dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Size

1.6MB
MD5

ec20848f83db3017eaf15c4f841fddc5
SHA1

3f46877c232c250f7538c26b863497d7c0ffd538
SHA256

7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23
SHA512

d00d7f760f5966860a0eb4233c9d5b0bcdd2c28ccc64099e5fd728b15c08b524aed4f897244415815d31526a4ca8e5779bf137522610d9565abed8cf9fafa03e
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2796	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral15/memory/3068-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat
behavioral15/files/0x0005000000019438-25.dat	dcrat
behavioral15/files/0x000500000001963a-40.dat	dcrat
behavioral15/memory/3028-125-0x00000000010A0000-0x0000000001242000-memory.dmp	dcrat
behavioral15/memory/3004-136-0x0000000001140000-0x00000000012E2000-memory.dmp	dcrat
behavioral15/memory/1904-148-0x0000000000150000-0x00000000002F2000-memory.dmp	dcrat
behavioral15/memory/2568-160-0x0000000000DA0000-0x0000000000F42000-memory.dmp	dcrat
behavioral15/memory/2948-172-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral15/memory/2944-185-0x00000000011B0000-0x0000000001352000-memory.dmp	dcrat
behavioral15/memory/2460-197-0x0000000000240000-0x00000000003E2000-memory.dmp	dcrat
behavioral15/memory/2980-209-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral15/memory/2352-221-0x00000000000A0000-0x0000000000242000-memory.dmp	dcrat
behavioral15/memory/2612-233-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral15/memory/1680-245-0x0000000000F60000-0x0000000001102000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2456	powershell.exe
1048	powershell.exe
2284	powershell.exe
688	powershell.exe
980	powershell.exe
3020	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3028	Idle.exe
3004	Idle.exe
1904	Idle.exe
2568	Idle.exe
2948	Idle.exe
3052	Idle.exe
2944	Idle.exe
2460	Idle.exe
2980	Idle.exe
2352	Idle.exe
2612	Idle.exe
1680	Idle.exe
892	Idle.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2724	schtasks.exe
2652	schtasks.exe
1744	schtasks.exe
1972	schtasks.exe
1492	schtasks.exe
2772	schtasks.exe
2616	schtasks.exe
1836	schtasks.exe
296	schtasks.exe
2880	schtasks.exe
2504	schtasks.exe
2944	schtasks.exe
2468	schtasks.exe
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
2456	powershell.exe
1048	powershell.exe
3020	powershell.exe
980	powershell.exe
688	powershell.exe
2284	powershell.exe
3028	Idle.exe
3004	Idle.exe
1904	Idle.exe
2568	Idle.exe
2948	Idle.exe
2944	Idle.exe
2460	Idle.exe
2980	Idle.exe
2352	Idle.exe
2612	Idle.exe
1680	Idle.exe
892	Idle.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	3028	Idle.exe
Token: SeDebugPrivilege	3004	Idle.exe
Token: SeDebugPrivilege	1904	Idle.exe
Token: SeDebugPrivilege	2568	Idle.exe
Token: SeDebugPrivilege	2948	Idle.exe
Token: SeDebugPrivilege	2944	Idle.exe
Token: SeDebugPrivilege	2460	Idle.exe
Token: SeDebugPrivilege	2980	Idle.exe
Token: SeDebugPrivilege	2352	Idle.exe
Token: SeDebugPrivilege	2612	Idle.exe
Token: SeDebugPrivilege	1680	Idle.exe
Token: SeDebugPrivilege	892	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 688	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	46
PID 3068 wrote to memory of 688	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	46
PID 3068 wrote to memory of 688	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	46
PID 3068 wrote to memory of 980	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	47
PID 3068 wrote to memory of 980	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	47
PID 3068 wrote to memory of 980	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	47
PID 3068 wrote to memory of 3020	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	48
PID 3068 wrote to memory of 3020	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	48
PID 3068 wrote to memory of 3020	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	48
PID 3068 wrote to memory of 1048	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	50
PID 3068 wrote to memory of 1048	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	50
PID 3068 wrote to memory of 1048	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	50
PID 3068 wrote to memory of 2456	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	51
PID 3068 wrote to memory of 2456	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	51
PID 3068 wrote to memory of 2456	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	51
PID 3068 wrote to memory of 2284	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	56
PID 3068 wrote to memory of 2284	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	56
PID 3068 wrote to memory of 2284	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	56
PID 3068 wrote to memory of 3028	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	58
PID 3068 wrote to memory of 3028	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	58
PID 3068 wrote to memory of 3028	3068	7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe	58
PID 3028 wrote to memory of 2484	3028	Idle.exe	59
PID 3028 wrote to memory of 2484	3028	Idle.exe	59
PID 3028 wrote to memory of 2484	3028	Idle.exe	59
PID 3028 wrote to memory of 2992	3028	Idle.exe	60
PID 3028 wrote to memory of 2992	3028	Idle.exe	60
PID 3028 wrote to memory of 2992	3028	Idle.exe	60
PID 2484 wrote to memory of 3004	2484	WScript.exe	62
PID 2484 wrote to memory of 3004	2484	WScript.exe	62
PID 2484 wrote to memory of 3004	2484	WScript.exe	62
PID 3004 wrote to memory of 1776	3004	Idle.exe	63
PID 3004 wrote to memory of 1776	3004	Idle.exe	63
PID 3004 wrote to memory of 1776	3004	Idle.exe	63
PID 3004 wrote to memory of 1996	3004	Idle.exe	64
PID 3004 wrote to memory of 1996	3004	Idle.exe	64
PID 3004 wrote to memory of 1996	3004	Idle.exe	64
PID 1776 wrote to memory of 1904	1776	WScript.exe	65
PID 1776 wrote to memory of 1904	1776	WScript.exe	65
PID 1776 wrote to memory of 1904	1776	WScript.exe	65
PID 1904 wrote to memory of 288	1904	Idle.exe	66
PID 1904 wrote to memory of 288	1904	Idle.exe	66
PID 1904 wrote to memory of 288	1904	Idle.exe	66
PID 1904 wrote to memory of 580	1904	Idle.exe	67
PID 1904 wrote to memory of 580	1904	Idle.exe	67
PID 1904 wrote to memory of 580	1904	Idle.exe	67
PID 288 wrote to memory of 2568	288	WScript.exe	68
PID 288 wrote to memory of 2568	288	WScript.exe	68
PID 288 wrote to memory of 2568	288	WScript.exe	68
PID 2568 wrote to memory of 2192	2568	Idle.exe	69
PID 2568 wrote to memory of 2192	2568	Idle.exe	69
PID 2568 wrote to memory of 2192	2568	Idle.exe	69
PID 2568 wrote to memory of 2432	2568	Idle.exe	70
PID 2568 wrote to memory of 2432	2568	Idle.exe	70
PID 2568 wrote to memory of 2432	2568	Idle.exe	70
PID 2192 wrote to memory of 2948	2192	WScript.exe	71
PID 2192 wrote to memory of 2948	2192	WScript.exe	71
PID 2192 wrote to memory of 2948	2192	WScript.exe	71
PID 2948 wrote to memory of 2292	2948	Idle.exe	72
PID 2948 wrote to memory of 2292	2948	Idle.exe	72
PID 2948 wrote to memory of 2292	2948	Idle.exe	72
PID 2948 wrote to memory of 2696	2948	Idle.exe	73
PID 2948 wrote to memory of 2696	2948	Idle.exe	73
PID 2948 wrote to memory of 2696	2948	Idle.exe	73
PID 2292 wrote to memory of 3052	2292	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe
"C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ee96119-71e3-4860-9e1c-c5ceecfa111b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
      C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ff03f89-5381-411d-a6fc-162770daf14d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa60a21f-fa72-43b3-9d64-5cfa4088894e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6824191-4d15-4384-8ee7-01fc5851f8c8.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7ee8eab-e315-4861-a486-744f623ca6fe.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        12⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc170875-df6b-48a0-9717-1b06240190bb.vbs"
        13⤵
        
        PID:1720
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dcee104-c221-431d-b3f5-74237eb23f3c.vbs"
        15⤵
        
        PID:1556
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d549ce1c-5fc8-4b7b-b6fc-93cbecdaf075.vbs"
        17⤵
        
        PID:1480
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28414b1-8d89-4f9b-8c5c-9729fdcfe8e8.vbs"
        19⤵
        
        PID:2284
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c264a1f-61b4-41bd-a476-7c572bd38138.vbs"
        21⤵
        
        PID:2020
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99477ce8-e323-4b23-98e9-61271f4718fe.vbs"
        23⤵
        
        PID:2924
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82c58a52-5694-4392-9187-ecfb51ddd60b.vbs"
        25⤵
        
        PID:2252
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\310eb7d4-d2f1-444a-a8eb-3c62c1112ed3.vbs"
        27⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819cb0f9-3578-4cd5-8409-7a61b8554162.vbs"
        27⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e8c221d-c94d-4a0d-887d-bc53fd9da4b7.vbs"
        25⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd1ac0be-181c-48aa-88b3-16034e34b73d.vbs"
        23⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b641ac2-d8e0-4ff7-b924-e82f0a199f97.vbs"
        21⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cba01db4-5873-4ea5-9b2d-e75f89306b9f.vbs"
        19⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea3a87da-da85-4559-bca6-4e99735f4598.vbs"
        17⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a36fda1-a302-4417-8cf9-8f542f68455c.vbs"
        15⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e7e7999-d72e-4474-9067-fdd5e6318d98.vbs"
        13⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303b4ea5-e2c0-41d7-a3d3-cf2299d4d519.vbs"
        11⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cf0f1e-0c82-447b-9d5f-33a9261e8ddd.vbs"
        9⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c40cef37-4b66-42e5-8992-2f5719013c1e.vbs"
        7⤵
        
        PID:580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41d85ad6-04e1-4df0-be3f-8d61f3966146.vbs"
        5⤵
        
        PID:1996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f89476c2-1485-489e-9cae-f522a7ea2e56.vbs"
    3⤵
    PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.6MB

MD5
0dd5e2c463f3bd692ba2369a60577889

SHA1
7c099d9b2dcd3ca90cd72790dfa5e6459a8c7af5

SHA256
1260e78ac19923ea9fe7c3a8b6186ccf130638c9ebc5f1594b81d22aa6bb5340

SHA512
41227cf2765d4b838d654e9d4bdf771754e9063037bca17f0f08de2aae1681310dc1b595e5344769fedec3bad4314243c18d5c3af52bc7e448cc7578ad6cd63f

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe

Filesize
1.6MB

MD5
ec20848f83db3017eaf15c4f841fddc5

SHA1
3f46877c232c250f7538c26b863497d7c0ffd538

SHA256
7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23

SHA512
d00d7f760f5966860a0eb4233c9d5b0bcdd2c28ccc64099e5fd728b15c08b524aed4f897244415815d31526a4ca8e5779bf137522610d9565abed8cf9fafa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\310eb7d4-d2f1-444a-a8eb-3c62c1112ed3.vbs

Filesize
732B

MD5
2da0ad2cf411d02f45b926eaaf0ab682

SHA1
d381dbc73d4fb97daee2f3e20409f85b2a4f093d

SHA256
6c571173078980f930fea988cad3499b8429a102aaf0d9b5155fb2bf8dd611d2

SHA512
851ca6bef42b27ab2d08638992738c8c24c118184056e20f7fa9516bb141303898fa593f1114e1c86cc8954d9775b56401f74f2431070e63971fa6e2039b1c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c264a1f-61b4-41bd-a476-7c572bd38138.vbs

Filesize
733B

MD5
f32e02498bafb741ab48e58da9842101

SHA1
251786b2d537f5832b28ed56755eca03be94e538

SHA256
5ead8ed061163c714886ab687869c9d64de4f2a00b824c2b7c2e553487e38c43

SHA512
659753528507748efd9d51bc4dfe0d79d82ff06ac4b0b24ffd3510e496bf9618c5445df6fb8b230bccc59b3f9938a8426c8637ff636ed1f78b22465c5bb01f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ff03f89-5381-411d-a6fc-162770daf14d.vbs

Filesize
733B

MD5
ed46ea2c3dacdff2a09e54cca8df92b3

SHA1
34e7f7f012df6aeec13022438ea456752f03a053

SHA256
bd1dce066fbbbf4003f648270f27b733dcaf119576e838dec96f502e57a035f4

SHA512
0d0e0157d0395fb34fabd697171bfb19655da6905784738b6e3241f11040bdae80932392f60c97ad1c3bbde511aad725fd177fbd22556c33d7e13dc645936921

Download Submit
C:\Users\Admin\AppData\Local\Temp\82c58a52-5694-4392-9187-ecfb51ddd60b.vbs

Filesize
733B

MD5
4a0eb64d90a8a06cbccc4634b805a083

SHA1
04c9b148e00eb80410cf22827e5847fdc68967fb

SHA256
8e2b799c6533d56cb732e6e46acb8b4e807cb970a6a265bffe860d50c2e5eba3

SHA512
358855186471eaebf507fe48861df1ee9b819a8c1340df8ddaee69bf737efef995dadbbe7b6584bbbdf994866b412391b89a05cf22d2fb92b8ab46c8f19ec408

Download Submit
C:\Users\Admin\AppData\Local\Temp\99477ce8-e323-4b23-98e9-61271f4718fe.vbs

Filesize
733B

MD5
ccec98322354e1885fb7bbae24ff78c5

SHA1
e464dc5dd2459f9a2829220685ca4a02e37c525c

SHA256
522b3c610764d3bf9752b33e60cef59cb1608c6f5e10dc450bfbbdec6c793dbd

SHA512
697edbb7d733aba62a29e51dd0d2173878cc60afef2c419acc37c92d1a76192cc966ded27a4bcc4f41cc9444bbbb3d0741692c7759a8d52b94a0a12ddb48857b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dcee104-c221-431d-b3f5-74237eb23f3c.vbs

Filesize
733B

MD5
ddc0cc81f49adfa8846852ae1ad002a1

SHA1
059b2eee4b97fdb355c94984ba3ad0a0b33f3159

SHA256
9737240602096b8066acfd635f31d2825db917e3bb438aeb05c4086f4b1c1c2f

SHA512
15276799c91dacb98c2a276b721bc9a6f36c07c7450e484ef7d6e350cbbd1307a691cb11d5c30f0a9781c5c9ca426178e33e169caca07823daaf6130d5bad721

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ee96119-71e3-4860-9e1c-c5ceecfa111b.vbs

Filesize
733B

MD5
d37f1e4a7e96478cd94c40b11ba4ca18

SHA1
1d323f05594dd7905b8bd1984fb062e1b2406cfc

SHA256
3f7f87eeb72f8afd6e250403aeac0e59283a7a6a21e5add99af6aaebbfa552e6

SHA512
20a5c70912e33eb14ce60cc915f684daff7fa79b97e4e4c279dfd72c50155a7a39f382d832da6dff3152a1a9e066824acea531171c61a1a0992d7977ee58b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7ee8eab-e315-4861-a486-744f623ca6fe.vbs

Filesize
733B

MD5
be3b7e31c9baee2e288522f70f1f965c

SHA1
da89dbf3655cfbc401e5f41647a754ec6ede3000

SHA256
4f6b22666f456caaab836d12d3856640bcc742fbfad1487910458d11f70a9e44

SHA512
3386c43b6325d29f07d4ccce75b211341300d916385ba70efde066a4bd928f6ef24e6864b5e1e06f9620fee8f0c5dd2306732077f5b67eb26b9272afa11c59f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c28414b1-8d89-4f9b-8c5c-9729fdcfe8e8.vbs

Filesize
733B

MD5
2778298d2a808c37025a5a0b6b77a614

SHA1
2ff1603ce930ecf64a5d48f872c337aa01e2aa4a

SHA256
e95e388146ba35fb0a93d1deb8acf1e047b2123f4b7ef3bb17a8914e24501541

SHA512
0ef4bf2184de3c9069911687e13c9f9e72a996fa3f7358f9764954d9ab3094444c2bd11010a6bf087c30934df6716eb09662f595be1ee3444229c586c35e2755

Download Submit
C:\Users\Admin\AppData\Local\Temp\d549ce1c-5fc8-4b7b-b6fc-93cbecdaf075.vbs

Filesize
733B

MD5
568d29b072df12cd67d380f5612baae1

SHA1
f216726b454100ffcaecf8be1b9c8a0568ff4426

SHA256
2998577312a4402303ca39f56d10ac08c2dcdcd4c9f7bb71987a86efde1b94ca

SHA512
810c4edb44d08528f5fb51f19e6a51a7699f222f06c7d54896b50989fa60b0b9cd31bf830c6f8936df96affab09d057fe292f9872a5c4d583a815f0a074a97d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6824191-4d15-4384-8ee7-01fc5851f8c8.vbs

Filesize
733B

MD5
409642cc5e772bebeae3c524b0836ce9

SHA1
b70d1a03b54d8aac5021a30d64f329dd9ede40a1

SHA256
813cacf5899d8a894a3b0b6e72a478b8393488215db5134fdc8a75defb16817b

SHA512
76c37e3c5a6711a7e23d004e1821e9b6e77cb2949a9a3006a99c04fde09ad167147842d99fa710871684b1e57a530236f53d0a5c12289fde9de01ac590193c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f89476c2-1485-489e-9cae-f522a7ea2e56.vbs

Filesize
509B

MD5
58dc25c64d7c1eac535dd1b301ae30a5

SHA1
dfbbf4bce79d91d925f7e9fff994e99c3e07403f

SHA256
5eea1ec3502dd8c4a9de0a3b0101256f064e8751f7db6d6ef2842ee1568f064e

SHA512
ca331fd8ee1459e8d098d0693ebd14298d1cf6cf1b1cf192c24ca7b626b344d1af69fc89abe8c04b4794e8c5f9eff0e5485121bf73f96b6a792c3c4f767cadbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa60a21f-fa72-43b3-9d64-5cfa4088894e.vbs

Filesize
733B

MD5
d54569301d941ef55796cf70416b5d5b

SHA1
0898e7d15656ccaa28bf5fb70b5598c969560740

SHA256
41bb56ed3e008efbb3ed51e07b94ccfcf54fa5e9da03efabda2e11f16b096d5b

SHA512
1b46060c9fba68aaff7173125f9dd75b680902f045ba9cb959e6ce4490bd847a948d420ba1c4a1806f13944c4f79cd261678d52b7df48713cca37da9015107b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
340b6c7caed1a307340768ad31352afe

SHA1
fa4fb2c946abb44aae08eb1f6ff85b950e6daf6e

SHA256
e54f5b01e625b42bc424c99d3b992f91cb1231b0b804f612df28151cbb6b0044

SHA512
a482cc628cd0f223594e9e6a49ea9ece8d19a7fb6e747a4203ebe57a2419d00d0b6b8660e33ae12077d46e67fd946c54820f57360c234c4a2b6d9bac723dedbe

Download Submit
memory/1048-109-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1048-104-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1680-245-0x0000000000F60000-0x0000000001102000-memory.dmp

Filesize
1.6MB

Download
memory/1904-148-0x0000000000150000-0x00000000002F2000-memory.dmp

Filesize
1.6MB

Download
memory/2352-221-0x00000000000A0000-0x0000000000242000-memory.dmp

Filesize
1.6MB

Download
memory/2460-197-0x0000000000240000-0x00000000003E2000-memory.dmp

Filesize
1.6MB

Download
memory/2568-160-0x0000000000DA0000-0x0000000000F42000-memory.dmp

Filesize
1.6MB

Download
memory/2612-233-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download
memory/2944-185-0x00000000011B0000-0x0000000001352000-memory.dmp

Filesize
1.6MB

Download
memory/2948-172-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/2980-209-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/3004-136-0x0000000001140000-0x00000000012E2000-memory.dmp

Filesize
1.6MB

Download
memory/3028-125-0x00000000010A0000-0x0000000001242000-memory.dmp

Filesize
1.6MB

Download
memory/3068-124-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-0-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/3068-15-0x000000001A810000-0x000000001A81A000-memory.dmp

Filesize
40KB

Download
memory/3068-14-0x000000001A800000-0x000000001A808000-memory.dmp

Filesize
32KB

Download
memory/3068-13-0x000000001A7F0000-0x000000001A7F8000-memory.dmp

Filesize
32KB

Download
memory/3068-12-0x000000001A7E0000-0x000000001A7EE000-memory.dmp

Filesize
56KB

Download
memory/3068-11-0x000000001A7D0000-0x000000001A7DA000-memory.dmp

Filesize
40KB

Download
memory/3068-10-0x000000001A7C0000-0x000000001A7CC000-memory.dmp

Filesize
48KB

Download
memory/3068-9-0x0000000002310000-0x000000000231C000-memory.dmp

Filesize
48KB

Download
memory/3068-8-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/3068-7-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/3068-6-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/3068-5-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/3068-4-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/3068-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/3068-2-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download