Overview

overview

10

Static

static

10

4b5d342b8c...86.exe

windows7-x64

9

4b5d342b8c...86.exe

windows10-2004-x64

9

4bb452a3de...a3.exe

windows7-x64

10

4bb452a3de...a3.exe

windows10-2004-x64

7

4bbf1f33d0...4d.exe

windows7-x64

8

4bbf1f33d0...4d.exe

windows10-2004-x64

8

4bc17871c1...64.exe

windows7-x64

10

4bc17871c1...64.exe

windows10-2004-x64

10

4be84836f6...c8.exe

windows7-x64

10

4be84836f6...c8.exe

windows10-2004-x64

10

4c2f38b994...d5.exe

windows7-x64

10

4c2f38b994...d5.exe

windows10-2004-x64

10

4c948e4226...26.exe

windows7-x64

10

4c948e4226...26.exe

windows10-2004-x64

10

4ca1d61a24...2e.exe

windows7-x64

10

4ca1d61a24...2e.exe

windows10-2004-x64

10

4cc3e6fe69...22.exe

windows7-x64

10

4cc3e6fe69...22.exe

windows10-2004-x64

10

4cf9706999...8e.exe

windows7-x64

10

4cf9706999...8e.exe

windows10-2004-x64

10

4d8cd82fa6...d5.exe

windows7-x64

10

4d8cd82fa6...d5.exe

windows10-2004-x64

10

4d947659fe...19.exe

windows7-x64

10

4d947659fe...19.exe

windows10-2004-x64

10

4dac62ad00...ec.exe

windows7-x64

10

4dac62ad00...ec.exe

windows10-2004-x64

10

4dde57eed0...7b.exe

windows7-x64

10

4dde57eed0...7b.exe

windows10-2004-x64

10

4e1fdde317...d3.exe

windows7-x64

10

4e1fdde317...d3.exe

windows10-2004-x64

10

4e248cce2f...a7.exe

windows7-x64

10

4e248cce2f...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c948e42267877c379b01be5faa66926.exe

  • Size

    5.9MB

  • MD5

    4c948e42267877c379b01be5faa66926

  • SHA1

    282254e3ab196c9810c8bdf74f3fe00977bfa120

  • SHA256

    63a4873a5658c4de311b5952d39969115f434f90c14d18a991dbc475b03ce8a7

  • SHA512

    776483f78e6f9634551ce06d87e8fad9a58afbd962d62eb6176f2e5d05bf3c77a026af2b2e0a36c22957141de18ce085e9084aafb0c3ca3436270395f6fc5612

  • SSDEEP

    98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:hyeU11Rvqmu8TWKnF6N/1wK

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 30 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 15 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 15 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe
    "C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7330c8a20692d0b35002ea5a/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f170d29a37c9c9775251/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5744
    • C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe
      "C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7330c8a20692d0b35002ea5a/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f170d29a37c9c9775251/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5536
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vvMw8C99ll.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:3224
          • C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe
            "C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4132
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1757ffd-9d9b-4969-8fa1-d992487b813b.vbs"
              5⤵
                PID:4024
                • C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe
                  C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe
                  6⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1440
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\612f4014-6007-4556-9b68-242438484615.vbs"
                    7⤵
                      PID:1988
                      • C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe
                        C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe
                        8⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:4436
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3331c3d-f65e-41d1-8fc1-e2cb28009033.vbs"
                          9⤵
                            PID:5936
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9497cb03-d3a8-4003-893a-387b8670df11.vbs"
                            9⤵
                              PID:2592
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\142134ab-564b-4813-8fb4-0269c80801ae.vbs"
                          7⤵
                            PID:1424
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c356f7d-c7d0-4ec4-9879-5727962420a7.vbs"
                        5⤵
                          PID:5668
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1592
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1776
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3188
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5412
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5936
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4800
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4976
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4824
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4780
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4932
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1072
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1268
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2052
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3644
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4792
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3160
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\SearchApp.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1632
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4080
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1392
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:820
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:832
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5996
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "4c948e42267877c379b01be5faa669264" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\4c948e42267877c379b01be5faa66926.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2280
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "4c948e42267877c379b01be5faa66926" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\4c948e42267877c379b01be5faa66926.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1616
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "4c948e42267877c379b01be5faa669264" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\4c948e42267877c379b01be5faa66926.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5220

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe
                  Filesize

                  5.9MB

                  MD5

                  7673f8f68b31a338a032e75976ed5161

                  SHA1

                  d145272fd1898488eb6de5aa8eaeae7e13259aac

                  SHA256

                  1a7f4443f4a1a0764fbb920e9cec82209fade62c87fa1b6541c38d3617cf88bc

                  SHA512

                  41124197b130be2dce3d618ea7494e49c89d70ff7d88f49a7d06b3b2f22768aedaa0cb558a382d144cc2aae66a93ce50d63167369bc683cca09bd720f9a0830e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4c948e42267877c379b01be5faa66926.exe.log
                  Filesize

                  1KB

                  MD5

                  612072f28dae34eb75a144057666a2ba

                  SHA1

                  3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

                  SHA256

                  ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

                  SHA512

                  b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
                  Filesize

                  1KB

                  MD5

                  229da4b4256a6a948830de7ee5f9b298

                  SHA1

                  8118b8ddc115689ca9dc2fe8c244350333c5ba8b

                  SHA256

                  3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

                  SHA512

                  3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  c667bc406c30dedf08683212c4a204b5

                  SHA1

                  4d713119a8483f32461a45e8291a2b8dc1fc4e7d

                  SHA256

                  0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

                  SHA512

                  1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  e69ced0a44ced088c3954d6ae03796e7

                  SHA1

                  ef4cac17b8643fb57424bb56907381a555a8cb92

                  SHA256

                  49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

                  SHA512

                  15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  75b793d8785da13700a6ebd48c30d77d

                  SHA1

                  b7d004bac69f44d9c847a49933d1df3e4dafd5db

                  SHA256

                  ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

                  SHA512

                  37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  a0a5a1b68ad6facd1636fe5f5e1c4359

                  SHA1

                  e4fee6d6a2476904d9ba14d9045341df3616ca4a

                  SHA256

                  7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

                  SHA512

                  1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  48b2b59bd1016475be4de4e087bb8169

                  SHA1

                  ecf9263187e29dc612224a6e1a4c5243ed110040

                  SHA256

                  df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209

                  SHA512

                  2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  8e4ff3a0909baedcb1b0262ff5e552ca

                  SHA1

                  1034224ce0c0e39fb81789be9ed6d710c4ec0b7d

                  SHA256

                  caaf38168b7d72e42d0aed40b07f268d3a8b8155c3c9ca10beb19b0155ff1abe

                  SHA512

                  24727aeeeb0a295b8ae9753a29242e299f38eb43e60dd72744e13d08a6bfcd77b8e639da7d266e077dec58c96540a65638cbfe688b9a0a89c990ff4085507644

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  48cc83090af5044d78cf2989a7d1bb25

                  SHA1

                  07ba570b04aebed6bff26cbc66fa5ac4d9f249eb

                  SHA256

                  c4060076432eea989d904304add15c3ec175073a5250fe858808d3b0e70a38a9

                  SHA512

                  85d732b6c4b316f53faa692dfdbb36359d158421a7a696d434d01535dca032bde8656bee09ffaabe6d457335acc6496a36effafc41caf9800eb3438891e6ab9d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  3e242d3c4b39d344f66c494424020c61

                  SHA1

                  194e596f33d54482e7880e91dc05e0d247a46399

                  SHA256

                  f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

                  SHA512

                  27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  9a2c763c5ff40e18e49ad63c7c3b0088

                  SHA1

                  4b289ea34755323fa869da6ad6480d8d12385a36

                  SHA256

                  517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

                  SHA512

                  3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  150616521d490e160cd33b97d678d206

                  SHA1

                  71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

                  SHA256

                  94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

                  SHA512

                  7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  3c625954a51c4bbd8141206b00f6fc0a

                  SHA1

                  4128cb2f9d2984844e303e2e330e448334e5c273

                  SHA256

                  952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

                  SHA512

                  3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  66c1af19164d3b08179f388a26c2bde9

                  SHA1

                  599bb2101a033126bc82001419b94a3467fe86f2

                  SHA256

                  48950437c36bb693eae5049f0eef84824d76169e0cd736590b401b0713be3b30

                  SHA512

                  5b575918813e354824c07ac91ea7c1fb121d903065d1f2cab92393ae215825b1392c50f8658a5c482c6a1fdd9922b1f29f9f34fe53a584169285cbe0ea10a17b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  6019bc03fe1dc3367a67c76d08b55399

                  SHA1

                  3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

                  SHA256

                  7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

                  SHA512

                  6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4c356f7d-c7d0-4ec4-9879-5727962420a7.vbs
                  Filesize

                  520B

                  MD5

                  bdd3db06304d975d47c6771ba6ddd51c

                  SHA1

                  90918f03ca1e532f501f4f91ffc6423422473308

                  SHA256

                  cf2ebd70cdc9df22b769dbe27fb1bda0cd312e80fa0869706a95ba56f172c677

                  SHA512

                  e617c9486a5eb3b9d3aaa73c313f56a85d3954f994a9fd565a2532b2e37553b7f04a0ac4e20e58c11d549a592d867931bec905a37e68fa595f6edee97e6ef2a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe
                  Filesize

                  5.9MB

                  MD5

                  4c948e42267877c379b01be5faa66926

                  SHA1

                  282254e3ab196c9810c8bdf74f3fe00977bfa120

                  SHA256

                  63a4873a5658c4de311b5952d39969115f434f90c14d18a991dbc475b03ce8a7

                  SHA512

                  776483f78e6f9634551ce06d87e8fad9a58afbd962d62eb6176f2e5d05bf3c77a026af2b2e0a36c22957141de18ce085e9084aafb0c3ca3436270395f6fc5612

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\612f4014-6007-4556-9b68-242438484615.vbs
                  Filesize

                  744B

                  MD5

                  016703ac910be7f4e5ba4addd1b1889e

                  SHA1

                  b052ac1eabb352d323463eee174870000417a95e

                  SHA256

                  40fbc849075b713811d2ada849f971addb92840c52d357c7b0c2b2103103d8f0

                  SHA512

                  bd22c4ebe58374ae56ac8a15f1cbda958a7c5ecdde8f22c59e31cf4d4d44700e9ce91146a63ba36f47e62e763599574e11c4c3f353229d4f2999078a92ae34cd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zg0rzxf.hxt.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\b1757ffd-9d9b-4969-8fa1-d992487b813b.vbs
                  Filesize

                  744B

                  MD5

                  0bbdb195b75e2c3c380c9bff992ffaca

                  SHA1

                  568092c82e742d358a529f45413c5427d94b7b97

                  SHA256

                  cc02142c5dfa609e4b1f850021f23d23abfe2b2574de2cc71160d4b55a688d35

                  SHA512

                  c75cc33fe96a34abf78fb14ac50db5e77b6839699d40ac954f83a70d188f9d991eb2e6a26a327eb832013673243e53c2ab2f2b40404ee7943853bd0d4690e5a0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\b3331c3d-f65e-41d1-8fc1-e2cb28009033.vbs
                  Filesize

                  744B

                  MD5

                  d86aa94613e61ae6ff1144bc89059b3f

                  SHA1

                  0b0cfd24bcdefac6ea7ea11fcf63a2ad99d4132b

                  SHA256

                  f71841c6c423a4867f2ccc50a95062f76288e89d295fadb6e56df08ee772eb52

                  SHA512

                  a87837235902bcb80751cd4ae5951bbf39b73430ec758e791639aeaac89d444f100acef12a5e76b7a96f60ea033e271919cd7b71bdb003b17077c80f2bb6372f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\vvMw8C99ll.bat
                  Filesize

                  233B

                  MD5

                  f267508427f1d6f787b086fc3373f439

                  SHA1

                  4d6b8e9fc6b4a2ded39c4d0abb4a3f0c43fbf6e8

                  SHA256

                  fbad416d94d697fa1905690604c18beac73a25bf66ceef51f8f055d13ef71940

                  SHA512

                  7fe35f492a5e4ee1a3cb15340f1eeefc8f36afd574606f97e282fb21a7add8f5a10e836b00e039994e2180620f24b23dba9a640648eab635cf2f9dfec01b07bc

                  Download Submit

                • memory/1008-259-0x000000001DB50000-0x000000001DB62000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1440-426-0x000000001EAB0000-0x000000001EAC2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2796-146-0x000001A34B420000-0x000001A34B442000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4132-412-0x000000001E980000-0x000000001E992000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/5204-17-0x000000001D460000-0x000000001D46A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/5204-21-0x000000001D4E0000-0x000000001D4EC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-32-0x000000001D690000-0x000000001D69C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-31-0x000000001D680000-0x000000001D688000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-36-0x000000001D7D0000-0x000000001D7DE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5204-35-0x000000001D7C0000-0x000000001D7C8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-34-0x000000001D7B0000-0x000000001D7BE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5204-33-0x000000001D6A0000-0x000000001D6AA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/5204-38-0x000000001D7F0000-0x000000001D7FC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-37-0x000000001D7E0000-0x000000001D7E8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-39-0x000000001D800000-0x000000001D808000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-40-0x000000001D810000-0x000000001D81A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/5204-41-0x000000001D820000-0x000000001D82C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-29-0x000000001D560000-0x000000001D56C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-28-0x000000001D550000-0x000000001D558000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-27-0x000000001D540000-0x000000001D54C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-26-0x000000001D530000-0x000000001D53C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-230-0x00007FFF94390000-0x00007FFF94E51000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5204-25-0x000000001DA60000-0x000000001DF88000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/5204-24-0x000000001D500000-0x000000001D512000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/5204-22-0x000000001D4F0000-0x000000001D4F8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-30-0x000000001D570000-0x000000001D57C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-20-0x000000001D4D0000-0x000000001D4D8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-19-0x000000001D4C0000-0x000000001D4CC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-18-0x000000001D470000-0x000000001D4C6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/5204-0-0x00007FFF94393000-0x00007FFF94395000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5204-16-0x000000001D440000-0x000000001D450000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/5204-15-0x000000001D430000-0x000000001D438000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-14-0x000000001D450000-0x000000001D45C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5204-9-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-11-0x000000001B9E0000-0x000000001B9F6000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/5204-12-0x000000001BA00000-0x000000001BA08000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-13-0x000000001BA10000-0x000000001BA22000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/5204-10-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/5204-8-0x000000001D2E0000-0x000000001D330000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/5204-7-0x0000000002F30000-0x0000000002F4C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/5204-6-0x0000000002F20000-0x0000000002F28000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5204-5-0x0000000002F00000-0x0000000002F0E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5204-4-0x0000000002EF0000-0x0000000002EFE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5204-3-0x00007FFF94390000-0x00007FFF94E51000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/5204-2-0x00000000016F0000-0x00000000016F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5204-1-0x0000000000570000-0x0000000000E68000-memory.dmp

                  Filesize

                  9.0MB

                  Download