dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Size

1.6MB
MD5

2cd96728fb8f5bef05b7c1d14200ffa0
SHA1

9c1ba4495ad7bb48aaac4123f62528ab80485c3e
SHA256

0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310
SHA512

aa6b10a50e766cc1203e05eb63eb6299cd528e836456368d3a2aa45dcf51cea26aa1380256e93e59245b0275d3568aeb8e9968e764c6d81483e77c258ea449f9
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2064	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2064	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/2692-1-0x0000000000260000-0x0000000000402000-memory.dmp	dcrat
behavioral19/files/0x000500000001a4c3-25.dat	dcrat
behavioral19/files/0x000600000001a4bd-85.dat	dcrat
behavioral19/memory/3016-118-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral19/memory/1752-141-0x0000000000D50000-0x0000000000EF2000-memory.dmp	dcrat
behavioral19/memory/832-153-0x0000000000E60000-0x0000000001002000-memory.dmp	dcrat
behavioral19/memory/2748-165-0x0000000000EE0000-0x0000000001082000-memory.dmp	dcrat
behavioral19/memory/2332-199-0x0000000000360000-0x0000000000502000-memory.dmp	dcrat
behavioral19/memory/2876-211-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral19/memory/1016-234-0x00000000003F0000-0x0000000000592000-memory.dmp	dcrat
behavioral19/memory/872-246-0x0000000000240000-0x00000000003E2000-memory.dmp	dcrat
behavioral19/memory/1688-258-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral19/files/0x000a00000001a4d9-262.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
2084	powershell.exe
2248	powershell.exe
2364	powershell.exe
2244	powershell.exe
1976	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3016	System.exe
1752	System.exe
832	System.exe
2748	System.exe
1632	System.exe
1552	System.exe
2332	System.exe
2876	System.exe
1080	System.exe
1016	System.exe
872	System.exe
1688	System.exe
2448	System.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX46B9.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX46BA.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Uninstall Information\spoolsv.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\taskhost.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\Registration\CRMLog\taskhost.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\Registration\CRMLog\b75386f1303e64	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX492B.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX4999.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
2148	schtasks.exe
2620	schtasks.exe
844	schtasks.exe
1204	schtasks.exe
3000	schtasks.exe
2776	schtasks.exe
2556	schtasks.exe
2184	schtasks.exe
1100	schtasks.exe
2344	schtasks.exe
1432	schtasks.exe
2264	schtasks.exe
2616	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
1976	powershell.exe
2248	powershell.exe
2200	powershell.exe
2244	powershell.exe
2364	powershell.exe
2084	powershell.exe
3016	System.exe
1752	System.exe
832	System.exe
2748	System.exe
1632	System.exe
1552	System.exe
2332	System.exe
2876	System.exe
1080	System.exe
1016	System.exe
872	System.exe
1688	System.exe
2448	System.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3016	System.exe
Token: SeDebugPrivilege	1752	System.exe
Token: SeDebugPrivilege	832	System.exe
Token: SeDebugPrivilege	2748	System.exe
Token: SeDebugPrivilege	1632	System.exe
Token: SeDebugPrivilege	1552	System.exe
Token: SeDebugPrivilege	2332	System.exe
Token: SeDebugPrivilege	2876	System.exe
Token: SeDebugPrivilege	1080	System.exe
Token: SeDebugPrivilege	1016	System.exe
Token: SeDebugPrivilege	872	System.exe
Token: SeDebugPrivilege	1688	System.exe
Token: SeDebugPrivilege	2448	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2084	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	46
PID 2692 wrote to memory of 2084	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	46
PID 2692 wrote to memory of 2084	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	46
PID 2692 wrote to memory of 2248	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	47
PID 2692 wrote to memory of 2248	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	47
PID 2692 wrote to memory of 2248	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	47
PID 2692 wrote to memory of 2364	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	48
PID 2692 wrote to memory of 2364	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	48
PID 2692 wrote to memory of 2364	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	48
PID 2692 wrote to memory of 2244	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	49
PID 2692 wrote to memory of 2244	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	49
PID 2692 wrote to memory of 2244	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	49
PID 2692 wrote to memory of 1976	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	50
PID 2692 wrote to memory of 1976	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	50
PID 2692 wrote to memory of 1976	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	50
PID 2692 wrote to memory of 2200	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	51
PID 2692 wrote to memory of 2200	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	51
PID 2692 wrote to memory of 2200	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	51
PID 2692 wrote to memory of 3016	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	58
PID 2692 wrote to memory of 3016	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	58
PID 2692 wrote to memory of 3016	2692	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	58
PID 3016 wrote to memory of 2796	3016	System.exe	59
PID 3016 wrote to memory of 2796	3016	System.exe	59
PID 3016 wrote to memory of 2796	3016	System.exe	59
PID 3016 wrote to memory of 3044	3016	System.exe	60
PID 3016 wrote to memory of 3044	3016	System.exe	60
PID 3016 wrote to memory of 3044	3016	System.exe	60
PID 2796 wrote to memory of 1752	2796	WScript.exe	61
PID 2796 wrote to memory of 1752	2796	WScript.exe	61
PID 2796 wrote to memory of 1752	2796	WScript.exe	61
PID 1752 wrote to memory of 1408	1752	System.exe	62
PID 1752 wrote to memory of 1408	1752	System.exe	62
PID 1752 wrote to memory of 1408	1752	System.exe	62
PID 1752 wrote to memory of 2264	1752	System.exe	63
PID 1752 wrote to memory of 2264	1752	System.exe	63
PID 1752 wrote to memory of 2264	1752	System.exe	63
PID 1408 wrote to memory of 832	1408	WScript.exe	64
PID 1408 wrote to memory of 832	1408	WScript.exe	64
PID 1408 wrote to memory of 832	1408	WScript.exe	64
PID 832 wrote to memory of 2028	832	System.exe	65
PID 832 wrote to memory of 2028	832	System.exe	65
PID 832 wrote to memory of 2028	832	System.exe	65
PID 832 wrote to memory of 2232	832	System.exe	66
PID 832 wrote to memory of 2232	832	System.exe	66
PID 832 wrote to memory of 2232	832	System.exe	66
PID 2028 wrote to memory of 2748	2028	WScript.exe	67
PID 2028 wrote to memory of 2748	2028	WScript.exe	67
PID 2028 wrote to memory of 2748	2028	WScript.exe	67
PID 2748 wrote to memory of 2492	2748	System.exe	68
PID 2748 wrote to memory of 2492	2748	System.exe	68
PID 2748 wrote to memory of 2492	2748	System.exe	68
PID 2748 wrote to memory of 2276	2748	System.exe	69
PID 2748 wrote to memory of 2276	2748	System.exe	69
PID 2748 wrote to memory of 2276	2748	System.exe	69
PID 2492 wrote to memory of 1632	2492	WScript.exe	70
PID 2492 wrote to memory of 1632	2492	WScript.exe	70
PID 2492 wrote to memory of 1632	2492	WScript.exe	70
PID 1632 wrote to memory of 2644	1632	System.exe	71
PID 1632 wrote to memory of 2644	1632	System.exe	71
PID 1632 wrote to memory of 2644	1632	System.exe	71
PID 1632 wrote to memory of 2812	1632	System.exe	72
PID 1632 wrote to memory of 2812	1632	System.exe	72
PID 1632 wrote to memory of 2812	1632	System.exe	72
PID 2644 wrote to memory of 1552	2644	WScript.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
"C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Users\Default User\System.exe
  "C:\Users\Default User\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfdfad2b-6ff6-4e83-b9f9-f5702c272d78.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Default User\System.exe
      "C:\Users\Default User\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a9f80ea-bea4-4aed-a743-87feaf146f98.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e445dfe2-599e-4736-9551-368a2f5beee0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10ddd72b-0683-44d4-b788-2a8e9183972a.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4385b76-9e38-422c-a591-87437b1c74a0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a733d8dc-3cdc-41b9-a2a6-b905eb1b0d38.vbs"
        13⤵
        
        PID:1432
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee9c23e-4879-4ccb-81f5-a369fa93b482.vbs"
        15⤵
        
        PID:600
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\920fad4b-03d9-4ecc-b5de-d8d5a58699ba.vbs"
        17⤵
        
        PID:2004
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad64b631-68c0-4c80-8f93-a9bc656a61f4.vbs"
        19⤵
        
        PID:1736
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90f06f23-58ce-4ced-9022-2c60f6534c33.vbs"
        21⤵
        
        PID:2620
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a173debb-4bda-44f8-90d4-43b909158835.vbs"
        23⤵
        
        PID:1620
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94f17c8c-164f-4f42-9b09-4fa45afc9120.vbs"
        25⤵
        
        PID:2300
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1caaa433-54cb-4188-8068-89bf23f51560.vbs"
        27⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afc9d3d2-8daf-48f6-a9b3-56a70bae2dd9.vbs"
        27⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ebadc1e-29e4-4a2b-b870-79a10e72051b.vbs"
        25⤵
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\829550b8-d4b5-42c1-8a11-10541730451c.vbs"
        23⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60f95baf-ef0b-4184-b8b4-ed213911699c.vbs"
        21⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e330f740-1309-4e19-a83e-07281ea6210e.vbs"
        19⤵
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e65bcd-3b67-462d-8ca0-fa86b8fa5512.vbs"
        17⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18eb361-d0be-4ad5-a5f2-e3dfe6f00a2c.vbs"
        15⤵
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81024b47-f342-4e7c-8de7-df6ae3a937e9.vbs"
        13⤵
        
        PID:492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4993f04-67d9-4acc-b8e4-aebf129b1484.vbs"
        11⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5323247f-ee37-47ef-a4af-2e7eec818e3b.vbs"
        9⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e7aa2c2-454b-4cc4-a252-45e6d4d268f3.vbs"
        7⤵
        
        PID:2232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3adbfac7-d865-4cbf-8f5c-04cdc90364a5.vbs"
        5⤵
        
        PID:2264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f112d00a-1ad8-4832-b973-4c470dde1ec8.vbs"
    3⤵
    PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10ddd72b-0683-44d4-b788-2a8e9183972a.vbs

Filesize
708B

MD5
71617d9dcb4b20e2853a8f1c42186cfe

SHA1
17a3360ddaf7c0f14627f75ca4f9264198f64cb3

SHA256
14f1b2cd4c3d17acefc04af443f4750530c644caee2d22433b9dcb1baf51d66e

SHA512
b2dd2666f3cef1ebbc5668b63a122150d8409a44307b9e9849c9f84f228a5ce4e6804fe16538ae4074930f9235bc06436e6ce84c40f5aeb5c204660586cb5239

Download Submit
C:\Users\Admin\AppData\Local\Temp\1caaa433-54cb-4188-8068-89bf23f51560.vbs

Filesize
708B

MD5
3e5f35be9be8947bebb9ddcfa3b8bac3

SHA1
ecc277107b724e90a782e6258cf154d7743eaa7b

SHA256
53622bb28ae01ee857c5c6624eb48bd25eedfd11d3467cbd397ea116c63578d0

SHA512
fe9f9b8134eb338dc52f21b70c7330e8478eefa70e1c778a2fdfd529dff68ea98356d283812879e347b3699edb663c42aad356758e71c1459b3c07ce5e84573d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a9f80ea-bea4-4aed-a743-87feaf146f98.vbs

Filesize
708B

MD5
bcae17563dd213904ceb1ef6d044de81

SHA1
81e7abb79ef3bb6728924276acff7335af50e93c

SHA256
cae4697eae5947d0a632cd0179db2332c78df739a85644d666009220df8b4466

SHA512
b9d5f0cd8527c0a5ee177655868008d42605defb3b4343bb7ef1dcc1e2f6c5863ae10fa6c7f42ef859120d734c6f37df4eabc3926a4ffc35145e889a6e438acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\90f06f23-58ce-4ced-9022-2c60f6534c33.vbs

Filesize
708B

MD5
a3ba9bb898cd86405c6cf1c57f2a9c83

SHA1
38ae670b3a1c77318f828533a6637ac805963542

SHA256
044102ea2eb86e63bb6b140315f9616ca54e8722450418ee523ef086c74adb47

SHA512
96a6822eff1ddbf4651a367f05fddd8b1e481d49a99e6149c0097015e15f2700d9c22deb71b5572a271f3642dacc163af009152d4835c08447abc8f199a8bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\920fad4b-03d9-4ecc-b5de-d8d5a58699ba.vbs

Filesize
708B

MD5
94a773205b8df072109d4e729619f456

SHA1
454081a7206cb20d63ea7589c422d4d52c741df9

SHA256
0abfbffeef58b5c5e89b68051886ee0b800ac965976276be70e3eb5679b5ba61

SHA512
1e1b2c726eaab85787df9bbdd6c5b4dd28b00c33deaba1ffb7e10d52c6a1c0cbc7aace4fb8539ac42b48953cf2f6dba82b35769ca32de76ec16e52e399fb11ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\94f17c8c-164f-4f42-9b09-4fa45afc9120.vbs

Filesize
708B

MD5
d3ea370503eb8ae1496d318304cd1843

SHA1
7d3c24a9ea39628acd27d19faa86fde701326aba

SHA256
fed3e5e912663cbf7fb43e801bfd66453a05fd1b06c4d7a141297db3a8f69524

SHA512
16304823daaf5232c9ab2e7500908b8d2458d7f5ab6f58981f2f0fb50d5648703b6c719c1d80eb85c2a612e39986b1813cfaca9dcdb024de5512320435218917

Download Submit
C:\Users\Admin\AppData\Local\Temp\a173debb-4bda-44f8-90d4-43b909158835.vbs

Filesize
707B

MD5
106bffd39b397716f5244f7f4aacb0cd

SHA1
10b429003ed9805282956178daeb301f49ebb17b

SHA256
79dfd123231bd69cf8b3bf2fd44334818653a91f1583bc3834898701343f7865

SHA512
bde7834ca3cfcecc9c594bb35f0fdb8b51c783afb1f4e00725c5be8d4497509becbcc39c6c29208adbf803aae854ef431e83e8846fbff9698355f664f48b7143

Download Submit
C:\Users\Admin\AppData\Local\Temp\a733d8dc-3cdc-41b9-a2a6-b905eb1b0d38.vbs

Filesize
708B

MD5
70b277ebffa846c3791b5648b111e6bf

SHA1
a9cb56eea81927d2b441e3277d3440efc536ec1c

SHA256
a589ad0ee389e20126bfeb7eff1eae608a1faf700132db97e0736853f652a8a7

SHA512
03029fcc7c0c0f628287ecef1e245135fe97589e5b61d70bc946df2001a46b6f9d265a54a24e92aa2bac3decfbf54458593924b346dbd27ad27ea216392c3012

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad64b631-68c0-4c80-8f93-a9bc656a61f4.vbs

Filesize
708B

MD5
6a8e5c69e43d8f45f83840745d567fc7

SHA1
9b7d3bc55b21797fc8c39c589b274ec856b0daf4

SHA256
99f29c34eef074333d39f4312a6121a837ac4aef68ad9d9776ea8c512369e3ae

SHA512
8f33f5c56c6b26840ba08ee5e84c2c26386656cb6351fe51c154ac3b2fec964cc987503c60b19d6e84aee81a89fec96148d6190fe7c695a115ecad41d1546bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfdfad2b-6ff6-4e83-b9f9-f5702c272d78.vbs

Filesize
708B

MD5
113f5c83acc448fca286051bae57b638

SHA1
57a4ae3ed3fbc54e374fbb6e37894c23b8b1b5ec

SHA256
e5fd3a3f6e86364586173bc5c6f25c3f2d01c325adec6e7fc0c358a7c10288c0

SHA512
96a7c60351bead3f3316cd1397574b638b5e03a35a954e6a7344db376c68827680651f17b27f5fdc852438d6b090caf0257da08060f9d1456a7adcaee3a420f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3f02db51028f0679d3bfb4b4a7f8a6682dc4e1c.exe

Filesize
1.6MB

MD5
b2dfd2ebd0515be0ea9b8ae1bdd575c5

SHA1
726f36f06712ff5d334d3dcc940a8e7dc1c852d3

SHA256
900cc53370d84464d35dbabb3caa55e577315d214547d2cb57282ba0ae3f4d54

SHA512
29f064c76a5c5ef2a1ad4e69ff4d6b619adc9c79376dfac381a17de1eb8a93cd9001693d16108636b8143e31e450aadba9376829273beca697403bb4a5777ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dee9c23e-4879-4ccb-81f5-a369fa93b482.vbs

Filesize
708B

MD5
754906014faa46448873bd9b32c69f24

SHA1
239c9722a1c533e3f75c988e4391f6c9d6203b23

SHA256
abce765979beeac5091cf2637e6df1317faf1bb8f124d58bafd3785e1fb3dc3a

SHA512
e9313e583cab02043a2e9a3e8f506fd443a0e90f016c29c741d0dea8ca4eb21059c37d568e34efbd3bc483db2a700bd7ccae3dc90d47d549319cd418640d5d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4385b76-9e38-422c-a591-87437b1c74a0.vbs

Filesize
708B

MD5
fa85e079d161690159088d06a2709faa

SHA1
2825fa56a8637cd51a368d79d87da47635db717c

SHA256
ce2f9f41cc4a8807887fb339f4429ba043af267faedc7376cda51192c5781ead

SHA512
d20f0c3c03a81c27669cd48f9f99d8bf82f328cb492c76c83c59dcdaa56e8fcc080e9782cc8e670fe67e2fc3e6ca22f842c900801a0444ae5f0f2b571f66a373

Download Submit
C:\Users\Admin\AppData\Local\Temp\e445dfe2-599e-4736-9551-368a2f5beee0.vbs

Filesize
707B

MD5
31cf4e42993e993993ce1f55f02ccb12

SHA1
c293a13c0ecad4c84f4f5fbcfaf04a26bbcc3920

SHA256
4d5941671071614e2048c434853c62d4788dec581086fb691b09a6dbffa61b28

SHA512
79d795565debb6d9aeac67ebdb029a2fcd9707d2b7c73191a218d5cc12261872dbe58d6a838cd69f1696458a8fc0c5c86aa44d42448de9d5c7780bd26f9815da

Download Submit
C:\Users\Admin\AppData\Local\Temp\f112d00a-1ad8-4832-b973-4c470dde1ec8.vbs

Filesize
484B

MD5
dd8d8393d5eb427a42f63e550083128e

SHA1
92acda129fec42948a79f00926672a92842e51f6

SHA256
43410a22acaa6397cf9cfa5b8a8a5e6c5d3063064443d8b34586babeb617c68f

SHA512
807b4a067d87570a66e84b24527ad2816702b7928bdb0a7c146b4abaea5cf994cd654a654cc8319c50a0d6f5525820a2ceb8ae4288ab78ac1f477354b2c7d321

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\38NOWXPPW3KREAXYCPT5.temp

Filesize
7KB

MD5
213fe1cbd074e78d3b8fa17d05232c0f

SHA1
a83f181befe5e183b79c9ec8382e2dc67267d6d0

SHA256
3e613712eaf7d45e24b526d0d361b8c06dd448dc702338aa280291dee8c37790

SHA512
954282b85825afa5cfa151acf810d82e950f8e0fdc78c3fa1fbe90b6f8f8163cfe3a0987f730c1154a8d77c4103d6994f83f4823018d9ca193997aef03675d74

Download Submit
C:\Windows\Registration\CRMLog\taskhost.exe

Filesize
1.6MB

MD5
2cd96728fb8f5bef05b7c1d14200ffa0

SHA1
9c1ba4495ad7bb48aaac4123f62528ab80485c3e

SHA256
0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310

SHA512
aa6b10a50e766cc1203e05eb63eb6299cd528e836456368d3a2aa45dcf51cea26aa1380256e93e59245b0275d3568aeb8e9968e764c6d81483e77c258ea449f9

Download Submit
C:\Windows\Registration\CRMLog\taskhost.exe

Filesize
1.6MB

MD5
223366619de39f0e45f06ecf1938989a

SHA1
2ec2cff64e88a4699b1b56af705b2027c19558bd

SHA256
f7a760a0024818d073791361962af85571e48775f54fe4dedb6d2b5c3483f823

SHA512
4650b4e2c647c3d499ed61ebde5f578b08401a52d11929266d187278f9891de477826913ba0efbf98ad78fb59f21eec2de164eaaf023783ce1eea6ea62503d64

Download Submit
memory/832-153-0x0000000000E60000-0x0000000001002000-memory.dmp

Filesize
1.6MB

Download
memory/872-246-0x0000000000240000-0x00000000003E2000-memory.dmp

Filesize
1.6MB

Download
memory/1016-234-0x00000000003F0000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1688-258-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/1752-141-0x0000000000D50000-0x0000000000EF2000-memory.dmp

Filesize
1.6MB

Download
memory/1976-125-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1976-120-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2332-199-0x0000000000360000-0x0000000000502000-memory.dmp

Filesize
1.6MB

Download
memory/2692-14-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2692-8-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2692-119-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-11-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2692-1-0x0000000000260000-0x0000000000402000-memory.dmp

Filesize
1.6MB

Download
memory/2692-15-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2692-16-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/2692-12-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2692-13-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2692-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2692-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2692-10-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2692-9-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2692-6-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2692-7-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2692-5-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2692-4-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2748-165-0x0000000000EE0000-0x0000000001082000-memory.dmp

Filesize
1.6MB

Download
memory/2876-211-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download
memory/3016-118-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download