dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c8fa2e136e29f51a3670f440b9f0a0.exe
Size

2.5MB
MD5

86c8fa2e136e29f51a3670f440b9f0a0
SHA1

103d45983c01fc861cb7390afe5db10ff2892fc0
SHA256

da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb
SHA512

7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\sfc_os\sppsvc.exe		86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\sfc_os\0a1fd5f707cd16		86c8fa2e136e29f51a3670f440b9f0a0.exe
		2960	schtasks.exe
		2696	schtasks.exe
		2724	schtasks.exe
		2728	schtasks.exe
		2748	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2964	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2964	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2964	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2964	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2964	schtasks.exe	29

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1492	powershell.exe
3004	powershell.exe
816	powershell.exe
1464	powershell.exe
1120	powershell.exe
948	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1460	sppsvc.exe
2116	sppsvc.exe
2012	sppsvc.exe
2776	sppsvc.exe
1536	sppsvc.exe
828	sppsvc.exe
2936	sppsvc.exe
908	sppsvc.exe
1996	sppsvc.exe
3040	sppsvc.exe
1744	sppsvc.exe
3052	sppsvc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\sfc_os\\sppsvc.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Documents and Settings\\System.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\de\\csrss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\NlsData0027\\taskhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\smss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\NlsData0027\b75386f1303e64	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\NlsData0027\RCX55C7.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\NlsData0027\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\sfc_os\sppsvc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\NlsData0027\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sfc_os\RCX4D86.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sfc_os\RCX4E04.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\NlsData0027\RCX553A.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sfc_os\sppsvc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\sfc_os\0a1fd5f707cd16	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\RCX5326.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\csrss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX57DB.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX580A.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\csrss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\69ddcba757bf72	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\RCX52A9.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\886983d96e3d3e	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2748	schtasks.exe
2960	schtasks.exe
2696	schtasks.exe
2724	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1460	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
432	86c8fa2e136e29f51a3670f440b9f0a0.exe
1492	powershell.exe
948	powershell.exe
3004	powershell.exe
816	powershell.exe
1464	powershell.exe
1120	powershell.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe
1460	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1460	sppsvc.exe
Token: SeDebugPrivilege	2116	sppsvc.exe
Token: SeDebugPrivilege	2012	sppsvc.exe
Token: SeDebugPrivilege	2776	sppsvc.exe
Token: SeDebugPrivilege	1536	sppsvc.exe
Token: SeDebugPrivilege	828	sppsvc.exe
Token: SeDebugPrivilege	2936	sppsvc.exe
Token: SeDebugPrivilege	908	sppsvc.exe
Token: SeDebugPrivilege	1996	sppsvc.exe
Token: SeDebugPrivilege	3040	sppsvc.exe
Token: SeDebugPrivilege	1744	sppsvc.exe
Token: SeDebugPrivilege	3052	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1120	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	35
PID 432 wrote to memory of 1120	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	35
PID 432 wrote to memory of 1120	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	35
PID 432 wrote to memory of 948	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	36
PID 432 wrote to memory of 948	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	36
PID 432 wrote to memory of 948	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	36
PID 432 wrote to memory of 1492	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 432 wrote to memory of 1492	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 432 wrote to memory of 1492	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 432 wrote to memory of 816	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 432 wrote to memory of 816	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 432 wrote to memory of 816	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 432 wrote to memory of 3004	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 432 wrote to memory of 3004	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 432 wrote to memory of 3004	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 432 wrote to memory of 1464	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 432 wrote to memory of 1464	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 432 wrote to memory of 1464	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 432 wrote to memory of 2308	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 432 wrote to memory of 2308	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 432 wrote to memory of 2308	432	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 2308 wrote to memory of 840	2308	cmd.exe	49
PID 2308 wrote to memory of 840	2308	cmd.exe	49
PID 2308 wrote to memory of 840	2308	cmd.exe	49
PID 2308 wrote to memory of 1460	2308	cmd.exe	50
PID 2308 wrote to memory of 1460	2308	cmd.exe	50
PID 2308 wrote to memory of 1460	2308	cmd.exe	50
PID 2308 wrote to memory of 1460	2308	cmd.exe	50
PID 2308 wrote to memory of 1460	2308	cmd.exe	50
PID 1460 wrote to memory of 2464	1460	sppsvc.exe	51
PID 1460 wrote to memory of 2464	1460	sppsvc.exe	51
PID 1460 wrote to memory of 2464	1460	sppsvc.exe	51
PID 1460 wrote to memory of 2620	1460	sppsvc.exe	52
PID 1460 wrote to memory of 2620	1460	sppsvc.exe	52
PID 1460 wrote to memory of 2620	1460	sppsvc.exe	52
PID 2464 wrote to memory of 2116	2464	WScript.exe	53
PID 2464 wrote to memory of 2116	2464	WScript.exe	53
PID 2464 wrote to memory of 2116	2464	WScript.exe	53
PID 2464 wrote to memory of 2116	2464	WScript.exe	53
PID 2464 wrote to memory of 2116	2464	WScript.exe	53
PID 2116 wrote to memory of 2732	2116	sppsvc.exe	54
PID 2116 wrote to memory of 2732	2116	sppsvc.exe	54
PID 2116 wrote to memory of 2732	2116	sppsvc.exe	54
PID 2116 wrote to memory of 2692	2116	sppsvc.exe	55
PID 2116 wrote to memory of 2692	2116	sppsvc.exe	55
PID 2116 wrote to memory of 2692	2116	sppsvc.exe	55
PID 2732 wrote to memory of 2012	2732	WScript.exe	56
PID 2732 wrote to memory of 2012	2732	WScript.exe	56
PID 2732 wrote to memory of 2012	2732	WScript.exe	56
PID 2732 wrote to memory of 2012	2732	WScript.exe	56
PID 2732 wrote to memory of 2012	2732	WScript.exe	56
PID 2012 wrote to memory of 1264	2012	sppsvc.exe	57
PID 2012 wrote to memory of 1264	2012	sppsvc.exe	57
PID 2012 wrote to memory of 1264	2012	sppsvc.exe	57
PID 2012 wrote to memory of 872	2012	sppsvc.exe	58
PID 2012 wrote to memory of 872	2012	sppsvc.exe	58
PID 2012 wrote to memory of 872	2012	sppsvc.exe	58
PID 1264 wrote to memory of 2776	1264	WScript.exe	59
PID 1264 wrote to memory of 2776	1264	WScript.exe	59
PID 1264 wrote to memory of 2776	1264	WScript.exe	59
PID 1264 wrote to memory of 2776	1264	WScript.exe	59
PID 1264 wrote to memory of 2776	1264	WScript.exe	59
PID 2776 wrote to memory of 700	2776	sppsvc.exe	60
PID 2776 wrote to memory of 700	2776	sppsvc.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
"C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sfc_os\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData0027\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kM5nbywaqV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:840
- - C:\Windows\System32\sfc_os\sppsvc.exe
    "C:\Windows\System32\sfc_os\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fed2dac-eaeb-48f6-a868-7b515b8ad5ae.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b3f3331-1bcf-435d-8091-18af4b56aca8.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088e6e58-fd88-46c0-855e-c7e6868b25d5.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9214d65-62b6-4d29-9e09-e7ea54b2569d.vbs"
        10⤵
        
        PID:700
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13c70590-2364-4ace-aead-e6383fbc27a4.vbs"
        12⤵
        
        PID:2992
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82c2b78-3133-432d-bade-fd18692808a9.vbs"
        14⤵
        
        PID:1696
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d141c87-e13f-450e-949f-2d246f761f8c.vbs"
        16⤵
        
        PID:2144
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b93f5b2-b902-4715-b1e0-418234a4bbb8.vbs"
        18⤵
        
        PID:1976
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abcf18a8-232c-44ba-bab1-e5f843e47bd2.vbs"
        20⤵
        
        PID:2252
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46b9cc8-8d6f-48dc-b147-fc9758aab385.vbs"
        22⤵
        
        PID:1816
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074fb51e-fe79-4f2a-b16a-ba818ec83e83.vbs"
        24⤵
        
        PID:2372
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        
        C:\Windows\System32\sfc_os\sppsvc.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e22acd9b-90aa-41ba-83f4-b44ddf7d5c82.vbs"
        26⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b721f441-83b4-44b0-9ea2-95fb422ab105.vbs"
        26⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\702b4a1b-8f61-4ba2-9ab9-94f8c75a874d.vbs"
        24⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433a5dcc-b031-4074-b4a5-0ff1c486cc49.vbs"
        22⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267e0f05-08c5-471e-b10f-9fd36a92ded0.vbs"
        20⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea113b40-1c0f-4ced-b0ac-8d3eaf2ddf09.vbs"
        18⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\550f74f2-ba38-4f1f-86ac-264471fb23aa.vbs"
        16⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e495bbff-7917-43c3-b05f-e9a4044e5d5f.vbs"
        14⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\141e39a8-aa36-46b8-8874-7eda862df3f7.vbs"
        12⤵
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4b667c-8681-4de6-b14d-b0cd8023aef6.vbs"
        10⤵
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eb0f1a5-7b11-437f-a4ef-3735f145fd5f.vbs"
        8⤵
        
        PID:872
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977e52b7-6642-4da4-b27d-321001a7bb05.vbs"
        6⤵
        
        PID:2692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4ba3436-3e9c-4c92-912b-f8a9f70e58ac.vbs"
      4⤵
      PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\sfc_os\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0027\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe

Filesize
2.5MB

MD5
86c8fa2e136e29f51a3670f440b9f0a0

SHA1
103d45983c01fc861cb7390afe5db10ff2892fc0

SHA256
da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

SHA512
7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\csrss.exe

Filesize
2.5MB

MD5
22ab5396ed459528b6d4480177b9e539

SHA1
038a27cc9a7049d8420f01f25727fdab5e516a9b

SHA256
8e15a055355d5fb5bba904b75c5a74eec942348876d089e0587a2aa66d2b0481

SHA512
84cf09ef4712e0589aa1581a7e70b15a95940cd89a8becb8fbfaaf8791fa08b2109b543cc08f19ec098c0005aeaa644e6d434f7db1bd970c3698d41c7f382c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\074fb51e-fe79-4f2a-b16a-ba818ec83e83.vbs

Filesize
713B

MD5
39fb12bf53b99b2982290485c872427f

SHA1
2d68f959f80cdaea403f6dcef90902ab677a6882

SHA256
c1ed6f29b70a0acb34a8a6a0e2f85dbf76a9f3387d009f48823b4211c4e14249

SHA512
add76028945bb53dbd9bb863fd2794892ebe67f2926ad2935da97b7e22323f30253813476bc923072dd327ec6c906f1a24520772429ef2548d540517ecb9bc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\088e6e58-fd88-46c0-855e-c7e6868b25d5.vbs

Filesize
713B

MD5
bbb987147227939e91d0e9cb01dc6142

SHA1
fa17a20c0482eabd405c129fdc710cbb02621a28

SHA256
a7857999e945ccbe1c948e7fdfcf4ae6fe30c07bc8d3b82a45c3c47ad86e8a46

SHA512
ec2c330273c9dd17b6e83fd043a815d33f2c183ff946acf25d0c4fcfeee84274a5a6ae356beec5d51f1a05babc6ce7bbec40afed5ea2cc645b70fa098cdf67ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b93f5b2-b902-4715-b1e0-418234a4bbb8.vbs

Filesize
712B

MD5
06d830c786ce375c94a43b32f16ba616

SHA1
1d543a0a9ab9d8e0cf5d9ae8169b554ac8566084

SHA256
0bdd0e3d77c6a356b9c09aa51f9f15470481f44174bd20a5fb1b90be8a330b13

SHA512
befb993fae7cf0173f15ea9909a5f71f123aba23446131d0e245391ae9a3b4e1255575081e0f3286641ada25bc78d53847ea5935d0b595605d290e8d54eb6eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\13c70590-2364-4ace-aead-e6383fbc27a4.vbs

Filesize
713B

MD5
c62251de217065b8cef4931e9e45c70b

SHA1
6cd18736769e1dd46d23b5b3fb707f878ba7fbd7

SHA256
589cc845a88e3d7da164447eedb1e33f121b4b5816771b4362cdb6ea089dd0b6

SHA512
8334b771ba25b3edd6a88a68b6ec9469cc5ab56e2135482dcad5b1272caf8b3fdd65b97b1db187d223f8f61a6cd9ef89d4ec5bfde62017293d864b40569f15e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b3f3331-1bcf-435d-8091-18af4b56aca8.vbs

Filesize
713B

MD5
3c30292438e8220c0d56371b5cd61af3

SHA1
2840d771128675b5d32997828873aa981506f62c

SHA256
0270d78dadbed5e1a9b67c661fef464c24a807c4d62bff085a5052a236f258d0

SHA512
bdefbe006f4d5919a9ba130004781094a5178ed7fb2046aa14bb16d9b7c6433c34a31181fbf857847cd72e9f140689461b541f9cd34510ccca4faba99a7bea27

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d141c87-e13f-450e-949f-2d246f761f8c.vbs

Filesize
713B

MD5
af82469c509e7d7d0d6f5e23cf410ead

SHA1
411b992bba3f731851e199f3d0ce8414c1a77da7

SHA256
2798e31a2296181cdfbaf0fb1e0f9778c53716ec01e15e72c4d7099500c0481f

SHA512
1388d4a3224b53abff66854b8ce6cb0e34d36476d7a74894b700cc4a269400b2832767bd75f2f7e061421091e4ccc06905d3752ff9c1e29e22e03c4af42e1254

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fed2dac-eaeb-48f6-a868-7b515b8ad5ae.vbs

Filesize
713B

MD5
c5a59b24e22d20d6294d4d353c3bc760

SHA1
67467ea326118deff67a4c65d0f420849ccc10d3

SHA256
82d6242a8e1f68b9e7803248bd25527e92497f52610ac3f3c600c21f1b8c847f

SHA512
60a6d6162ab3384952ebfe5437487faf38a90550879d3e3edf09daafdeb68ca5fc7c90c70d6c9c3f578d8c561e01cbd7982d35aa71d2c027be79cf2d61c67328

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ba3436-3e9c-4c92-912b-f8a9f70e58ac.vbs

Filesize
489B

MD5
636e4d234395de34e1049cf882a4db83

SHA1
615d1790d2dfd407fb70030e4006627c81003b9b

SHA256
a767b07b1659bba5488eea6a2bbc62aa68282d1dbcd4cb81414918e336d4d35d

SHA512
37d03209f43d4562535d43a9ab19ce87bb9eb60527f47172181f42dd272c1a0edfc41e3780373d5c98140e1c9d1d510a0cff3407b6d16e51bf355dda385a8345

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9214d65-62b6-4d29-9e09-e7ea54b2569d.vbs

Filesize
713B

MD5
a89570eafdca94e3f256858c9a9d9dcd

SHA1
2088373258267284d539a56f75e227dbff2a3dfd

SHA256
7a20a2e940f3f52958e415b52525947639de20c6547c26b3a232691b5496968a

SHA512
bbab5bcc1f2c3cf02142206114a12b855e8927ea1950bbb46e5e7a3df5ff31db90d5323d212ed8103d736405f1e563da38123279a33fd319978bf4d716e0c0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\abcf18a8-232c-44ba-bab1-e5f843e47bd2.vbs

Filesize
713B

MD5
28182ddce1b8edb2ca74f86b91421882

SHA1
5e65b08a268f1aebc59fe8c16aa8a46a10bc10bf

SHA256
f938928f14bf2921381b48fa917e32a431c967b9d8c1482ffeca0f7f4e1760c3

SHA512
fae91c41f220408d48ff784c86d423701355bcdfe26dcca727e812e06deb521b43104c6496ed13e764e276d44ca5e0abd20f7f82be2a97a5f840ad5055d8075c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d46b9cc8-8d6f-48dc-b147-fc9758aab385.vbs

Filesize
713B

MD5
851b5abab59be8db655d4b25f00e8941

SHA1
21edecc97b4f272661a619ac5df35fedeae9cb2a

SHA256
fd2bb99896a22c8b5af48679f335840186f620ac239682bef06fbab75f8096a6

SHA512
523f4ebeedfef3a6c885db44b78c2d7624047956c6de34a17a913b80ae0518c45ba060bbddf87e821e0f2e63b84e68c95d5fdddaffa75d150fd047469d1934f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e22acd9b-90aa-41ba-83f4-b44ddf7d5c82.vbs

Filesize
713B

MD5
9000d241527f140317e3b90e6040302e

SHA1
8aed4727cc84ff62ef2d223b8fc1c661a47c89a0

SHA256
196bd87d3fc4f5ea8ff4b55c54c52d72d14e5ab883dab8cd919a7627a2eab4ea

SHA512
488e8de04b4b8874c68f8fdc2145efb730378e59948a82b819feee753decf93dd84435c57a2e09be97630c54090b003f2519ca3384871d29b153625289c312b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e82c2b78-3133-432d-bade-fd18692808a9.vbs

Filesize
712B

MD5
39a21b59428964de7a77bd0f885f75ea

SHA1
dd8b7cb1f973f0cec4e9659a83b70b0dcb8e7472

SHA256
e44da67242b34c1e0e4ef52f9343ffb966577acff54c03e029522f884f3fd200

SHA512
b1d24e9ad1fde6f11945ed0d89eefc2c7c970554eab9b669eb1e9af449dc72d973603a21cc30ad713ab9b7f11726832871f41552a57b7d7c25ba0b8d0b885eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kM5nbywaqV.bat

Filesize
201B

MD5
71f09daa35b8b3d624ef2f209d835e74

SHA1
52f2fd3cadb93df2e135245e48c1cffb38890397

SHA256
a044a55e33acbbca50dc36fe2d1345af4ce7dd9d384b0733e479594a344544da

SHA512
96843abc0054d3b72dd21021b0add6a42b726d45880cba86edb8baebb250998b66e40ffc4e054dae0544ab6a8e06831dd23a7d7deb432fe2f2fb3e3f45ad72a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4c7bd0fb6e91cdb89b7f503dd3995188

SHA1
9f0a94d49f7c2c04f673827f8a3ba106f03808ca

SHA256
5b2be91fc9f418049987f6ca4e858ed6d6bcf2400dd5ead5ef74e7e842619bc8

SHA512
ba701cbd42b554d8975baa91d9f41199f56a50c4f1a421a61034f0ee529b704dfeef0f0d396a3f8cf09d56bad623e9d5d7039bf5367151620727b2a6e97d39ee

Download Submit
C:\Users\System.exe

Filesize
2.5MB

MD5
be0df4e9cbed9ad5b3549eefb993afa5

SHA1
61b4a2b5a041776b7d44e49ea78a916173eb0e03

SHA256
ab918a32a873f62f0fdbec5b2befc23418197cded7a98b1698cb17f9ba846d47

SHA512
fe2366d006622c897940d2c270cb37de712c8ece0a716f24c3ec8c3bb92b4af27d3e1641b2269e1f62d1adfb8cb0ba5e80babd52685b390183958361cf1b38db

Download Submit
C:\Windows\System32\NlsData0027\taskhost.exe

Filesize
2.5MB

MD5
c8e06b4976a331ed1e709172b86792d0

SHA1
9432df1bbc7c0cfc389a656d3cd984dfbc3bbf26

SHA256
50474dafc7947ca0982a87ee6e7f6b015d39beb457b672da3a6adc8a0406ed7e

SHA512
7a427348223e31b1b9e09af617b39a83b66ac0b29410baf1edd3dc5485315d0f3671b23638ff1c579e71ea9e11a8b8736128cb83e4b44f64beba0b7bf63baa31

Download Submit
C:\Windows\System32\sfc_os\sppsvc.exe

Filesize
2.5MB

MD5
07bba41650ea1f2788efef28fe72ee3f

SHA1
70cfb89a252e98cb59382fe06f0feee45670afaa

SHA256
60eed8a7020a34ca84b8bb6cc3da9e75735f7bb114b87c536088c800aa0f5425

SHA512
1275d472bbac35a415ef94ec30010aec55bd0ef81074f9f9782a212b1f60ca116466431bd465546576557a5efb1ea099d2a2f0a07dd725662b22346df8362333

Download Submit
memory/432-11-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/432-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/432-94-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/432-9-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/432-16-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/432-13-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/432-12-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/432-10-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/432-15-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/432-14-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/432-99-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-6-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/432-7-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download
memory/432-5-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/432-4-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/432-3-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/432-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/432-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-1-0x0000000001370000-0x00000000015F6000-memory.dmp

Filesize
2.5MB

Download
memory/828-189-0x00000000005D0000-0x0000000000626000-memory.dmp

Filesize
344KB

Download
memory/828-190-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/908-215-0x00000000011A0000-0x0000000001426000-memory.dmp

Filesize
2.5MB

Download
memory/1460-127-0x0000000000BE0000-0x0000000000E66000-memory.dmp

Filesize
2.5MB

Download
memory/1460-128-0x000000001AEA0000-0x000000001AEF6000-memory.dmp

Filesize
344KB

Download
memory/1460-129-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/1492-124-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1536-177-0x0000000000C90000-0x0000000000F16000-memory.dmp

Filesize
2.5MB

Download
memory/1744-251-0x00000000000D0000-0x0000000000356000-memory.dmp

Filesize
2.5MB

Download
memory/1996-227-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2012-153-0x0000000000120000-0x00000000003A6000-memory.dmp

Filesize
2.5MB

Download
memory/2116-141-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/2116-140-0x0000000000F70000-0x00000000011F6000-memory.dmp

Filesize
2.5MB

Download
memory/2776-165-0x00000000000E0000-0x0000000000366000-memory.dmp

Filesize
2.5MB

Download
memory/2936-203-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/2936-202-0x0000000000220000-0x00000000004A6000-memory.dmp

Filesize
2.5MB

Download
memory/3004-123-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/3040-239-0x00000000003D0000-0x0000000000656000-memory.dmp

Filesize
2.5MB

Download
memory/3052-263-0x0000000000E90000-0x0000000001116000-memory.dmp

Filesize
2.5MB

Download
memory/3052-264-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download