9ba51ce8

SHA512
887e2f7457b85bc4688aa7bf4e8eca9e76aa690191df62b111b9139e7165cd12af8f990aaece2598f720a823c978b9b4441f0216671665cd6361d8108c0fb6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\be5491ba-acfb-491a-8e9e-d764e9cdbd18.vbs

Filesize
720B

MD5
8cee8a5495b09bb2a8ebacccfeaf40a6

SHA1
8cf3ee7056d2bb78dc8ea739090a73881c07f269

SHA256
f05bc6cc7fc03a58eb54be731a43adc6c8823bfabed3175dd5d775bd1e00964f

SHA512
8874ff30d5e60b1f47baace4715012c27ccc58f71b6ea4a3ef93064b4338b52fd2e9d3ec5fb6817421fe0b78a5bc5e2ce4b542e266f46ac66b9be30637bc048b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eee6da94-23c7-41ea-8d45-1df066f5eb8b.vbs

Filesize
720B

MD5
ad90d0a19d0cf151f44f382949c20d7e

SHA1
b81f1b889fc28029c2183fddf391243a0d7d9aa2

SHA256
2ab8df7e790b2f99e3cf1ad57975259b2f6b982542aadf7bfffe6e56f8b11aea

SHA512
e10f3420c2602039708a562ccf9ff673470d01e6cb22dbd7a3530793ee8631352eced614bb47c8c5e772e042139bded622fcf74c9d3ad63af60accad5158b7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0ea87d-95ca-4ac6-91d7-d47f49a59e66.vbs

Filesize
720B

MD5
f2e1e76791a8961e7172b50f39dc68a0

SHA1
375aea2d6e0ba7edbc78ef60da4cd68983df863a

SHA256
d774dbb946bfa42041da83e21d00a1c631bc7786bfb97e58e577b0e3e7ced058

SHA512
f7f4c9de58e43b763ec74845c8ac93fa42e3f0b484424d6530d19c2acb8b8983e4e340fe59eb1efee1821b8dc74c5d2e6fbdf3dc2615d5501b7dd61d6dfb83bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a4136faa15ae25b0d5763f7cd639370

SHA1
f6a47aabf1081d7282cca6ada0baf8ee2c24f95d

SHA256
64e85413c5aa782468a785ee5b2570e7cd0765d7fb0fc730328436c05a240415

SHA512
73a95033aee14e57b75178f80a3e4dbf8f65bcb0c65cdfda64187e3eae64f30d3c346f561a49855672a2a3dc97b1df7cb0681aa9e003ba2d99a50e66a055345d

Download Submit
C:\Windows\System32\fc\lsm.exe

Filesize
2.5MB

MD5
7726c4f95a229e981aa4d36e3610275d

SHA1
144d907380e74dd068ecc028f6413d4bdfdb2ecf

SHA256
a275893a3d72939702b487b06f681aca3adac7829a142d6dc14b76f8c7199239

SHA512
9357d10d9202ddcea5b8b5b08603d063841657c1d8219cec7d8a8dba64612b1c6cda7227c7eeb78c98bd9a5586aa248cfe65376048e6b061eecd349d236b6677

Download Submit
memory/484-119-0x00000000001C0000-0x0000000000446000-memory.dmp

Filesize
2.5MB

Download
memory/484-120-0x0000000000750000-0x00000000007A6000-memory.dmp

Filesize
344KB

Download
memory/680-145-0x0000000001200000-0x0000000001486000-memory.dmp

Filesize
2.5MB

Download
memory/864-107-0x0000000000F40000-0x00000000011C6000-memory.dmp

Filesize
2.5MB

Download
memory/864-108-0x0000000000B20000-0x0000000000B76000-memory.dmp

Filesize
344KB

Download
memory/1588-253-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/1692-181-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1692-180-0x00000000000B0000-0x0000000000336000-memory.dmp

Filesize
2.5MB

Download
memory/2040-216-0x0000000000F80000-0x0000000001206000-memory.dmp

Filesize
2.5MB

Download
memory/2128-229-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/2128-228-0x0000000000370000-0x00000000005F6000-memory.dmp

Filesize
2.5MB

Download
memory/2324-204-0x0000000000080000-0x0000000000306000-memory.dmp

Filesize
2.5MB

Download
memory/2464-9-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/2464-14-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2464-12-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2464-1-0x0000000000060000-0x00000000002E6000-memory.dmp

Filesize
2.5MB

Download
memory/2464-11-0x0000000002210000-0x000000000221A000-memory.dmp

Filesize
40KB

Download
memory/2464-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-10-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/2464-86-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-8-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/2464-13-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/2464-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2464-7-0x00000000008C0000-0x0000000000916000-memory.dmp

Filesize
344KB

Download
memory/2464-6-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/2464-3-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2464-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2464-15-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2464-4-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/2464-16-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2684-240-0x00000000010E0000-0x0000000001366000-memory.dmp

Filesize
2.5MB

Download
memory/2684-241-0x00000000010D0000-0x00000000010E2000-memory.dmp

Filesize
72KB

Download
memory/2708-133-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2708-132-0x0000000001060000-0x00000000012E6000-memory.dmp

Filesize
2.5MB

Download
memory/2736-87-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2736-84-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2816-157-0x00000000003E0000-0x0000000000436000-memory.dmp

Filesize
344KB

Download