dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
54s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

729c059086bce232a39d74a0b680bfed.exe
Size

885KB
MD5

729c059086bce232a39d74a0b680bfed
SHA1

832281677409fc0e150bdf6132be849824a265ea
SHA256

7a7f0076056b3e2b93a330a8af8df9d43f43a83b50931f2888f0db411c8e2024
SHA512

ca3f47323cc5018608c1c466f4805569df73523a6dcc6367f77bfd6d6a36393937222c0f0dfa89a748dc0406f40fc385761cef432aac1a9cd8d41857b6136c0d
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3272	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/4280-1-0x0000000000D80000-0x0000000000E64000-memory.dmp	dcrat
behavioral6/files/0x00070000000242ed-19.dat	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	729c059086bce232a39d74a0b680bfed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 5 IoCs

pid	Process
3180	csrss.exe
5720	csrss.exe
4344	csrss.exe
820	csrss.exe
1408	csrss.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\RCX82F9.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Windows Defender\RCX82FA.tmp	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\Google\Chrome\Application\55b276f4edf653	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\VideoLAN\VLC\skins\csrss.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\VideoLAN\VLC\skins\886983d96e3d3e	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\Windows Defender\29c1c3cc0f7685	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX82A3.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCX82E9.tmp	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\Windows Defender\unsecapp.exe	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX82B4.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCX82D8.tmp	729c059086bce232a39d74a0b680bfed.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\System\csrss.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX82C7.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX82D7.tmp	729c059086bce232a39d74a0b680bfed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	729c059086bce232a39d74a0b680bfed.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3700	schtasks.exe
1712	schtasks.exe
5028	schtasks.exe
5064	schtasks.exe
5060	schtasks.exe
4676	schtasks.exe
4780	schtasks.exe
4832	schtasks.exe
1080	schtasks.exe
4884	schtasks.exe
5080	schtasks.exe
4768	schtasks.exe
3844	schtasks.exe
6096	schtasks.exe
2644	schtasks.exe
4616	schtasks.exe
4936	schtasks.exe
4556	schtasks.exe
4820	schtasks.exe
4924	schtasks.exe
4892	schtasks.exe
4852	schtasks.exe
5000	schtasks.exe
2108	schtasks.exe
2924	schtasks.exe
3620	schtasks.exe
820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
4280	729c059086bce232a39d74a0b680bfed.exe
3180	csrss.exe
5720	csrss.exe
4344	csrss.exe
820	csrss.exe
1408	csrss.exe
1408	csrss.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	729c059086bce232a39d74a0b680bfed.exe
Token: SeDebugPrivilege	3180	csrss.exe
Token: SeDebugPrivilege	5720	csrss.exe
Token: SeDebugPrivilege	4344	csrss.exe
Token: SeDebugPrivilege	820	csrss.exe
Token: SeDebugPrivilege	1408	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3528	4280	729c059086bce232a39d74a0b680bfed.exe	116
PID 4280 wrote to memory of 3528	4280	729c059086bce232a39d74a0b680bfed.exe	116
PID 3528 wrote to memory of 2720	3528	cmd.exe	118
PID 3528 wrote to memory of 2720	3528	cmd.exe	118
PID 3528 wrote to memory of 3180	3528	cmd.exe	122
PID 3528 wrote to memory of 3180	3528	cmd.exe	122
PID 3180 wrote to memory of 3232	3180	csrss.exe	123
PID 3180 wrote to memory of 3232	3180	csrss.exe	123
PID 3180 wrote to memory of 2416	3180	csrss.exe	124
PID 3180 wrote to memory of 2416	3180	csrss.exe	124
PID 3232 wrote to memory of 5720	3232	WScript.exe	127
PID 3232 wrote to memory of 5720	3232	WScript.exe	127
PID 5720 wrote to memory of 1504	5720	csrss.exe	128
PID 5720 wrote to memory of 1504	5720	csrss.exe	128
PID 5720 wrote to memory of 3288	5720	csrss.exe	129
PID 5720 wrote to memory of 3288	5720	csrss.exe	129
PID 1504 wrote to memory of 4344	1504	WScript.exe	132
PID 1504 wrote to memory of 4344	1504	WScript.exe	132
PID 4344 wrote to memory of 4296	4344	csrss.exe	133
PID 4344 wrote to memory of 4296	4344	csrss.exe	133
PID 4344 wrote to memory of 212	4344	csrss.exe	134
PID 4344 wrote to memory of 212	4344	csrss.exe	134
PID 4296 wrote to memory of 820	4296	WScript.exe	135
PID 4296 wrote to memory of 820	4296	WScript.exe	135
PID 820 wrote to memory of 4864	820	csrss.exe	138
PID 820 wrote to memory of 4864	820	csrss.exe	138
PID 820 wrote to memory of 3712	820	csrss.exe	139
PID 820 wrote to memory of 3712	820	csrss.exe	139
PID 4864 wrote to memory of 1408	4864	WScript.exe	144
PID 4864 wrote to memory of 1408	4864	WScript.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\729c059086bce232a39d74a0b680bfed.exe
"C:\Users\Admin\AppData\Local\Temp\729c059086bce232a39d74a0b680bfed.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bBLgENpHy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2720
- - C:\Windows\Vss\Writers\System\csrss.exe
    "C:\Windows\Vss\Writers\System\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec140233-e2c6-4537-a798-afb79341d7eb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894b639d-3411-4910-ba78-b272d2bd5734.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3651bf7-a3ed-4a14-b78c-a4f00c89e476.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d4ffe6b-83bb-41d7-a0fa-00e428bfdd6e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68f6dd94-d500-4723-a0ab-83876a264fa2.vbs"
        12⤵
        
        PID:3392
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        13⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\491d71b7-b1c4-4403-9635-a173e833966d.vbs"
        14⤵
        
        PID:5348
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        15⤵
        
        PID:4268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7089ea2d-b999-45d3-ac4f-53ce945c6425.vbs"
        16⤵
        
        PID:2576
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        17⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b27001c6-e10f-4b46-a024-e87dfa7319ac.vbs"
        18⤵
        
        PID:2580
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        19⤵
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed89787e-35bc-4024-8ee7-1659b606ea84.vbs"
        20⤵
        
        PID:1812
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        21⤵
        
        PID:5268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1efd4e5a-67e9-4f3b-b627-afc281653efb.vbs"
        22⤵
        
        PID:4620
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        23⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\365659bc-1a22-4339-8084-fd71f52f05d9.vbs"
        24⤵
        
        PID:5956
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        25⤵
        
        PID:3908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba8582d-0b9f-41cb-b57f-7ca14ad498a7.vbs"
        26⤵
        
        PID:5604
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        27⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e58e46d5-2a57-4e0c-89af-b7ce97620809.vbs"
        28⤵
        
        PID:4360
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        29⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c5450ec-940b-469e-85df-f88acb98ca53.vbs"
        30⤵
        
        PID:1040
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        31⤵
        
        PID:4228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc4fe9b9-36d7-4c6b-b82a-74ccb25b6885.vbs"
        32⤵
        
        PID:1584
        
        C:\Windows\Vss\Writers\System\csrss.exe
        
        C:\Windows\Vss\Writers\System\csrss.exe
        33⤵
        
        PID:4896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b453ef2-7e66-429a-90a8-5c74281118fe.vbs"
        34⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4ab0404-bdba-45d5-9c1a-a55c16f0c55d.vbs"
        34⤵
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0218b757-2b28-457b-822c-8e95d9e79654.vbs"
        32⤵
        
        PID:5852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dae5497-e447-4c7b-abd2-fefd19f0ddb8.vbs"
        30⤵
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\accffc2a-2e14-40b0-a52a-13bc003e6c5c.vbs"
        28⤵
        
        PID:5400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddcf665d-a65e-40ab-a8d1-fa9829342439.vbs"
        26⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e40338eb-b20e-4d74-859d-203996f85bc7.vbs"
        24⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09d8106a-408f-495a-be4a-e06d1a4f7a81.vbs"
        22⤵
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7fe04ad-2a44-4093-baf0-0a44a74c1315.vbs"
        20⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8fee10-a684-44e5-8f83-00abf4323578.vbs"
        18⤵
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a6511a-0db5-4661-9f31-69218d191223.vbs"
        16⤵
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42983bd1-d4d6-48ee-86ba-8cb56736d867.vbs"
        14⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeca168f-d90b-49a9-8922-d8934f6ed3cd.vbs"
        12⤵
        
        PID:5868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91c1bc75-49d9-4743-896b-440c89a85f11.vbs"
        10⤵
        
        PID:3712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0189ed0f-3908-4860-84ff-25a72cc5732e.vbs"
        8⤵
        
        PID:212
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54803fc6-6224-4196-bca2-4423ff953ae0.vbs"
        6⤵
        
        PID:3288
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57e74de6-bcf9-40d7-a43c-d3c3a6dcdf5a.vbs"
      4⤵
      PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1efd4e5a-67e9-4f3b-b627-afc281653efb.vbs

Filesize
715B

MD5
91488c8f1e42efe552d6a5df2ddf6dc8

SHA1
b44d12674d8824b6fddc962afe574f3f32882afe

SHA256
d79f6cd1841d20d074281a1942fd41650668fde2126f982ffeef436bd7913ece

SHA512
02c65f21e190d22a74ba499bcd7db01f142326a9ce21cdea3fb03422e2b913b78fcbf621a6bd59371f39b5157be16557f88a1e281bdfea76869a539c7f98dd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d4ffe6b-83bb-41d7-a0fa-00e428bfdd6e.vbs

Filesize
714B

MD5
fc0885a401a6172ad33b4bc398288594

SHA1
a5f50dfaebc7cd18b2e49f67e1392f7618c6e2b3

SHA256
5e74f07c7fff5b52c12c5f722e6bb83f7f7b1b69cf8d4729c5b575267945f314

SHA512
7d4c5abee713815fa65ffd2dff232a728b728b04e0bf9dfa56517fe66623123425db5c5f190b4d478f59bb58e5a9dc99ab4fee6b6ced4140b19981cb6225407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\365659bc-1a22-4339-8084-fd71f52f05d9.vbs

Filesize
715B

MD5
0489200aaacdcb46c502e43a2f2dc8c5

SHA1
55715a7cce85600e3593b6a23e4105bb10a1ccf0

SHA256
7822ee22332c4845b6905b3dae4d566425e41d6fe74ade5e6f54b69ff20e2bf5

SHA512
5ace994b19800eb927a3f004f6d3b3afb97bd988d02d48d6b6155abffdc054a46314487c197544971baddee45e88d1aa9b6f02ef948fd344bb6c2d57a01ef87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ba8582d-0b9f-41cb-b57f-7ca14ad498a7.vbs

Filesize
715B

MD5
afa6f05435b3a294d042f402c78f1954

SHA1
c5905a29c2b36d36ff7074c2e1f06f6e1f6c6810

SHA256
2832b5b0d45884b63050581d341fa6ecf496dd184220b9efabde7034b01674fd

SHA512
6b4f6b6903d1aa2fbf23937735801730984cde0ee6dfdf28ae9f380fad0839a7dcf57000a82a9c30ac96a65dfc20b1d6b605459e6f5f59d336933428cb62d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\491d71b7-b1c4-4403-9635-a173e833966d.vbs

Filesize
715B

MD5
00a084066f40a4f5a702fbb714c9e46d

SHA1
7697e374fb17f4a2fea000311a152fc3baa8b6e1

SHA256
71b39466c8aee5ae85bd7e2e444071ec453ed77e3de8401e02476a81813a6356

SHA512
7daf9808736c7b8d2128ca362a20a6810f86fe033eaf1e2ceebe68c18149aeea033dcdc5f5dea8e6c035922a9c6ea220a8ea811676b70565fa671df3a2ca74a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\57e74de6-bcf9-40d7-a43c-d3c3a6dcdf5a.vbs

Filesize
491B

MD5
f5ab08a1f096f0976067b9ea9fae4e56

SHA1
4a16e5c387a063ff85ec1fd9bb60ead8a7f9d44c

SHA256
f62a4c89694c285605c93fb750c0672377413824ca6a6dc087aa938e678322e3

SHA512
a2ffdab2f6c73e7641d3c04137a8a7ef908e653679292e0c1bb1d97bfe83d509832fe84e40b755bcec8febaf92c7b42abba5400b5f0f3113e803ecd33bc0ce0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68f6dd94-d500-4723-a0ab-83876a264fa2.vbs

Filesize
715B

MD5
3965c8879af25c151d522e7db372137c

SHA1
b18120d8683f5441a2b3de74b29af52c9dbff9c9

SHA256
414956e1b00eae1f289b71f408d487c6e4f807ec281e93ac711e261d13284413

SHA512
966e9918611b37ac25caa6e409276fd0fff54afec29141c193263d2dbee9017e0d5e0905c6b9937b33b6ef45a21f9c81498752ebfb95941bbf0c265b43f5ecbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7089ea2d-b999-45d3-ac4f-53ce945c6425.vbs

Filesize
715B

MD5
2af001c67a5ff64ef38ae90d68eb95e9

SHA1
7d63189863b2ced6c18387a0785f2be3e2e6bb73

SHA256
e6ab15defa9ab4a6eda63b95dfa7897a0ab8be19312a3b93433d003c67f519b1

SHA512
03ac1956f4d9a0c20a84db9c38f472e80a7bc694c0e4b6c5d233f8f9eadc4321b5fa2c79ced6593ddf5065184b0bde9b57c78d8e4359253aabfc6c5d81473da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bBLgENpHy.bat

Filesize
204B

MD5
543752841ae626c935b6279ae06f6afe

SHA1
248a9622adabb963e31d98c2e5a597d23eba678f

SHA256
b3b0f104df5944709eee9186d4feba180e0763c12aaceb3fe67f744c8768809f

SHA512
4aedf9cf975c0fffee58f05317e6f312e9f7e671b762c6c218746b6a1c2d772e1c621edbaa410682f8028e06c271145ec82a9a4c0fb4081238247651b5986c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\894b639d-3411-4910-ba78-b272d2bd5734.vbs

Filesize
715B

MD5
df95e2a731c1e82334b8155be4365309

SHA1
d158405e1267dfcc7128cd6c0a9fadba17335767

SHA256
8b3a3df31d55879f7c82332b45cc9c933ebaf2caaf4cb3a4e75e0f63b5fa9469

SHA512
d7df65eeb4f099c59683f85a12f359bea4d835374f8cf70289c94c63ed1698d9eed8f29bf8dd34b166a1f81873f93a4f162dfd09d36e62312311c6c2dfb11143

Download Submit
C:\Users\Admin\AppData\Local\Temp\b27001c6-e10f-4b46-a024-e87dfa7319ac.vbs

Filesize
715B

MD5
d3b34be5fcb383c6cae3b9b96ab97643

SHA1
07111bbb40d001f736490f3d0cce81fafe9a8121

SHA256
e041450e3a0a8d540bd0fdee8d20246ab5f8d079c6d71784b2a1064142922b77

SHA512
125f032985ac47f3c3ea654d80ec7680961d1b3884d28d2f9889181676ec235cc7184fb97a68e67a68293df47a05a07ff7dd8587ea4d9b66a7381838d88edd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3651bf7-a3ed-4a14-b78c-a4f00c89e476.vbs

Filesize
715B

MD5
d9f78bf6709986ed6f406b24f1f83204

SHA1
7ceae85b3dea12b2bd64c59d3ae34c01d560136a

SHA256
a171030cb65f6463ed2b6a34de0842d62431e99da84babe88e3a286065c2e5e0

SHA512
1a5c33e52ea2c524fd1701ad101b474e7e94db2faed752d311c8bb0be20d142b2b48edbc957947372030fc5f72db542ddc8c74ae9d54a13f5487083515bb7270

Download Submit
C:\Users\Admin\AppData\Local\Temp\d97aaef5ec674872b25e0e00f0306155c15a7d13.exe

Filesize
885KB

MD5
838fa62c7b3f10bcd271c9c82ff8cbfa

SHA1
5d698e2b74bfcc149f2935d0e3bb9d440ffe61df

SHA256
43f00d484adc38a321e6e5b6e82604f51e9608f509f0dbe2769fa9ca8c0dffb2

SHA512
3dc3fcb22104fd4285430b763b3bc010e0d7e5a07517f36575897f1ef1602c74b7f14cfd67f83268db0ddd4c0d08d258fed2d5a3ff9d9784bda0695c3f48e2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58e46d5-2a57-4e0c-89af-b7ce97620809.vbs

Filesize
715B

MD5
0f296d56f3f850ebc28092772a77d423

SHA1
3e115bfecc90dc61adc630ee7d4971b32a96c328

SHA256
fbe80fb6054d5ce547bc7f3f7d7dbaab158e3a3ebd768ae9ce20dee78587ad48

SHA512
bf991c3c0e2696ab0dc47eac450aa85645968cc8c03bc5cb27af14ef90b7c7271e02fa786d0dfc1cdfaaf119d5688351513da5f076bc93e26c20f840e258c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec140233-e2c6-4537-a798-afb79341d7eb.vbs

Filesize
715B

MD5
9106dec40139d389f340fc11b1d6f524

SHA1
0703961321eaecb3c0e9ff240bda83c0c6c40615

SHA256
7215e2abed5e23a35191de8644f75978b31942e20194e0b21882f1716005c4b6

SHA512
64927cb7d61e69555064de55f906d58e1e9fec654f15e35fa15f2de4d26195f5e1710d731d0109f4728fabb6bb934df24df5ab013b27869be6f6f0fa27d19006

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed89787e-35bc-4024-8ee7-1659b606ea84.vbs

Filesize
715B

MD5
f2e9a5599107c7d43713bd5f992e0568

SHA1
a60beebc3df665d4b3339958b336a835890fb1b4

SHA256
46b38738c3f2a23e55afd76717c22b994035af588aedc46278ac18c1a4d8c425

SHA512
1fa0cce90ce05f01fb2f977ffd3aca696e27a62b3d9e3b2caa9e51f262b322f90d3a173e2769524c2bfd75f1c9ba49b02d486e78fd0320b21dc457bbd34af700

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc4fe9b9-36d7-4c6b-b82a-74ccb25b6885.vbs

Filesize
715B

MD5
46e04633f1b0f6d886950c53a7e0e2f3

SHA1
34dbfbbb5b2b04338a0e46e1dedc1c9084dd9e11

SHA256
0c4ac233382424ff25c86f29112bceacb56ae50ec5c435e4fd187e28ded5874a

SHA512
8d499169fb2c795346516d7c109adb1f2e53cb4cb7c25c2239472776d4ccced056548ee704fa5085ddb95863d5b8bafc04983382e3f5c99f0341ada55da91f35

Download Submit
C:\Windows\Vss\Writers\System\csrss.exe

Filesize
885KB

MD5
729c059086bce232a39d74a0b680bfed

SHA1
832281677409fc0e150bdf6132be849824a265ea

SHA256
7a7f0076056b3e2b93a330a8af8df9d43f43a83b50931f2888f0db411c8e2024

SHA512
ca3f47323cc5018608c1c466f4805569df73523a6dcc6367f77bfd6d6a36393937222c0f0dfa89a748dc0406f40fc385761cef432aac1a9cd8d41857b6136c0d

Download Submit
memory/4280-9-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/4280-6-0x0000000003070000-0x0000000003086000-memory.dmp

Filesize
88KB

Download
memory/4280-7-0x0000000003090000-0x000000000309A000-memory.dmp

Filesize
40KB

Download
memory/4280-0-0x00007FFEED733000-0x00007FFEED735000-memory.dmp

Filesize
8KB

Download
memory/4280-10-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/4280-4-0x000000001BF60000-0x000000001BFB0000-memory.dmp

Filesize
320KB

Download
memory/4280-8-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/4280-5-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4280-3-0x0000000002F30000-0x0000000002F4C000-memory.dmp

Filesize
112KB

Download
memory/4280-2-0x00007FFEED730000-0x00007FFEEE1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-140-0x00007FFEED730000-0x00007FFEEE1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-1-0x0000000000D80000-0x0000000000E64000-memory.dmp

Filesize
912KB

Download