dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
117s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Size

1.6MB
MD5

1e635900f25bb2891a42cf6d65ca80eb
SHA1

0c6e3ec0b571ee3d1504a4769a77405ba9a54edb
SHA256

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef
SHA512

c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2608	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/3004-1-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat
behavioral29/files/0x000500000001a301-25.dat	dcrat
behavioral29/memory/1656-169-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral29/memory/1596-180-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat
behavioral29/memory/2228-247-0x0000000000120000-0x00000000002C2000-memory.dmp	dcrat
behavioral29/memory/2188-259-0x00000000013C0000-0x0000000001562000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1260	powershell.exe
1484	powershell.exe
1488	powershell.exe
1756	powershell.exe
924	powershell.exe
892	powershell.exe
1112	powershell.exe
2192	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
1656	smss.exe
1596	smss.exe
2308	smss.exe
1652	smss.exe
2128	smss.exe
1252	smss.exe
2932	smss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\explorer.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\RCX8938.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX8B3B.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX8B3C.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX8D40.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\explorer.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\69ddcba757bf72	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Google\Temp\audiodg.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\audiodg.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\Internet Explorer\en-US\7a0fd90576e088	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Google\Temp\42af1c969fbb7b	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\RCX8937.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX8D41.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\tracing\6203df4a6bafc7	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\Web\RCX82BB.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\tracing\RCX84C0.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\tracing\lsass.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Windows\Web\Idle.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Windows\Web\6ccacd8608530f	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\Web\RCX82BC.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\Web\Idle.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\tracing\RCX84C1.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Windows\tracing\lsass.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
796	schtasks.exe
1912	schtasks.exe
2896	schtasks.exe
528	schtasks.exe
2848	schtasks.exe
1624	schtasks.exe
712	schtasks.exe
2704	schtasks.exe
2164	schtasks.exe
2168	schtasks.exe
2408	schtasks.exe
2684	schtasks.exe
2000	schtasks.exe
324	schtasks.exe
692	schtasks.exe
2220	schtasks.exe
2952	schtasks.exe
2516	schtasks.exe
2064	schtasks.exe
652	schtasks.exe
580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2192	powershell.exe
1484	powershell.exe
892	powershell.exe
1756	powershell.exe
1112	powershell.exe
924	powershell.exe
1488	powershell.exe
1260	powershell.exe
1656	smss.exe
1596	smss.exe
2308	smss.exe
1652	smss.exe
2128	smss.exe
1252	smss.exe
2932	smss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1656	smss.exe
Token: SeDebugPrivilege	1596	smss.exe
Token: SeDebugPrivilege	2308	smss.exe
Token: SeDebugPrivilege	1652	smss.exe
Token: SeDebugPrivilege	2128	smss.exe
Token: SeDebugPrivilege	1252	smss.exe
Token: SeDebugPrivilege	2932	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1488	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	53
PID 3004 wrote to memory of 1488	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	53
PID 3004 wrote to memory of 1488	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	53
PID 3004 wrote to memory of 1484	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	54
PID 3004 wrote to memory of 1484	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	54
PID 3004 wrote to memory of 1484	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	54
PID 3004 wrote to memory of 1260	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	55
PID 3004 wrote to memory of 1260	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	55
PID 3004 wrote to memory of 1260	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	55
PID 3004 wrote to memory of 2192	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	56
PID 3004 wrote to memory of 2192	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	56
PID 3004 wrote to memory of 2192	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	56
PID 3004 wrote to memory of 1112	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	57
PID 3004 wrote to memory of 1112	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	57
PID 3004 wrote to memory of 1112	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	57
PID 3004 wrote to memory of 892	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 3004 wrote to memory of 892	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 3004 wrote to memory of 892	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 3004 wrote to memory of 924	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	61
PID 3004 wrote to memory of 924	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	61
PID 3004 wrote to memory of 924	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	61
PID 3004 wrote to memory of 1756	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 3004 wrote to memory of 1756	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 3004 wrote to memory of 1756	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 3004 wrote to memory of 2208	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 3004 wrote to memory of 2208	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 3004 wrote to memory of 2208	3004	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 2208 wrote to memory of 1524	2208	cmd.exe	71
PID 2208 wrote to memory of 1524	2208	cmd.exe	71
PID 2208 wrote to memory of 1524	2208	cmd.exe	71
PID 2208 wrote to memory of 1656	2208	cmd.exe	72
PID 2208 wrote to memory of 1656	2208	cmd.exe	72
PID 2208 wrote to memory of 1656	2208	cmd.exe	72
PID 1656 wrote to memory of 2848	1656	smss.exe	73
PID 1656 wrote to memory of 2848	1656	smss.exe	73
PID 1656 wrote to memory of 2848	1656	smss.exe	73
PID 1656 wrote to memory of 1604	1656	smss.exe	74
PID 1656 wrote to memory of 1604	1656	smss.exe	74
PID 1656 wrote to memory of 1604	1656	smss.exe	74
PID 2848 wrote to memory of 1596	2848	WScript.exe	76
PID 2848 wrote to memory of 1596	2848	WScript.exe	76
PID 2848 wrote to memory of 1596	2848	WScript.exe	76
PID 1596 wrote to memory of 2772	1596	smss.exe	77
PID 1596 wrote to memory of 2772	1596	smss.exe	77
PID 1596 wrote to memory of 2772	1596	smss.exe	77
PID 1596 wrote to memory of 1028	1596	smss.exe	78
PID 1596 wrote to memory of 1028	1596	smss.exe	78
PID 1596 wrote to memory of 1028	1596	smss.exe	78
PID 2772 wrote to memory of 2308	2772	WScript.exe	79
PID 2772 wrote to memory of 2308	2772	WScript.exe	79
PID 2772 wrote to memory of 2308	2772	WScript.exe	79
PID 2308 wrote to memory of 1644	2308	smss.exe	80
PID 2308 wrote to memory of 1644	2308	smss.exe	80
PID 2308 wrote to memory of 1644	2308	smss.exe	80
PID 2308 wrote to memory of 596	2308	smss.exe	81
PID 2308 wrote to memory of 596	2308	smss.exe	81
PID 2308 wrote to memory of 596	2308	smss.exe	81
PID 1644 wrote to memory of 1652	1644	WScript.exe	82
PID 1644 wrote to memory of 1652	1644	WScript.exe	82
PID 1644 wrote to memory of 1652	1644	WScript.exe	82
PID 1652 wrote to memory of 3036	1652	smss.exe	83
PID 1652 wrote to memory of 3036	1652	smss.exe	83
PID 1652 wrote to memory of 3036	1652	smss.exe	83
PID 1652 wrote to memory of 2780	1652	smss.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
"C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhxuXJBDwm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1524
- - C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
    "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10465efc-f1a1-460b-b579-1e95f8eb8e90.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5128c178-d12a-4009-93e0-cab99efb3b36.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0b48735-f0a6-4179-ad18-729b6c16f9e1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79e9d193-d234-4603-8c0e-652f12cf15e4.vbs"
        10⤵
        
        PID:3036
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5be77f64-86cc-4980-844a-934b18fa99ae.vbs"
        12⤵
        
        PID:2460
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81b83fd3-d7aa-4423-96ea-b81ca04d8110.vbs"
        14⤵
        
        PID:1564
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4ffebf-bc5f-420f-ba69-455c701642de.vbs"
        16⤵
        
        PID:2168
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        17⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66bb2123-e047-45c0-a1f0-f0edd3534122.vbs"
        18⤵
        
        PID:2972
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        19⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16716be3-7019-475f-99a6-e34681835082.vbs"
        20⤵
        
        PID:668
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe"
        21⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c95a8f9-5c1f-400b-9fd9-7ecb4425a27a.vbs"
        20⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513099ed-4667-45d4-933f-5530b3b150c6.vbs"
        18⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86006bf9-2bb5-436d-b860-1290fc561a44.vbs"
        16⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b357c7a-ac11-4511-bebe-8732bb1cb599.vbs"
        14⤵
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c1003f8-fc7b-477d-8966-a8ba6153945a.vbs"
        12⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da725d0a-4ba4-4f7a-a7a9-b6381c5d3907.vbs"
        10⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb55587-6d00-4aea-b93c-1d6c35a26a66.vbs"
        8⤵
        
        PID:596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de212286-6ddf-4de9-86f8-b507f408017e.vbs"
        6⤵
        
        PID:1028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3f359ba-4562-420d-aa7b-027b21877646.vbs"
      4⤵
      PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\smss.exe

Filesize
1.6MB

MD5
1e635900f25bb2891a42cf6d65ca80eb

SHA1
0c6e3ec0b571ee3d1504a4769a77405ba9a54edb

SHA256
0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef

SHA512
c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d4ffebf-bc5f-420f-ba69-455c701642de.vbs

Filesize
739B

MD5
3b00e6c6f42cb747c65161e02523b4a4

SHA1
bdae24316518da4862237e16e0f3570c54b8ab83

SHA256
63206f73f698c5bbe0a0a966f3d80c3fbc5bff6fcf9490b3273de52e66442f6f

SHA512
cf6aa869411e1e7cf96a33b132a3ff29b8ab6ea84dfa4560c26ab6ca5658918152c31fc13869640041652bb83bc8480683eb6435767205ec626cdfcb3fcc65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10465efc-f1a1-460b-b579-1e95f8eb8e90.vbs

Filesize
739B

MD5
289b646e0245200021bcba2e8fb0e23b

SHA1
a2407248a62064aecbb20ca1e236f984ba95383c

SHA256
440016d4b7fed02d2627d3daa7d8fc71f988c50cc954c94ae4d16911633d8df8

SHA512
dd6c94e0aea00e1425c471a869d68b7c596ea3c77b885bb1e3687c78efd7257e68b6533cafbc92f57a24dcaadf7a62a334c555a779c30fce9da1c41cb041cef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\16716be3-7019-475f-99a6-e34681835082.vbs

Filesize
739B

MD5
ab072c1de4c73bc510bd74a336079869

SHA1
2bd08db894169364c488adf804a198072c390359

SHA256
264564ff64952b496e94744c49c322816f90277711002e258bafa7254e02fa92

SHA512
f1675eef6c03dcfd2f776e2bcb89246eabe32f92ccc3241bf3c861a9efb4b495b258bf7fae3c855706a8ac9c5147a6f28ec9c0bbc9b28b2a40c5124e72be8253

Download Submit
C:\Users\Admin\AppData\Local\Temp\5128c178-d12a-4009-93e0-cab99efb3b36.vbs

Filesize
739B

MD5
85d7593726883389ae05d7e30d6d805f

SHA1
3466d95716cb0d1866a11baf9995ebfc7587649c

SHA256
178f7fb5f8420135889fa954e2ce64aeea7de9446fbbc0220fd23bdbaecdc17e

SHA512
e077bc0d26bc979efd2ad22710afff2bfb4b2f035bc12966d0fb3b85b84cd601e319fcc2121f60563cd8aa4617eccf03869fbd5729bf59ce6705865ee64338db

Download Submit
C:\Users\Admin\AppData\Local\Temp\5be77f64-86cc-4980-844a-934b18fa99ae.vbs

Filesize
739B

MD5
41ddea9f3d65ada643bbaf35a340ecdc

SHA1
e8401f54f11e961ca1a53a41b80d2a4fd31e2833

SHA256
77dc3f37b1066b9a90d55a381f229190085235d9da949d104faf13b9dbc0cf9c

SHA512
e2eefbcdda249d718cd37d038e7ad6fdceaef001e945eb91fe54634881eab163054970f890fe1f080705f5ec81cf93f1c3185c9d0accbc811ddda6de2ed1fd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bb2123-e047-45c0-a1f0-f0edd3534122.vbs

Filesize
739B

MD5
b63abb9a5c5554e17ae59953926cf362

SHA1
a4ddc9b696fb313429086f3fb702f8aa97cce1ae

SHA256
5a8e67266cd37d9e706a5991fa0ddf96bfe46b11d112589819fa3ff2e96ee369

SHA512
55f5fdf50f5b7537798fe1b4d5f12aa37543ff3b9e04bce29a1212e29c48b5ce0e75e10292b2a7147a47f703ab39f5ae0310f258e038779b0040dd635b1ce030

Download Submit
C:\Users\Admin\AppData\Local\Temp\79e9d193-d234-4603-8c0e-652f12cf15e4.vbs

Filesize
739B

MD5
cf46679b8a18b799e1c316e1ccc53743

SHA1
ad61b3866a2e64ea026576acfd036e00918e1033

SHA256
baf42aee01041e471a15d129337e58be09a3676c8009450d8beb35d4db1ed91c

SHA512
0f00ef0406b3bf98826d72f7f2adc36422a201911f0327da93e5f08f2d5c4247edbe533e544446d31bdb3b3fbfb7cf7cc4e6451a21d4e4c1d1d2477cd21b4873

Download Submit
C:\Users\Admin\AppData\Local\Temp\81b83fd3-d7aa-4423-96ea-b81ca04d8110.vbs

Filesize
739B

MD5
084664ab6689963d0e56c83556c96e9e

SHA1
933aec5aea8ad3aee452b20fbf669211099bfb1d

SHA256
3742601ef2d807e5dce4f224b1630cb3aa1d7d6f5f85ee7044d5e98f7ceab2fd

SHA512
744a0a656ce9e48ff2850cc8bf63f002fc6951b8e4f7952c4205ee01c445c5ae2e182dab656fd5802dca018cda867b254bd380d3cee9fca355145070975dc976

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhxuXJBDwm.bat

Filesize
228B

MD5
4d851a51c91d1251bdf0794fbe30e5a1

SHA1
ded3b381e6745132a287fa68965c105568bfe2db

SHA256
123fe81c059fedf1c37724bfa71ad1486e343996b385da310f89b7dbca1e2e60

SHA512
fe93f14afdd44dae68b8f47357274fd30b06d3dc9c715d170e28b1ff19ee7052fb49e42d8d6236b93b39a9f280ab412be6c9e67d5a915e18f4f878fbf3c69934

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3f359ba-4562-420d-aa7b-027b21877646.vbs

Filesize
515B

MD5
3dbf101db3e50a2c046b17fcb0852630

SHA1
905d85b9bf2851c35fc40a7a82f059fc44363aa5

SHA256
65afd401b0b98456557346b7f68bb1a108771aafa8664a6ede29db71ddd6bb81

SHA512
0e97091c9e54548a5b2a5bdf878267eb326fb65ee4c8efef1c84948fefd45b8f8f55b31782fa0b58ddfdb9a3d866f2465cf68463034151cf62c4d6124c6fd2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0b48735-f0a6-4179-ad18-729b6c16f9e1.vbs

Filesize
739B

MD5
acfbfcba32753242c0859c417e7e3962

SHA1
6f9fa31723a76e7dc7b7276e559f571eb6b77914

SHA256
97f0735ada3a09c638a25f11e2c9b36799f5ad214b35c21e0f4972cd33bdf2f9

SHA512
65b859e94cd51e80dea038201429ccfd608731323ccf5df7d48e578df47cbe00a2eb864c9feb0cbf95450329491bd4278ca4222b5da841f0a76a95af1c1e500c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5dd68e205c63df152ec773cf98006921

SHA1
48103df4c634c1631f209193570940ded3fddb79

SHA256
401dab7a7cab85286986f38ff9c3f0152df1f902991745caee69a7b02911a886

SHA512
faa9c426a8a9a151c32823148d8d9b91f975b2d8885e9b8b3c4bf85d8adcce8c2e67c3cf25f4b874fdc85334b55f036826c138a84f69483420a746513d8fa2cc

Download Submit
memory/1596-180-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/1656-169-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download
memory/1756-149-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2188-259-0x00000000013C0000-0x0000000001562000-memory.dmp

Filesize
1.6MB

Download
memory/2192-150-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2228-247-0x0000000000120000-0x00000000002C2000-memory.dmp

Filesize
1.6MB

Download
memory/3004-16-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/3004-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/3004-13-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/3004-129-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-8-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/3004-14-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/3004-12-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/3004-9-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/3004-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/3004-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/3004-6-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/3004-7-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3004-4-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/3004-10-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/3004-2-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/3004-1-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download