dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855deb7775f714f1fc46d29fea8008d7.exe
Size

1.6MB
MD5

855deb7775f714f1fc46d29fea8008d7
SHA1

421d56096458fc456190f7c8d13fa3435c051264
SHA256

795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
SHA512

7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/764-1-0x0000000001310000-0x00000000014B2000-memory.dmp	dcrat
behavioral9/files/0x0005000000019612-25.dat	dcrat
behavioral9/files/0x000500000001a492-46.dat	dcrat
behavioral9/files/0x001d00000001235b-129.dat	dcrat
behavioral9/memory/2052-187-0x00000000008B0000-0x0000000000A52000-memory.dmp	dcrat
behavioral9/memory/968-198-0x0000000001170000-0x0000000001312000-memory.dmp	dcrat
behavioral9/memory/2636-210-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral9/memory/2928-222-0x0000000000330000-0x00000000004D2000-memory.dmp	dcrat
behavioral9/memory/588-234-0x00000000013E0000-0x0000000001582000-memory.dmp	dcrat
behavioral9/memory/2704-268-0x0000000000220000-0x00000000003C2000-memory.dmp	dcrat
behavioral9/memory/916-280-0x00000000008D0000-0x0000000000A72000-memory.dmp	dcrat
behavioral9/memory/2260-292-0x0000000000C10000-0x0000000000DB2000-memory.dmp	dcrat
behavioral9/memory/2764-304-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral9/memory/3024-316-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat
behavioral9/memory/2164-328-0x00000000009A0000-0x0000000000B42000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
1656	powershell.exe
2556	powershell.exe
2500	powershell.exe
2032	powershell.exe
1348	powershell.exe
1796	powershell.exe
1252	powershell.exe
1808	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2052	Idle.exe
968	Idle.exe
2636	Idle.exe
2928	Idle.exe
588	Idle.exe
2920	Idle.exe
948	Idle.exe
2704	Idle.exe
916	Idle.exe
2260	Idle.exe
2764	Idle.exe
3024	Idle.exe
2164	Idle.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\plugin2\101b941d020240	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RCXF325.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RCXF324.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF528.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF597.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Windows\Migration\WTR\101b941d020240	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Windows\Migration\WTR\RCXE90C.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Windows\Migration\WTR\RCXE90D.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Windows\Migration\WTR\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
524	schtasks.exe
2320	schtasks.exe
2124	schtasks.exe
2632	schtasks.exe
1984	schtasks.exe
1140	schtasks.exe
1904	schtasks.exe
2852	schtasks.exe
2220	schtasks.exe
2968	schtasks.exe
2940	schtasks.exe
2600	schtasks.exe
1996	schtasks.exe
1888	schtasks.exe
2440	schtasks.exe
2884	schtasks.exe
2880	schtasks.exe
3000	schtasks.exe
3008	schtasks.exe
3016	schtasks.exe
2784	schtasks.exe
3012	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
764	855deb7775f714f1fc46d29fea8008d7.exe
1656	powershell.exe
2696	powershell.exe
1252	powershell.exe
2556	powershell.exe
1348	powershell.exe
1796	powershell.exe
2500	powershell.exe
2032	powershell.exe
1808	powershell.exe
2052	Idle.exe
968	Idle.exe
2636	Idle.exe
2928	Idle.exe
588	Idle.exe
2920	Idle.exe
948	Idle.exe
2704	Idle.exe
916	Idle.exe
2260	Idle.exe
2764	Idle.exe
3024	Idle.exe
2164	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	855deb7775f714f1fc46d29fea8008d7.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2052	Idle.exe
Token: SeDebugPrivilege	968	Idle.exe
Token: SeDebugPrivilege	2636	Idle.exe
Token: SeDebugPrivilege	2928	Idle.exe
Token: SeDebugPrivilege	588	Idle.exe
Token: SeDebugPrivilege	2920	Idle.exe
Token: SeDebugPrivilege	948	Idle.exe
Token: SeDebugPrivilege	2704	Idle.exe
Token: SeDebugPrivilege	916	Idle.exe
Token: SeDebugPrivilege	2260	Idle.exe
Token: SeDebugPrivilege	2764	Idle.exe
Token: SeDebugPrivilege	3024	Idle.exe
Token: SeDebugPrivilege	2164	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2556	764	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 764 wrote to memory of 2556	764	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 764 wrote to memory of 2556	764	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 764 wrote to memory of 1656	764	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 764 wrote to memory of 1656	764	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 764 wrote to memory of 1656	764	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 764 wrote to memory of 1796	764	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 764 wrote to memory of 1796	764	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 764 wrote to memory of 1796	764	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 764 wrote to memory of 1348	764	855deb7775f714f1fc46d29fea8008d7.exe	60
PID 764 wrote to memory of 1348	764	855deb7775f714f1fc46d29fea8008d7.exe	60
PID 764 wrote to memory of 1348	764	855deb7775f714f1fc46d29fea8008d7.exe	60
PID 764 wrote to memory of 2032	764	855deb7775f714f1fc46d29fea8008d7.exe	61
PID 764 wrote to memory of 2032	764	855deb7775f714f1fc46d29fea8008d7.exe	61
PID 764 wrote to memory of 2032	764	855deb7775f714f1fc46d29fea8008d7.exe	61
PID 764 wrote to memory of 2696	764	855deb7775f714f1fc46d29fea8008d7.exe	63
PID 764 wrote to memory of 2696	764	855deb7775f714f1fc46d29fea8008d7.exe	63
PID 764 wrote to memory of 2696	764	855deb7775f714f1fc46d29fea8008d7.exe	63
PID 764 wrote to memory of 2500	764	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 764 wrote to memory of 2500	764	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 764 wrote to memory of 2500	764	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 764 wrote to memory of 1808	764	855deb7775f714f1fc46d29fea8008d7.exe	65
PID 764 wrote to memory of 1808	764	855deb7775f714f1fc46d29fea8008d7.exe	65
PID 764 wrote to memory of 1808	764	855deb7775f714f1fc46d29fea8008d7.exe	65
PID 764 wrote to memory of 1252	764	855deb7775f714f1fc46d29fea8008d7.exe	66
PID 764 wrote to memory of 1252	764	855deb7775f714f1fc46d29fea8008d7.exe	66
PID 764 wrote to memory of 1252	764	855deb7775f714f1fc46d29fea8008d7.exe	66
PID 764 wrote to memory of 2064	764	855deb7775f714f1fc46d29fea8008d7.exe	74
PID 764 wrote to memory of 2064	764	855deb7775f714f1fc46d29fea8008d7.exe	74
PID 764 wrote to memory of 2064	764	855deb7775f714f1fc46d29fea8008d7.exe	74
PID 2064 wrote to memory of 2620	2064	cmd.exe	76
PID 2064 wrote to memory of 2620	2064	cmd.exe	76
PID 2064 wrote to memory of 2620	2064	cmd.exe	76
PID 2064 wrote to memory of 2052	2064	cmd.exe	77
PID 2064 wrote to memory of 2052	2064	cmd.exe	77
PID 2064 wrote to memory of 2052	2064	cmd.exe	77
PID 2052 wrote to memory of 2488	2052	Idle.exe	78
PID 2052 wrote to memory of 2488	2052	Idle.exe	78
PID 2052 wrote to memory of 2488	2052	Idle.exe	78
PID 2052 wrote to memory of 2076	2052	Idle.exe	79
PID 2052 wrote to memory of 2076	2052	Idle.exe	79
PID 2052 wrote to memory of 2076	2052	Idle.exe	79
PID 2488 wrote to memory of 968	2488	WScript.exe	80
PID 2488 wrote to memory of 968	2488	WScript.exe	80
PID 2488 wrote to memory of 968	2488	WScript.exe	80
PID 968 wrote to memory of 1764	968	Idle.exe	81
PID 968 wrote to memory of 1764	968	Idle.exe	81
PID 968 wrote to memory of 1764	968	Idle.exe	81
PID 968 wrote to memory of 860	968	Idle.exe	82
PID 968 wrote to memory of 860	968	Idle.exe	82
PID 968 wrote to memory of 860	968	Idle.exe	82
PID 1764 wrote to memory of 2636	1764	WScript.exe	83
PID 1764 wrote to memory of 2636	1764	WScript.exe	83
PID 1764 wrote to memory of 2636	1764	WScript.exe	83
PID 2636 wrote to memory of 2204	2636	Idle.exe	84
PID 2636 wrote to memory of 2204	2636	Idle.exe	84
PID 2636 wrote to memory of 2204	2636	Idle.exe	84
PID 2636 wrote to memory of 2628	2636	Idle.exe	85
PID 2636 wrote to memory of 2628	2636	Idle.exe	85
PID 2636 wrote to memory of 2628	2636	Idle.exe	85
PID 2204 wrote to memory of 2928	2204	WScript.exe	86
PID 2204 wrote to memory of 2928	2204	WScript.exe	86
PID 2204 wrote to memory of 2928	2204	WScript.exe	86
PID 2928 wrote to memory of 1848	2928	Idle.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe
"C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2620
- - C:\Users\Admin\SendTo\Idle.exe
    "C:\Users\Admin\SendTo\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c5ee35-02ba-4c0a-b06f-9dac1bd75848.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\696b4921-4744-48ff-a87b-922927bced8b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\506f4182-7c57-4063-812f-0845b7616e1a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19be82bb-b854-4a9c-9e04-1178442f89f4.vbs"
        10⤵
        
        PID:1848
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d515345-dcca-4f92-9740-4f676f88b6a9.vbs"
        12⤵
        
        PID:2528
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\871287ef-b86b-4516-bb3f-11f5cabf2be9.vbs"
        14⤵
        
        PID:884
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b51176b-99e5-4a1d-954e-d580bad0ce03.vbs"
        16⤵
        
        PID:2748
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c0a0a5d-6be0-4e8e-9b3d-4f4749f989b0.vbs"
        18⤵
        
        PID:2340
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b33cfe-4bab-4aca-88eb-d2b70a9e0e39.vbs"
        20⤵
        
        PID:2344
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ca04fc-a9d4-40be-b153-a07748afd50d.vbs"
        22⤵
        
        PID:2560
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9060508a-e3a1-45d1-af07-ca92450809b0.vbs"
        24⤵
        
        PID:2672
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c88973-6ef0-4d7c-b6ec-a93d83dc2c13.vbs"
        26⤵
        
        PID:2940
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d870a0d-b40d-44d2-ac24-8e761c3f1585.vbs"
        26⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d51095-a377-45d6-84c0-eda53331ced7.vbs"
        24⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d946a66-ca44-4fa1-866b-e838297e0fab.vbs"
        22⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4870095c-d9e1-4cfa-ba4d-31670c5fedf7.vbs"
        20⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4186e68-6467-4385-bd68-0f6266b330ff.vbs"
        18⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78962bce-7a07-40fa-95a0-3428a98e2230.vbs"
        16⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d3049a-fa4b-48d9-86f8-df602f6b41ed.vbs"
        14⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae5fc21-51ec-4191-90cf-b7a374ac2755.vbs"
        12⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c77c74c4-7816-4125-bd93-0650a9d4257d.vbs"
        10⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1cf6166-26f7-49f2-8971-6845b1bb3c02.vbs"
        8⤵
        
        PID:2628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18125fae-c586-4314-bbea-270f16e7ce8a.vbs"
        6⤵
        
        PID:860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbaf7ea8-dc02-44bd-ae2e-f3ec0c0749a6.vbs"
      4⤵
      PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

Filesize
1.6MB

MD5
ac5df5c70589f95435aea997b58e764f

SHA1
01617094ca676511bf2a888e25ba039fee8559e0

SHA256
61349ab7fa5aba81eeeee017e2908c8a484ef5380a121c830a063d974928c0d0

SHA512
993c3d659917a67f73614742226d06c1a78df6f55769d8d3386b80a5479756fdc9403768fa78f86a30fe85b41f788ec0849cd065e485c6e924513613b62363c5

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe

Filesize
1.6MB

MD5
1d9a6670fef016f00b19751ddc380471

SHA1
58c4c081991dc12334181a43a7df86f6a32d5e4b

SHA256
c117e202e4e73d216315314bf49a1d3b426c6183146641530c0a25dda93f3518

SHA512
09fd8e14a84574509c8a6ee5217f54ea93c527d5805318e1aa4c0e9351fbb18e64bc5342450689a31108735e58c28556142713620fde5a861543182534e12bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\19be82bb-b854-4a9c-9e04-1178442f89f4.vbs

Filesize
706B

MD5
0df4e50fb6afb441d90c366ff30ee131

SHA1
4af033cbe50f78d162b158014d1f52ea5b7d110c

SHA256
f36f6a212c8324dce225141d40f030792bd0f7a4b9e5324a8d4c5060757e9261

SHA512
a6268285d97308c0b4112648c30aff14b33365579a3e96131dd09763c5146329c4b71c9280d0ecd15673be90f1a2794e449960a8edd0afeff32345979d2b890d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c0a0a5d-6be0-4e8e-9b3d-4f4749f989b0.vbs

Filesize
706B

MD5
525cd67f3bc9953ce1195f9ae8f53201

SHA1
72985435f13588cd156edb64a8e90e3550270069

SHA256
239334e7be4855c4c4e32d858112727797f44848d19349ee5f2155ba9b20bd49

SHA512
6d52c719d16b60003d596626a26efcffbd30f9570c3930af2d6c25e5d86ae240cb56da9dc5b3da0fb7e5c5371ef6279ab3d9f8d6138e68b87a63f45c168e0ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\506f4182-7c57-4063-812f-0845b7616e1a.vbs

Filesize
706B

MD5
cea691692bc4c046533611f545b4cab8

SHA1
c3004b3a78275759fc5f988656bb94c8f7155ea9

SHA256
e98fe5449ba65965b10597d46b8ec2416fcd15ce34ae272c7e2ce1c3e3783278

SHA512
b8eba980cedb8c42843362e0ecd9de0c791041c4276eefbb70bd058ed2f15cef42494e618efd9e6d11dc85c7e5b036246331d6a2183e487c281920702d04153f

Download Submit
C:\Users\Admin\AppData\Local\Temp\56b33cfe-4bab-4aca-88eb-d2b70a9e0e39.vbs

Filesize
705B

MD5
2ddf622026553d0b355882def6e269f3

SHA1
a2309fdab0802c1c7da31a4cacacd70af1858620

SHA256
c7ffb32b7ac2b44622b171cc27f3e16f279398a13342123d86ebf0fa3248a60b

SHA512
b2b93e4a4d2c7d8495490eb8130cf432d9e066fa70a9f163e14fcb8505770ca17727cb7bca0078c38276c3b18b2cad8417a42fe3a15a4460c18ac557b634e095

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b51176b-99e5-4a1d-954e-d580bad0ce03.vbs

Filesize
705B

MD5
4548c65155193ae23430a19f0a917dc4

SHA1
883d8661ecff027e96a1cbc1e4875c05020a608b

SHA256
eaa8fafb3558e99aa25e9387c91e9854dfef98a8df411a6aedbae6be5c904fc8

SHA512
be4d5c0657834dfd3f3f3d82ff60f9ace0a769fec6878294a13e5700c5655bf029e1f124fbf6b81e863223f2fea4b64941356f946049d7b9ad090408e4773edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\696b4921-4744-48ff-a87b-922927bced8b.vbs

Filesize
705B

MD5
766b676d5437497b76cdd2a2de8f5bcd

SHA1
dd1365e9da8709bbe08881d36ae3180d4ce3128d

SHA256
27034cfc901c8f27c4b2308c0183bcdcec0b6ef1246a4442e2620a06935aeb7f

SHA512
f43c2fb85a30c503e8d4c3cd25f5674fd49431093985b9cd32f0745a0391466c55abc1e7ee9184744a27a45702fd82cf0b612cec57ff2dee03bb0466b004b5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d515345-dcca-4f92-9740-4f676f88b6a9.vbs

Filesize
705B

MD5
7e0ea182f88b7768878efa766c2d488b

SHA1
27f18b592219ba4cdeaf30a572a17bfd9e1c2cc7

SHA256
127d7118454008389ac3d2f366d7b665232fdb176f257fe9e3b36ad69667aec6

SHA512
965e05216e43cd402d82bb041a77788eb0a55e1f9246a249c2312c1490ceec2e27944e28d5bad1b7f4f62ed80913acd18f455233e79d98f32190652d2908f6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\78ca04fc-a9d4-40be-b153-a07748afd50d.vbs

Filesize
706B

MD5
53a1e9e063f94b897e94cbcc686f6ef8

SHA1
75ca761d620e3aae975484c3565946969cf06074

SHA256
72304b828259ee1379968d8a83d2048c8923ba4949ca21e5837091277096600b

SHA512
98bcb5f63074a7f080a08d3e686030e2fd960dc7399c472990f92cce5c46c0cf2841fa1e16f1291710ec98465d7e60dbed2e726c25d3ea0640e5d44b78d8739b

Download Submit
C:\Users\Admin\AppData\Local\Temp\871287ef-b86b-4516-bb3f-11f5cabf2be9.vbs

Filesize
706B

MD5
ae3cc5df3ace1b152b5872baa2a4955d

SHA1
61c5cd7a2b3104255ea32f2ac95c7b93fbe54404

SHA256
a18529c52fe2043bc35d385747155ca151a439f2fa581e586df9c9a4fc29cd19

SHA512
863e63cd56108b274facf5b61383eca52881c1193853aa17ab956f446cba6687fd539d35489f58b7312215f8460d140328d442073401dccc8178d2c3de6ccab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9060508a-e3a1-45d1-af07-ca92450809b0.vbs

Filesize
706B

MD5
8aa59d0aa4b05c07b057acf15cbb9a4b

SHA1
5836c6ad91079785886e1b2e7681b9d651589114

SHA256
027b5ebf1a4f95d854612d00c8b0d5c8130369978498cb25532422269fe2e680

SHA512
aac2b2a8804574c7b26705a4baffa2133ef706fed68b4f295433b5a5bb2f93dbbc20fef46243f86c38fe395be0648270f60104d353c69230d5ef503df95dd58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat

Filesize
195B

MD5
3dd6a00bab6340db6924a3d02ff70273

SHA1
570268f726e362bfdd9c15924a16f06a6fb96a09

SHA256
88c5b47d2f3324ead64b3d742932cb68d66a941e1769cb9fb9b234ab624282d4

SHA512
86ace738ae4d63312cdfd347b2d01326f2d39249c447e5cabd049cee1738614782dd72fafd7c7a09123161620a733954bce119e443d7640591344917ff035032

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8c88973-6ef0-4d7c-b6ec-a93d83dc2c13.vbs

Filesize
706B

MD5
01f13015bf59d5617858febe570db440

SHA1
a903c0675272ed4793ba0d40f91285be6d282da5

SHA256
704d73b84806055247639defc8ba828a1677d16d080451c003f0f8ac64b9f543

SHA512
8eb53bfa69c1a934eca7c8554baec862fccfdeebee183f2996f3134338450584dd1443a0fe3a4f2ca1635e9022774fcde442b156f48fa34b12afd7a319d9f532

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbaf7ea8-dc02-44bd-ae2e-f3ec0c0749a6.vbs

Filesize
482B

MD5
7805c0023e97dc1654ea89da6201b237

SHA1
6bff1fdf4e9a4bb4ae5ca2688432c109c96a6db1

SHA256
be166fc44a09f74d418a4103ad4038b8b037731fe9043bf30346fdcfd0dd3ee7

SHA512
6833b8f2c0f36d90d4af9b43828f4a74e6a221d64f62ca18a1d052e63341cb39d5d3b12815e511985012690ed367ba86c9dc09e25ddec70ce43e90dd4da26e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9c5ee35-02ba-4c0a-b06f-9dac1bd75848.vbs

Filesize
706B

MD5
4fcc405fd5436856df043e2b0263e923

SHA1
cf971696849618a1079a2d950fecd36617934e83

SHA256
292495293c8313d99b575849fea1e909109ad91379f52d28b046e4547b8fd768

SHA512
3105166ed74774b08b8ddede43094e4ee014a30372650950ff9f0b3bec4466f8507230cffaeae98e7c1c8a3e952f25294bd4f9b853db9656015a862c42aeb872

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
130cb763e1222f9547d7e14a56c4857f

SHA1
7bc4d98fb6b9b3d025ed08d87ae1996d99c5b729

SHA256
3f7854fd1ea9e3250b16c636768d08448e6307f577b142d4e036f29eca6b9d07

SHA512
2f9265fcb3403b82fc98d4cec4ad889f32d7b13db42ac3f073657a1cfc4a2eab90ba29a1ad5ca3ce0b865b53789a2f6a4c9f371c369e06ea2a5ec9cd3b90510b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Idle.exe

Filesize
1.6MB

MD5
855deb7775f714f1fc46d29fea8008d7

SHA1
421d56096458fc456190f7c8d13fa3435c051264

SHA256
795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf

SHA512
7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99

Download Submit
memory/588-234-0x00000000013E0000-0x0000000001582000-memory.dmp

Filesize
1.6MB

Download
memory/764-13-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/764-14-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/764-1-0x0000000001310000-0x00000000014B2000-memory.dmp

Filesize
1.6MB

Download
memory/764-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/764-5-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/764-165-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/764-4-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/764-6-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/764-7-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/764-8-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/764-11-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/764-10-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/764-12-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/764-9-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/764-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/764-3-0x0000000000750000-0x000000000076C000-memory.dmp

Filesize
112KB

Download
memory/764-15-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/764-16-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/916-280-0x00000000008D0000-0x0000000000A72000-memory.dmp

Filesize
1.6MB

Download
memory/968-198-0x0000000001170000-0x0000000001312000-memory.dmp

Filesize
1.6MB

Download
memory/1656-146-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-148-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2052-187-0x00000000008B0000-0x0000000000A52000-memory.dmp

Filesize
1.6MB

Download
memory/2164-328-0x00000000009A0000-0x0000000000B42000-memory.dmp

Filesize
1.6MB

Download
memory/2260-292-0x0000000000C10000-0x0000000000DB2000-memory.dmp

Filesize
1.6MB

Download
memory/2636-210-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/2704-268-0x0000000000220000-0x00000000003C2000-memory.dmp

Filesize
1.6MB

Download
memory/2764-304-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download
memory/2928-222-0x0000000000330000-0x00000000004D2000-memory.dmp

Filesize
1.6MB

Download
memory/3024-316-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download