dcrat | ec57a5693533b024615c157ec0e3867b2eb73a65a12c20501ef8ff00ffd8f65c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ce67df193db91ca606ca62cfd5ffef2.exe
Size

2.5MB
MD5

7ce67df193db91ca606ca62cfd5ffef2
SHA1

f02ff6e498478d340865f7f4626ec0485d091b0c
SHA256

7b562c692b687673085ad7a1d3a85ce903c930d8b17da8a09cdfc7e382b5f719
SHA512

5aa42516fe917bed086d7e89d691c01cff876cc4fe50756c4e8bdd899511b04deccb5ecd5f980ea7843f63e4547093b81a892762da17119762f20a960a9e76a2
SSDEEP

49152:KGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:KGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2612	schtasks.exe
2916	schtasks.exe
2760	schtasks.exe
2716	schtasks.exe
2560	schtasks.exe
2700	schtasks.exe
2532	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2752	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
2928	powershell.exe
2720	powershell.exe
2428	powershell.exe
2880	powershell.exe
2392	powershell.exe
1648	powershell.exe
2184	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1664	sppsvc.exe
2504	sppsvc.exe
1484	sppsvc.exe
2140	sppsvc.exe
1648	sppsvc.exe
2444	sppsvc.exe
1076	sppsvc.exe
1296	sppsvc.exe
2940	sppsvc.exe
2640	sppsvc.exe
3068	sppsvc.exe
264	sppsvc.exe
2276	sppsvc.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdhcinst\\taskhost.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\fontsub\\sppsvc.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tsbyuv\\csrss.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Desktop\\Idle.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\Idle.exe\""	7ce67df193db91ca606ca62cfd5ffef2.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sdhcinst\RCX261B.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\sdhcinst\taskhost.exe	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\fontsub\RCX2A92.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\sdhcinst\RCX261C.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\fontsub\sppsvc.exe	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\tsbyuv\RCX2E9C.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\sdhcinst\b75386f1303e64	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\tsbyuv\886983d96e3d3e	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\tsbyuv\csrss.exe	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\fontsub\0a1fd5f707cd16	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\tsbyuv\csrss.exe	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\fontsub\RCX2A93.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File opened for modification	C:\Windows\System32\tsbyuv\RCX2E9B.tmp	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\sdhcinst\taskhost.exe	7ce67df193db91ca606ca62cfd5ffef2.exe
File created	C:\Windows\System32\fontsub\sppsvc.exe	7ce67df193db91ca606ca62cfd5ffef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
2760	schtasks.exe
2716	schtasks.exe
2560	schtasks.exe
2700	schtasks.exe
2532	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2880	powershell.exe
2940	powershell.exe
2928	powershell.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2428	powershell.exe
2184	powershell.exe
1648	powershell.exe
2720	powershell.exe
2108	7ce67df193db91ca606ca62cfd5ffef2.exe
2392	powershell.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
1664	sppsvc.exe
2504	sppsvc.exe
2504	sppsvc.exe
2504	sppsvc.exe
2504	sppsvc.exe
2504	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	7ce67df193db91ca606ca62cfd5ffef2.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1664	sppsvc.exe
Token: SeDebugPrivilege	2504	sppsvc.exe
Token: SeDebugPrivilege	1484	sppsvc.exe
Token: SeDebugPrivilege	2140	sppsvc.exe
Token: SeDebugPrivilege	1648	sppsvc.exe
Token: SeDebugPrivilege	2444	sppsvc.exe
Token: SeDebugPrivilege	1076	sppsvc.exe
Token: SeDebugPrivilege	1296	sppsvc.exe
Token: SeDebugPrivilege	2940	sppsvc.exe
Token: SeDebugPrivilege	2640	sppsvc.exe
Token: SeDebugPrivilege	3068	sppsvc.exe
Token: SeDebugPrivilege	264	sppsvc.exe
Token: SeDebugPrivilege	2276	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2880	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	40
PID 2108 wrote to memory of 2880	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	40
PID 2108 wrote to memory of 2880	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	40
PID 2108 wrote to memory of 2392	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	41
PID 2108 wrote to memory of 2392	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	41
PID 2108 wrote to memory of 2392	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	41
PID 2108 wrote to memory of 1648	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	42
PID 2108 wrote to memory of 1648	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	42
PID 2108 wrote to memory of 1648	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	42
PID 2108 wrote to memory of 2184	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	44
PID 2108 wrote to memory of 2184	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	44
PID 2108 wrote to memory of 2184	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	44
PID 2108 wrote to memory of 2428	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	46
PID 2108 wrote to memory of 2428	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	46
PID 2108 wrote to memory of 2428	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	46
PID 2108 wrote to memory of 2928	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	47
PID 2108 wrote to memory of 2928	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	47
PID 2108 wrote to memory of 2928	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	47
PID 2108 wrote to memory of 2940	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	48
PID 2108 wrote to memory of 2940	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	48
PID 2108 wrote to memory of 2940	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	48
PID 2108 wrote to memory of 2720	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	49
PID 2108 wrote to memory of 2720	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	49
PID 2108 wrote to memory of 2720	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	49
PID 2108 wrote to memory of 1664	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	56
PID 2108 wrote to memory of 1664	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	56
PID 2108 wrote to memory of 1664	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	56
PID 2108 wrote to memory of 1664	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	56
PID 2108 wrote to memory of 1664	2108	7ce67df193db91ca606ca62cfd5ffef2.exe	56
PID 1664 wrote to memory of 2656	1664	sppsvc.exe	57
PID 1664 wrote to memory of 2656	1664	sppsvc.exe	57
PID 1664 wrote to memory of 2656	1664	sppsvc.exe	57
PID 1664 wrote to memory of 2600	1664	sppsvc.exe	58
PID 1664 wrote to memory of 2600	1664	sppsvc.exe	58
PID 1664 wrote to memory of 2600	1664	sppsvc.exe	58
PID 2656 wrote to memory of 2504	2656	WScript.exe	59
PID 2656 wrote to memory of 2504	2656	WScript.exe	59
PID 2656 wrote to memory of 2504	2656	WScript.exe	59
PID 2656 wrote to memory of 2504	2656	WScript.exe	59
PID 2656 wrote to memory of 2504	2656	WScript.exe	59
PID 2504 wrote to memory of 2376	2504	sppsvc.exe	60
PID 2504 wrote to memory of 2376	2504	sppsvc.exe	60
PID 2504 wrote to memory of 2376	2504	sppsvc.exe	60
PID 2504 wrote to memory of 2856	2504	sppsvc.exe	61
PID 2504 wrote to memory of 2856	2504	sppsvc.exe	61
PID 2504 wrote to memory of 2856	2504	sppsvc.exe	61
PID 2376 wrote to memory of 1484	2376	WScript.exe	62
PID 2376 wrote to memory of 1484	2376	WScript.exe	62
PID 2376 wrote to memory of 1484	2376	WScript.exe	62
PID 2376 wrote to memory of 1484	2376	WScript.exe	62
PID 2376 wrote to memory of 1484	2376	WScript.exe	62
PID 1484 wrote to memory of 388	1484	sppsvc.exe	63
PID 1484 wrote to memory of 388	1484	sppsvc.exe	63
PID 1484 wrote to memory of 388	1484	sppsvc.exe	63
PID 1484 wrote to memory of 2372	1484	sppsvc.exe	64
PID 1484 wrote to memory of 2372	1484	sppsvc.exe	64
PID 1484 wrote to memory of 2372	1484	sppsvc.exe	64
PID 388 wrote to memory of 2140	388	WScript.exe	65
PID 388 wrote to memory of 2140	388	WScript.exe	65
PID 388 wrote to memory of 2140	388	WScript.exe	65
PID 388 wrote to memory of 2140	388	WScript.exe	65
PID 388 wrote to memory of 2140	388	WScript.exe	65
PID 2140 wrote to memory of 1256	2140	sppsvc.exe	66
PID 2140 wrote to memory of 1256	2140	sppsvc.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe
"C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7ce67df193db91ca606ca62cfd5ffef2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sdhcinst\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fontsub\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tsbyuv\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\fontsub\sppsvc.exe
  "C:\Windows\System32\fontsub\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dfdb160-d9a7-4302-9a9b-cd37b5c93b12.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\System32\fontsub\sppsvc.exe
      C:\Windows\System32\fontsub\sppsvc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e89ead49-ad03-42af-9743-4ed48a5d0ffb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f373d5-1832-46ad-9175-d86e9ea4c231.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9db41c7-3772-4fb0-8b78-bd252e2a044b.vbs"
        9⤵
        
        PID:1256
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\667fc886-9a38-4d81-b66e-4af79e3a6d2a.vbs"
        11⤵
        
        PID:1604
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47aaba69-2fb8-4d34-8463-23a3575f0717.vbs"
        13⤵
        
        PID:3000
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30fd1ad-1f9f-4b4d-938d-ab88d575c43f.vbs"
        15⤵
        
        PID:2504
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9baac548-cafc-4392-a348-55ea685b5326.vbs"
        17⤵
        
        PID:2964
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af09f3c7-2d9e-442c-ae27-72efb05fd9a3.vbs"
        19⤵
        
        PID:2816
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52f83ecf-937c-4fd1-be63-a695368261b4.vbs"
        21⤵
        
        PID:1588
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6048a654-2e61-4992-81ff-f1af4896b9fc.vbs"
        23⤵
        
        PID:1112
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ba4db6-1e7a-4c41-9e89-de2a27b13cee.vbs"
        25⤵
        
        PID:2348
        
        C:\Windows\System32\fontsub\sppsvc.exe
        
        C:\Windows\System32\fontsub\sppsvc.exe
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d1b4118-b5b2-4627-9cb2-d0a790d4670b.vbs"
        27⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4fb9c8-b9d5-4177-8201-dc97cb3831dc.vbs"
        27⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c3fed4b-9c03-4c6f-be38-694ce52a6b8f.vbs"
        25⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9bb6916-ba76-404f-907e-5d71fed223e3.vbs"
        23⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8992eda-4315-437c-b4ab-3c3a23fc0980.vbs"
        21⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dca388ab-0718-401e-89ec-ce13ecd6452f.vbs"
        19⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e12931e-7cca-4282-b97c-61aa5dfba499.vbs"
        17⤵
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f0d01c8-d35a-4aa9-a180-f361736ca5f3.vbs"
        15⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d381cb3e-df31-469c-9eb3-aeb1372c5111.vbs"
        13⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ac5d506-2480-4540-85f8-4b97f953cdfc.vbs"
        11⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\943faafc-672d-4df6-a063-259ffaa7fa9e.vbs"
        9⤵
        
        PID:608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85170a9d-2a1d-44e3-912a-029db214ffdb.vbs"
        7⤵
        
        PID:2372
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e206cd70-c3ad-414d-b36a-b6f609f607d3.vbs"
        5⤵
        
        PID:2856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa9c784-ef9e-4dd5-8568-8ed11244d39c.vbs"
    3⤵
    PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sdhcinst\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\fontsub\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\tsbyuv\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe

Filesize
2.5MB

MD5
899d316f24c342d676e06d659709363a

SHA1
52f485983f53cee643f7c986d0dacd934d0aa2f6

SHA256
c906d91bf654a48ac33ba5e6e9182b92d7f36f462e3757f3a03689bb894d42b8

SHA512
45dd7ba6385a858de776d4e0c0418bb0f743cab9840808481edaafbd5c814bd31f2cdd0e47009979c3a8969c2feb0cc830fa15af33f157d7b7e4ca91a2de0680

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe

Filesize
2.5MB

MD5
7ce67df193db91ca606ca62cfd5ffef2

SHA1
f02ff6e498478d340865f7f4626ec0485d091b0c

SHA256
7b562c692b687673085ad7a1d3a85ce903c930d8b17da8a09cdfc7e382b5f719

SHA512
5aa42516fe917bed086d7e89d691c01cff876cc4fe50756c4e8bdd899511b04deccb5ecd5f980ea7843f63e4547093b81a892762da17119762f20a960a9e76a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\20f373d5-1832-46ad-9175-d86e9ea4c231.vbs

Filesize
714B

MD5
6b468e15a3fe5f2c2a87e015704786f3

SHA1
51139ecd0d24b1dc65d7ffc7b39824b651adaea0

SHA256
58d17e07695441c320c3dc3ee37a918b1d991429b7269c7308691e6e316223c8

SHA512
c854cc6b8d978caa00ed7c7abdeb9bdd6e76cd4113428f3301ad74c5e4db2b6d3bb75887ea35fe3b0006344680184afc275201f2f90260b69273901c0cfc0796

Download Submit
C:\Users\Admin\AppData\Local\Temp\47aaba69-2fb8-4d34-8463-23a3575f0717.vbs

Filesize
714B

MD5
e9727371c1bce350573520c499bb5193

SHA1
ae480690b3d9f1ca3904b352c17662390e7d29b1

SHA256
3770530908b4a2e820f34d948256a15e9924268a3d3bf1888ad1138333811a68

SHA512
01d131f1e94c96779bed677b6f4f2e800282e22cebdabc18d69120f21e1918cfac0b2c315f9cc920d34617e90e9bd716008097df00de5a85b93acc37df9dc176

Download Submit
C:\Users\Admin\AppData\Local\Temp\52f83ecf-937c-4fd1-be63-a695368261b4.vbs

Filesize
714B

MD5
5d79d414c84a65240a8ea7cc837c0878

SHA1
3986f570da4f6c7af194794ebdcc61c6e504dbce

SHA256
a960d4027083b1fb43c78ebb6b983f23c16b8f04e1195e0505e98116ff3771ab

SHA512
261451c16d7f596faf1c231dd9fce9002d3bf060a7fc1e7c68a4db9b5c2d49c24c01979c7c497e26702a8625ccb5a08a26ca6a215acc680414344dd4538a3716

Download Submit
C:\Users\Admin\AppData\Local\Temp\6048a654-2e61-4992-81ff-f1af4896b9fc.vbs

Filesize
714B

MD5
0f1fa536703fa16863149636ec4a4883

SHA1
a0dede2ea8cb61dc043765f2449d34c03e3b81d6

SHA256
865640fac9ffe96c1e24c8d78362db10c9297a005c9956762c5a0e535f55d70f

SHA512
f0a4d4ea66951e601366bd2ab626d0de7c3d27151a9c7bd8e1fe17729ac418751e5292a67f61abe51b39c5d69978667cc765be172ccb2b42ecca68653f299378

Download Submit
C:\Users\Admin\AppData\Local\Temp\667fc886-9a38-4d81-b66e-4af79e3a6d2a.vbs

Filesize
714B

MD5
e932b7ad1d24037f8ad38e8dad8a8d3c

SHA1
8b023985035ce8759bcdb50c32d8e2c0d6887f3e

SHA256
24aff30a3868c7f81355fcd0e276797a69f35c402146ed4893152cd0df67dad9

SHA512
c7fddec6e15d3cff69befc7dc3c2b9f6e7c7343f9cfc6eee167129a232c1f721c35bb792761fbc57964fc9453faebda2929a437a249355a1ad7e79a2f4f66898

Download Submit
C:\Users\Admin\AppData\Local\Temp\68ba4db6-1e7a-4c41-9e89-de2a27b13cee.vbs

Filesize
713B

MD5
5a0002f1dff77cd853b1116c29f2c30b

SHA1
b08c67549fb936a43f82d20c3d6cc9a5bf86a1ce

SHA256
91c27b5d71ec77ead242b0b228ebc585cfbd36cc6f856125dede6e5328b96249

SHA512
6293363f252a3ff92ac5dfbcca14bd6621dafafc106cd3d0ea8282f2b41c062c9df226a165d9c02e4d3992a72231babd326b072ebf4b81d54a7a8b829509af4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9baac548-cafc-4392-a348-55ea685b5326.vbs

Filesize
714B

MD5
e68d12a02f59af08e1f8bb9759856749

SHA1
e530be5acc5d848efd52308167869e160f4f4a6b

SHA256
35e3eb30e08040e5b9794c0f033c22e22e16a33ccb38ce26089540438836d1d7

SHA512
e808ada6d0bf8052e4896c2a10853fa5f8207fa5384fc8d986604e09d2df73a54cb0df7d4f1e048cf43d511239dc3d99025c65d8b5270939eaf928fd13bd0012

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d1b4118-b5b2-4627-9cb2-d0a790d4670b.vbs

Filesize
714B

MD5
a95727bdf89403902facde29e543643c

SHA1
644803b0c256b73cb8d39c71c31ce45ee1de856e

SHA256
091e70fb29873c40bd514763df76b4c8bf33c376b2687ec7534b8580e55d2330

SHA512
854e554343c6617e30a73a1c92d4f49aec197417f0cdb6b4a18a51f43d388943dd05c97e7ec29eb9b0e164248abaaa270f59ba76c69fdb563bbeba34a9390f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dfdb160-d9a7-4302-9a9b-cd37b5c93b12.vbs

Filesize
714B

MD5
a4f012bd0ed26fa68d14d27eed17339f

SHA1
b3d32deb81ab9f851d8a181eb67ae56d831a8e08

SHA256
ffc78d09e5c07ad0b64102d168a9e246db21c7e6a228924b1c947cf9508642ee

SHA512
0808632ba75e27a7d52a52c36048b66c97b971be6650b4a8efcab9bb2f297131d35d7a46db1d94eeaf3fc723fab83240246c1e4305a971263d2ac80ab4211ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\af09f3c7-2d9e-442c-ae27-72efb05fd9a3.vbs

Filesize
714B

MD5
206aaa1e15041ab01418ee1d7cbb3b61

SHA1
51585e4f7a1486c6c1539c261be3127ca95a29d7

SHA256
ec0e9febe7c35585aae41bc9ad20ce3efbed930c5d12beb2a571b31362c120d0

SHA512
d2723bc942fc34abe11895a55bd5a45ba06fdb4809f7093a633a3064dbf3a2b9ee6778a74bfb3bb813eb82359ad9c6784aa6f01f2739ee3d438420ec1339920b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b30fd1ad-1f9f-4b4d-938d-ab88d575c43f.vbs

Filesize
714B

MD5
71b8632d3adc36054a07cbcf26316540

SHA1
c978c2ab576a7e70a657d0083f3d085045fc2693

SHA256
45ec5073b8ad3b461c70908869b7c4371fbe2b39ab8ac9ba6f4034510070f1b9

SHA512
eb6d5fc9dc04cea3d9f90fc8a400d44c95d24b0efa2c4eb853a8ac36c73fc157a41dbfd82848a7b27c3d39438e247f1a0fe70ba4c25d6b98fe4afe40e969c144

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9db41c7-3772-4fb0-8b78-bd252e2a044b.vbs

Filesize
714B

MD5
b80797d3814c9715b4a015035d0221b5

SHA1
87bd4562d2d35d36a29398f46d4ee44779ea5084

SHA256
1249eee774d51bcd323bbe001a55afb9821545a41828310197eaef44fb350374

SHA512
5df085f512f54dc89e84a575ebe5ed340900975afaefc67599ff6d47c77f894f972aa6a7ae72e8e9f113e6bbaf81cd948e30c9baaccedfb1c20a8bed35f8f06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e89ead49-ad03-42af-9743-4ed48a5d0ffb.vbs

Filesize
714B

MD5
52e5efd16762392913dfaa93c20de1ee

SHA1
2e72d444ca3c17fec73753f91cbc875727970800

SHA256
c31812dd77dbaead19f1f851356992bbbe91669387e82c5c483d2a0d8965fa08

SHA512
da549cb445238ea2f1ceab3abb0e9e2d45a378da3312fb8a6173959537a8b915a6e26bd6b4a99d3a93bb0ae6fd038127a84941db6dac95bfb7ad635092bf0e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\efa9c784-ef9e-4dd5-8568-8ed11244d39c.vbs

Filesize
490B

MD5
f79b7d4e34e592f7e6414d8b6e7dc0a9

SHA1
f8fe0220b04681207cfe852688cd68f2400d1666

SHA256
f7fb2f9d453d7608a21dab9b0d16669bc71edb66401fc832768d411d817d7c5b

SHA512
67a9362eb4d5dc6080cf1b753da4b12716a1b6e79d30a3e6bfb632fa186713822d38251bee905cfb4fbfb74ce8a411f34921088b5c6274dbd8d61a8862185286

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3C2YT0IJD74B33K86JE0.temp

Filesize
7KB

MD5
aa2835dc8e622252adbe17ac6289e186

SHA1
966984d7288782af8da7038fbdec077fd9adf752

SHA256
4b5d18e7db4f061bb60c7cc73adeae052d98d20457520a7648e990f98f866748

SHA512
fd8f05b3a3e1cd80eda1139c9c62638dd63f7827928d86e73f8381fdae5c2616111e6699faf26306545d3ea54c09216f23f1e00510c586606d6b93bf5c95b090

Download Submit
memory/264-299-0x00000000008E0000-0x0000000000B66000-memory.dmp

Filesize
2.5MB

Download
memory/264-300-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/1296-250-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/1484-191-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/1648-215-0x00000000013D0000-0x0000000001656000-memory.dmp

Filesize
2.5MB

Download
memory/1664-168-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1664-156-0x0000000000830000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2108-10-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2108-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-15-0x000000001AED0000-0x000000001AED8000-memory.dmp

Filesize
32KB

Download
memory/2108-1-0x0000000000CB0000-0x0000000000F36000-memory.dmp

Filesize
2.5MB

Download
memory/2108-14-0x000000001AEC0000-0x000000001AECC000-memory.dmp

Filesize
48KB

Download
memory/2108-167-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-13-0x0000000002370000-0x000000000237A000-memory.dmp

Filesize
40KB

Download
memory/2108-16-0x000000001AEE0000-0x000000001AEEA000-memory.dmp

Filesize
40KB

Download
memory/2108-12-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/2108-6-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/2108-11-0x0000000002350000-0x000000000235A000-memory.dmp

Filesize
40KB

Download
memory/2108-3-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2108-4-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/2108-9-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/2108-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2108-5-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2108-7-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/2140-203-0x0000000000360000-0x00000000005E6000-memory.dmp

Filesize
2.5MB

Download
memory/2276-312-0x00000000011D0000-0x0000000001456000-memory.dmp

Filesize
2.5MB

Download
memory/2444-227-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2504-179-0x0000000000E20000-0x00000000010A6000-memory.dmp

Filesize
2.5MB

Download
memory/2640-275-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2640-274-0x0000000000A90000-0x0000000000D16000-memory.dmp

Filesize
2.5MB

Download
memory/2880-138-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2880-139-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2940-262-0x0000000000150000-0x00000000003D6000-memory.dmp

Filesize
2.5MB

Download
memory/3068-287-0x0000000000390000-0x0000000000616000-memory.dmp

Filesize
2.5MB

Download