dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Size

1.6MB
MD5

522b3cc9b8e0565c5a2eb2d40b7a9513
SHA1

86d71ba007afecc0f28e9815086992099a13f2c4
SHA256

86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
SHA512

a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2952	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2952	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2108-1-0x0000000000080000-0x0000000000222000-memory.dmp	dcrat
behavioral25/files/0x0005000000019641-25.dat	dcrat
behavioral25/files/0x0012000000012281-101.dat	dcrat
behavioral25/memory/316-147-0x0000000000DB0000-0x0000000000F52000-memory.dmp	dcrat
behavioral25/memory/2012-158-0x0000000001110000-0x00000000012B2000-memory.dmp	dcrat
behavioral25/memory/2840-170-0x0000000001130000-0x00000000012D2000-memory.dmp	dcrat
behavioral25/memory/1228-193-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat
behavioral25/memory/2212-216-0x0000000000CC0000-0x0000000000E62000-memory.dmp	dcrat
behavioral25/memory/2268-228-0x0000000001380000-0x0000000001522000-memory.dmp	dcrat
behavioral25/memory/1636-251-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral25/memory/2520-263-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat
behavioral25/memory/3008-275-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1144	powershell.exe
1828	powershell.exe
964	powershell.exe
1960	powershell.exe
2872	powershell.exe
2324	powershell.exe
2192	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
316	dwm.exe
2012	dwm.exe
2840	dwm.exe
2332	dwm.exe
1228	dwm.exe
1964	dwm.exe
2212	dwm.exe
2268	dwm.exe
1980	dwm.exe
1636	dwm.exe
2520	dwm.exe
3008	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\cc11b995f2a76d	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCXA9B9.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCXA9BA.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\smss.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File created	C:\Windows\Tasks\69ddcba757bf72	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Windows\Tasks\RCXB43E.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Windows\Tasks\RCXB4AC.tmp	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
File opened for modification	C:\Windows\Tasks\smss.exe	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
3012	schtasks.exe
2736	schtasks.exe
2348	schtasks.exe
1680	schtasks.exe
332	schtasks.exe
2764	schtasks.exe
2708	schtasks.exe
3004	schtasks.exe
1964	schtasks.exe
2696	schtasks.exe
1388	schtasks.exe
1980	schtasks.exe
2904	schtasks.exe
1200	schtasks.exe
1752	schtasks.exe
1936	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
2192	powershell.exe
2872	powershell.exe
1828	powershell.exe
1144	powershell.exe
964	powershell.exe
1960	powershell.exe
2324	powershell.exe
316	dwm.exe
2012	dwm.exe
2840	dwm.exe
2332	dwm.exe
1228	dwm.exe
1964	dwm.exe
2212	dwm.exe
2268	dwm.exe
1980	dwm.exe
1636	dwm.exe
2520	dwm.exe
3008	dwm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	316	dwm.exe
Token: SeDebugPrivilege	2012	dwm.exe
Token: SeDebugPrivilege	2840	dwm.exe
Token: SeDebugPrivilege	2332	dwm.exe
Token: SeDebugPrivilege	1228	dwm.exe
Token: SeDebugPrivilege	1964	dwm.exe
Token: SeDebugPrivilege	2212	dwm.exe
Token: SeDebugPrivilege	2268	dwm.exe
Token: SeDebugPrivilege	1980	dwm.exe
Token: SeDebugPrivilege	1636	dwm.exe
Token: SeDebugPrivilege	2520	dwm.exe
Token: SeDebugPrivilege	3008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1144	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	49
PID 2108 wrote to memory of 1144	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	49
PID 2108 wrote to memory of 1144	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	49
PID 2108 wrote to memory of 2192	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	50
PID 2108 wrote to memory of 2192	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	50
PID 2108 wrote to memory of 2192	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	50
PID 2108 wrote to memory of 2324	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	51
PID 2108 wrote to memory of 2324	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	51
PID 2108 wrote to memory of 2324	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	51
PID 2108 wrote to memory of 2872	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	52
PID 2108 wrote to memory of 2872	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	52
PID 2108 wrote to memory of 2872	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	52
PID 2108 wrote to memory of 1960	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	54
PID 2108 wrote to memory of 1960	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	54
PID 2108 wrote to memory of 1960	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	54
PID 2108 wrote to memory of 964	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	57
PID 2108 wrote to memory of 964	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	57
PID 2108 wrote to memory of 964	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	57
PID 2108 wrote to memory of 1828	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	59
PID 2108 wrote to memory of 1828	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	59
PID 2108 wrote to memory of 1828	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	59
PID 2108 wrote to memory of 1620	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	63
PID 2108 wrote to memory of 1620	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	63
PID 2108 wrote to memory of 1620	2108	86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe	63
PID 1620 wrote to memory of 1888	1620	cmd.exe	65
PID 1620 wrote to memory of 1888	1620	cmd.exe	65
PID 1620 wrote to memory of 1888	1620	cmd.exe	65
PID 1620 wrote to memory of 316	1620	cmd.exe	66
PID 1620 wrote to memory of 316	1620	cmd.exe	66
PID 1620 wrote to memory of 316	1620	cmd.exe	66
PID 316 wrote to memory of 2736	316	dwm.exe	68
PID 316 wrote to memory of 2736	316	dwm.exe	68
PID 316 wrote to memory of 2736	316	dwm.exe	68
PID 316 wrote to memory of 2812	316	dwm.exe	69
PID 316 wrote to memory of 2812	316	dwm.exe	69
PID 316 wrote to memory of 2812	316	dwm.exe	69
PID 2736 wrote to memory of 2012	2736	WScript.exe	70
PID 2736 wrote to memory of 2012	2736	WScript.exe	70
PID 2736 wrote to memory of 2012	2736	WScript.exe	70
PID 2012 wrote to memory of 1884	2012	dwm.exe	71
PID 2012 wrote to memory of 1884	2012	dwm.exe	71
PID 2012 wrote to memory of 1884	2012	dwm.exe	71
PID 2012 wrote to memory of 2608	2012	dwm.exe	72
PID 2012 wrote to memory of 2608	2012	dwm.exe	72
PID 2012 wrote to memory of 2608	2012	dwm.exe	72
PID 1884 wrote to memory of 2840	1884	WScript.exe	73
PID 1884 wrote to memory of 2840	1884	WScript.exe	73
PID 1884 wrote to memory of 2840	1884	WScript.exe	73
PID 2840 wrote to memory of 3052	2840	dwm.exe	74
PID 2840 wrote to memory of 3052	2840	dwm.exe	74
PID 2840 wrote to memory of 3052	2840	dwm.exe	74
PID 2840 wrote to memory of 2364	2840	dwm.exe	75
PID 2840 wrote to memory of 2364	2840	dwm.exe	75
PID 2840 wrote to memory of 2364	2840	dwm.exe	75
PID 3052 wrote to memory of 2332	3052	WScript.exe	76
PID 3052 wrote to memory of 2332	3052	WScript.exe	76
PID 3052 wrote to memory of 2332	3052	WScript.exe	76
PID 2332 wrote to memory of 960	2332	dwm.exe	77
PID 2332 wrote to memory of 960	2332	dwm.exe	77
PID 2332 wrote to memory of 960	2332	dwm.exe	77
PID 2332 wrote to memory of 1828	2332	dwm.exe	78
PID 2332 wrote to memory of 1828	2332	dwm.exe	78
PID 2332 wrote to memory of 1828	2332	dwm.exe	78
PID 960 wrote to memory of 1228	960	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
"C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XRLuoqEfYg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1888
- - C:\Users\Default User\dwm.exe
    "C:\Users\Default User\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee62617-f05b-4462-9263-a8b9c114427a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2619dcbf-73b0-47ce-8494-7560f5aebf60.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bf1afbd-4aaf-4eb2-9981-724c0f330156.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b981ac09-acd1-4360-8d42-6ab7ff6274a6.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffea083c-99a0-4b19-815e-b0d7838d18b1.vbs"
        12⤵
        
        PID:2704
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12ad4170-86ba-45b6-baa4-f3bca7ac3d1b.vbs"
        14⤵
        
        PID:2052
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6c0e2e7-50e6-414e-893f-4b0f9d0e7098.vbs"
        16⤵
        
        PID:708
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4b2634-d01d-460e-bdbb-0f59013ae5bc.vbs"
        18⤵
        
        PID:1764
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be889714-18d3-4fa0-b1dc-12e0b244b169.vbs"
        20⤵
        
        PID:2196
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8efd9359-68d6-488e-b552-aedd3673c2d8.vbs"
        22⤵
        
        PID:1596
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f08996a-7da0-49fa-aa82-59049a062339.vbs"
        24⤵
        
        PID:2164
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f6826e-715f-4608-8737-29a67689ccd9.vbs"
        26⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c888f182-4dcb-4aeb-bf1c-0ca9b0aa99d3.vbs"
        26⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66275b9-4fa5-4653-acf4-8f7baace815a.vbs"
        24⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6941654-789d-4057-9668-23275435b0db.vbs"
        22⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3637debe-30b8-438f-b490-bf0b2f097ec4.vbs"
        20⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41d03587-54a2-4318-8ce0-1f8ee8ef3c19.vbs"
        18⤵
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1effc2d-b7df-4e3a-a3c8-e7f485503318.vbs"
        16⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc98f7d0-54b6-47db-9f80-d5384a7bec2c.vbs"
        14⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1e6493b-678e-4bbd-96f0-2999ec4fdb7d.vbs"
        12⤵
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a80da0e-6338-4813-9dba-9674ae71f3d5.vbs"
        10⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fcbfe8b-da0e-409c-b01f-00326661153e.vbs"
        8⤵
        
        PID:2364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34e1ec01-bcad-4652-93fd-656df22cebda.vbs"
        6⤵
        
        PID:2608
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65140831-1b73-4aba-a91c-812ed0b870aa.vbs"
      4⤵
      PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.6MB

MD5
522b3cc9b8e0565c5a2eb2d40b7a9513

SHA1
86d71ba007afecc0f28e9815086992099a13f2c4

SHA256
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12

SHA512
a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\12ad4170-86ba-45b6-baa4-f3bca7ac3d1b.vbs

Filesize
705B

MD5
b57d4eedfee72dbbc4243d470061c534

SHA1
95ec6600a080e7780ffd7f6e18772cd08dec9a51

SHA256
1443ef694d42377379c100f6cf394b83576098187940fb7e1b08ae7d555266a7

SHA512
cb184bdced1dbe4cc5bc2c00b43b95cf0c8c8719a9fdc3222cdb4c64e5ddbbe2c00458e0d16921a8979430b6cd59a8e057e8202829e272efab6a53f62a125cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2619dcbf-73b0-47ce-8494-7560f5aebf60.vbs

Filesize
705B

MD5
3dd5923948bfce06119b4dd5cac620a0

SHA1
5939db3a6603c442e75e3b6c85096243cafbc9bd

SHA256
c05959776b2ee079ad50fd76e745330af22c031c6961fbce5fcb5540d4bebf98

SHA512
1142eadec67c670a9997eade838b3f7cbc6f01f96645b959782ec6832f306c6dadc7a15c9fad2f643a63bd5f1c7660097e090cecaccb7d5e7217b454de808b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee62617-f05b-4462-9263-a8b9c114427a.vbs

Filesize
704B

MD5
58cb7cc0d63405a65d858ca5a7008f62

SHA1
9a458d7759c115691296895bbbb59f96443bff93

SHA256
30e7d863df41f2fecdf5630a6b27bb7525062f6fbd86c479263410abd39d704d

SHA512
f3a1722fd7844aa3d98d5c81a17351ed1c535fb0e96a8a427e15095a4093fd8646fa2340e559813446dcc3ad273b899b81cd8e817c600dfe71ce5b811d988174

Download Submit
C:\Users\Admin\AppData\Local\Temp\65140831-1b73-4aba-a91c-812ed0b870aa.vbs

Filesize
481B

MD5
9b2a836315f2199f07ee5c1a019c9b17

SHA1
09a1c7f55392eceabd896f75e0ee9872528bd3b2

SHA256
60dd34d625aaa35ce32617748cf1ca70c5aa71404e2ef37968ca7888a2f380f5

SHA512
a53d7be8b50a69f5b785c827caf67f4ab91c3537aca7040d6e572befe6c4bb90081c2d71b0372e21b5e80d8aca866cc3311a7aa6e9066ffea12a67f4373880cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bf1afbd-4aaf-4eb2-9981-724c0f330156.vbs

Filesize
705B

MD5
c75e07a8fce38dcd50668761528f016b

SHA1
0e833df60f8f4831d73ec6ae356dc0816aa7c97b

SHA256
71a158e806f8bc8799245f17c12e97c9ee52503caba3608b418d4a18a4c0bb65

SHA512
aa682d281b9c0d8ada5a21376ab2192f89bb91ef061334d38d5de2b7ab263ef285f59649e5796a0b0e6943699097cf4d3ce3d74d6cd974b44d1dba37f52b3e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b4b2634-d01d-460e-bdbb-0f59013ae5bc.vbs

Filesize
705B

MD5
dc31ca7e5288cb29e2219ecd38c7d5f0

SHA1
64de5dc2662482ebcb5201d97508aa18418d522f

SHA256
e13cf860c1d057c583f355a731a0d237ccf74cb2dd81dc6ac73078524984476b

SHA512
843e69f6b0801549cb2f2eaf88143610c425686cb0dd0fdd913c39e4a5f8b4f78af096734736db0da482686768aaa07e4177a3b748ea678a1128c955eca45868

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f08996a-7da0-49fa-aa82-59049a062339.vbs

Filesize
705B

MD5
8cd7f75470d6cc3a3401bccbbdd27c80

SHA1
758448563542375c91aaa16863d122da6d35e23f

SHA256
fb4d553e88de82462dabd73a43759ad26ea50b267fd93af1df371a61edff5538

SHA512
c494e1962d273f4c2ccbb37935de6b75470adacc61b129870938cae5a9e567bbfba0c7e22843aebc70b340470cb2691469220d95104990314bef022179d1b748

Download Submit
C:\Users\Admin\AppData\Local\Temp\8efd9359-68d6-488e-b552-aedd3673c2d8.vbs

Filesize
705B

MD5
3767c3f0c891995d7977676feae176ca

SHA1
f6b4f03143baa6dbdd21311f24759475ee43c9a7

SHA256
4ea7afdc260c5380d7fd0fe796f53d51d79bf0072652eb0921e5540a0b44c1d8

SHA512
a40ca687dae498b1d0b66e382fafb3cbab1935ab1f1e3e2bb29a3e1b31d12803f0e16bca4a9f963e42c144219fb6b6203da38ade694b55c303290639625d25b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XRLuoqEfYg.bat

Filesize
194B

MD5
08fe1a3a021542ecf0d1e3ce2a3c2092

SHA1
acf845d4f1040173628a63d448cb2e338f8eb593

SHA256
0a08dbe73dc58949bd42cf94612042bbbaa85e3efd7dc2dbf3be387b13636e58

SHA512
4262ef1a0c0919dfe0021f7dd9d1662b18cc5d053fd019b55e7fdba74ac67e1108c2d935c8d45aa3e8dbbaf57d52e623839f6c25d08b82e7a393699de3e05c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6c0e2e7-50e6-414e-893f-4b0f9d0e7098.vbs

Filesize
705B

MD5
7ec0c83cdfe727751f1f12d3a2b49664

SHA1
8d9cd4f886e33177da93fb85206b296108093a03

SHA256
bc2cc5aea76365fde71e9ffbef4ffa8a340e52df0058efa67d71e6e4a4c5e99a

SHA512
fba6376449a16eea062a4fbebf4154b8a619edadcc4a34166f9d8729bf00f55c0a6a2737b2ea94950989382d00eaaa282c489903f7c64a32d8bbb7007d171560

Download Submit
C:\Users\Admin\AppData\Local\Temp\b981ac09-acd1-4360-8d42-6ab7ff6274a6.vbs

Filesize
705B

MD5
28beaacdbdcc957a55ece173537c825d

SHA1
4679f3268a873431992c95e9f4e09865d403bf6e

SHA256
3b0a0fdb71ef7d477f508ef6f9a19b3c6343f22b8d4affcda676f4ff1b329153

SHA512
ea00de66b0704062c40c5282097a496735044dca072f9b48b16f29e8282a12c799c932a839e059796b70139e9dffe69cdcd4358cebc96cba40e598d7a0d95c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\be889714-18d3-4fa0-b1dc-12e0b244b169.vbs

Filesize
705B

MD5
213191031892c795899d4a237d48f54a

SHA1
ea75a757e9081a62046d47d0a3961ac3e3c5bdc7

SHA256
18055c646a7188b0effa6df01ab2378b965a14fcf3cef91a6eacde9fe007aaaa

SHA512
5dc6326d4c8644e29eecf56889f7f8f451c5306759e3073aa24a7301ac35391f53c4f043fa65f23348b0da90acb3e902f657b08033d9c9c67251c635f6daf286

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0f6826e-715f-4608-8737-29a67689ccd9.vbs

Filesize
705B

MD5
1408dc56a3de33f747b4fc6cf3813478

SHA1
ac07258636a6704b55757c58fb8f5b4084385ff1

SHA256
1108719dfb741caa105dc9843ebc7f6f6488988b0eec8b45a6e227250c0ad634

SHA512
c3d15ff46ca3b52aa888bdbfb126e14b59b06786d1a251d08c7c9085e15f5b00d15fd5e89cd8aab58f696fcd45c064b0f14c85d34896900c5f8091aff36f9a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffea083c-99a0-4b19-815e-b0d7838d18b1.vbs

Filesize
705B

MD5
69506bb96b80b5f561cb0d6e3ac17b66

SHA1
9f37a121d49d2a6ea772d605522c9c974dc49366

SHA256
6a3bb73e76af1d06dcf62b1c669023ed6a92f602a8cd602b9d83396f09412c18

SHA512
8bd9f259375077eab39dc55ab6032a41e08548cc50339443cda7ba5340ea024117afedc81f503006080bd0e4026fa15f692fa81a9747b9e3653aed86481456ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99fa6d7fab552366a239fb2dee2fe2bf

SHA1
4f0a50cc5f25d11d1f36099f41651ec5f906fdc8

SHA256
71fa0c898de4622d7bec5e5122ae35f4689f889662d2afa6caf2f5385fed23c1

SHA512
93bb03b275a22d6a1154a43f6b2dd87389efd805edfd094fbce50a1cdeea519e6adc2cb37226052e2ea8a846470b32060f66d2f2a2664849592f908d83718487

Download Submit
C:\Windows\Tasks\smss.exe

Filesize
1.6MB

MD5
a68e1cca2c371f0ef7a8c72e8995c2a3

SHA1
73992539d835828c84b8ecf95cd561989f72b9dc

SHA256
2156f51e69435028ce74e2ee6e9f2dada1f5e34ca413e94547dd8842377e1fb8

SHA512
8e3f98c3f2e284fde5f642dfccbf62c464661f7162e60eb736de73f63531e8f9872908cd16d3a1961d317f03f493b3dd48d6709619ec3834db8ef3edcb5ca260

Download Submit
memory/316-147-0x0000000000DB0000-0x0000000000F52000-memory.dmp

Filesize
1.6MB

Download
memory/1228-193-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download
memory/1636-251-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/2012-158-0x0000000001110000-0x00000000012B2000-memory.dmp

Filesize
1.6MB

Download
memory/2108-11-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2108-13-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2108-1-0x0000000000080000-0x0000000000222000-memory.dmp

Filesize
1.6MB

Download
memory/2108-144-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-3-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/2108-4-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2108-5-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2108-7-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2108-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-8-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2108-9-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2108-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2108-12-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2108-6-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2108-10-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2108-14-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/2108-15-0x00000000020A0000-0x00000000020AA000-memory.dmp

Filesize
40KB

Download
memory/2108-16-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/2192-118-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2212-216-0x0000000000CC0000-0x0000000000E62000-memory.dmp

Filesize
1.6MB

Download
memory/2268-228-0x0000000001380000-0x0000000001522000-memory.dmp

Filesize
1.6MB

Download
memory/2520-263-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download
memory/2840-170-0x0000000001130000-0x00000000012D2000-memory.dmp

Filesize
1.6MB

Download
memory/2872-117-0x000000001B8B0000-0x000000001BB92000-memory.dmp

Filesize
2.9MB

Download
memory/3008-275-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download