dcrat | 894a461e0d709023ba6ec45f748b38a79ae12cf398702244ef2ffa93dd644133

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Size

1.6MB
MD5

ea4af16c25f7941503efcfb413ecb310
SHA1

dddca77691de109f0dc9c9680d3680950b4bfa51
SHA256

ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947
SHA512

08354124b35e61ff4b153bcf1615cc1e9320f8fb9e92e0ee56eb5e2e29d2153386822d4131a34488304b8073a697afb2a46952ea819511199b1a010ae20123e8
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2784	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2332-1-0x0000000000CD0000-0x0000000000E72000-memory.dmp	dcrat
behavioral13/files/0x000500000001960e-25.dat	dcrat
behavioral13/files/0x0005000000019fb9-42.dat	dcrat
behavioral13/files/0x0011000000012033-89.dat	dcrat
behavioral13/memory/2640-149-0x00000000008F0000-0x0000000000A92000-memory.dmp	dcrat
behavioral13/memory/3040-160-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat
behavioral13/memory/908-172-0x0000000000D60000-0x0000000000F02000-memory.dmp	dcrat
behavioral13/memory/2152-195-0x0000000000030000-0x00000000001D2000-memory.dmp	dcrat
behavioral13/memory/1268-207-0x0000000000050000-0x00000000001F2000-memory.dmp	dcrat
behavioral13/memory/2396-219-0x0000000001210000-0x00000000013B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1232	powershell.exe
692	powershell.exe
2612	powershell.exe
2608	powershell.exe
1536	powershell.exe
1304	powershell.exe
956	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2640	wininit.exe
3040	wininit.exe
908	wininit.exe
1696	wininit.exe
2152	wininit.exe
1268	wininit.exe
2396	wininit.exe
2928	wininit.exe
896	wininit.exe
3004	wininit.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE03C.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE0AA.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\56085415360792	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\AppPatch\es-ES\wininit.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\AppPatch\es-ES\56085415360792	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\L2Schemas\RCXDA2E.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\L2Schemas\wininit.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\AppPatch\es-ES\RCXDE38.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\AppPatch\es-ES\wininit.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\L2Schemas\wininit.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\L2Schemas\RCXDA2D.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\AppPatch\es-ES\RCXDE37.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
2988	schtasks.exe
2636	schtasks.exe
2704	schtasks.exe
2796	schtasks.exe
2980	schtasks.exe
3020	schtasks.exe
3032	schtasks.exe
2144	schtasks.exe
2688	schtasks.exe
2904	schtasks.exe
2632	schtasks.exe
3040	schtasks.exe
2780	schtasks.exe
2920	schtasks.exe
2840	schtasks.exe
2848	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
2612	powershell.exe
692	powershell.exe
2608	powershell.exe
956	powershell.exe
1304	powershell.exe
1536	powershell.exe
1232	powershell.exe
2640	wininit.exe
3040	wininit.exe
908	wininit.exe
1696	wininit.exe
2152	wininit.exe
1268	wininit.exe
2396	wininit.exe
2928	wininit.exe
896	wininit.exe
3004	wininit.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2640	wininit.exe
Token: SeDebugPrivilege	3040	wininit.exe
Token: SeDebugPrivilege	908	wininit.exe
Token: SeDebugPrivilege	1696	wininit.exe
Token: SeDebugPrivilege	2152	wininit.exe
Token: SeDebugPrivilege	1268	wininit.exe
Token: SeDebugPrivilege	2396	wininit.exe
Token: SeDebugPrivilege	2928	wininit.exe
Token: SeDebugPrivilege	896	wininit.exe
Token: SeDebugPrivilege	3004	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2608	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	50
PID 2332 wrote to memory of 2608	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	50
PID 2332 wrote to memory of 2608	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	50
PID 2332 wrote to memory of 2612	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	51
PID 2332 wrote to memory of 2612	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	51
PID 2332 wrote to memory of 2612	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	51
PID 2332 wrote to memory of 692	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	53
PID 2332 wrote to memory of 692	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	53
PID 2332 wrote to memory of 692	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	53
PID 2332 wrote to memory of 1232	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	54
PID 2332 wrote to memory of 1232	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	54
PID 2332 wrote to memory of 1232	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	54
PID 2332 wrote to memory of 956	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	57
PID 2332 wrote to memory of 956	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	57
PID 2332 wrote to memory of 956	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	57
PID 2332 wrote to memory of 1304	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	58
PID 2332 wrote to memory of 1304	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	58
PID 2332 wrote to memory of 1304	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	58
PID 2332 wrote to memory of 1536	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	59
PID 2332 wrote to memory of 1536	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	59
PID 2332 wrote to memory of 1536	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	59
PID 2332 wrote to memory of 2520	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	64
PID 2332 wrote to memory of 2520	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	64
PID 2332 wrote to memory of 2520	2332	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	64
PID 2520 wrote to memory of 2568	2520	cmd.exe	66
PID 2520 wrote to memory of 2568	2520	cmd.exe	66
PID 2520 wrote to memory of 2568	2520	cmd.exe	66
PID 2520 wrote to memory of 2640	2520	cmd.exe	67
PID 2520 wrote to memory of 2640	2520	cmd.exe	67
PID 2520 wrote to memory of 2640	2520	cmd.exe	67
PID 2640 wrote to memory of 2700	2640	wininit.exe	68
PID 2640 wrote to memory of 2700	2640	wininit.exe	68
PID 2640 wrote to memory of 2700	2640	wininit.exe	68
PID 2640 wrote to memory of 2952	2640	wininit.exe	69
PID 2640 wrote to memory of 2952	2640	wininit.exe	69
PID 2640 wrote to memory of 2952	2640	wininit.exe	69
PID 2700 wrote to memory of 3040	2700	WScript.exe	70
PID 2700 wrote to memory of 3040	2700	WScript.exe	70
PID 2700 wrote to memory of 3040	2700	WScript.exe	70
PID 3040 wrote to memory of 1616	3040	wininit.exe	71
PID 3040 wrote to memory of 1616	3040	wininit.exe	71
PID 3040 wrote to memory of 1616	3040	wininit.exe	71
PID 3040 wrote to memory of 236	3040	wininit.exe	72
PID 3040 wrote to memory of 236	3040	wininit.exe	72
PID 3040 wrote to memory of 236	3040	wininit.exe	72
PID 1616 wrote to memory of 908	1616	WScript.exe	73
PID 1616 wrote to memory of 908	1616	WScript.exe	73
PID 1616 wrote to memory of 908	1616	WScript.exe	73
PID 908 wrote to memory of 2420	908	wininit.exe	74
PID 908 wrote to memory of 2420	908	wininit.exe	74
PID 908 wrote to memory of 2420	908	wininit.exe	74
PID 908 wrote to memory of 1296	908	wininit.exe	75
PID 908 wrote to memory of 1296	908	wininit.exe	75
PID 908 wrote to memory of 1296	908	wininit.exe	75
PID 2420 wrote to memory of 1696	2420	WScript.exe	76
PID 2420 wrote to memory of 1696	2420	WScript.exe	76
PID 2420 wrote to memory of 1696	2420	WScript.exe	76
PID 1696 wrote to memory of 840	1696	wininit.exe	77
PID 1696 wrote to memory of 840	1696	wininit.exe	77
PID 1696 wrote to memory of 840	1696	wininit.exe	77
PID 1696 wrote to memory of 1040	1696	wininit.exe	78
PID 1696 wrote to memory of 1040	1696	wininit.exe	78
PID 1696 wrote to memory of 1040	1696	wininit.exe	78
PID 840 wrote to memory of 2152	840	WScript.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
"C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\es-ES\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2568
- - C:\Windows\AppPatch\es-ES\wininit.exe
    "C:\Windows\AppPatch\es-ES\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f808e28-4c42-4c3c-b9a8-37f5f3aad8d2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390d9011-c6a6-4e23-a203-fb8716db047c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c978a9d-a84e-4c0e-b668-aa4cbca01a0d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a37f3e-7c6e-4e60-ba4b-1d31aa4a88c5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15bdb1da-5db8-4eaa-95d5-8a77e2827e4b.vbs"
        12⤵
        
        PID:2932
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5b2b5f-157c-420e-80ab-a9390d9dcc32.vbs"
        14⤵
        
        PID:1020
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63c3592e-fa47-43ae-948f-09d3b7733e5c.vbs"
        16⤵
        
        PID:2172
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce96e611-f296-4efc-ba03-75b65e4cd2db.vbs"
        18⤵
        
        PID:768
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99525b1a-5673-4e4b-9a50-e1d72cee458c.vbs"
        20⤵
        
        PID:1300
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        
        C:\Windows\AppPatch\es-ES\wininit.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2d223a-d344-423e-bc70-0a38e0218d9d.vbs"
        22⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe6a1e3-1a6a-40fb-8710-11a1b37df4ff.vbs"
        22⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466e4e1c-4a94-4b81-b501-f11fd9953690.vbs"
        20⤵
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d1849d7-1132-4bbe-b60f-21770100ac0f.vbs"
        18⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22080a08-1325-4167-92c7-22bb5f1f24ad.vbs"
        16⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a47cdf-04a4-4788-9639-a1ad639c2a89.vbs"
        14⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d32e1df0-c3a1-446c-b7ef-a8d6e2ebe7cb.vbs"
        12⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adc7f143-f8e8-4a9f-82eb-e5ecee5384b4.vbs"
        10⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8031fc4-318e-4460-9ca6-25ecadea2c1b.vbs"
        8⤵
        
        PID:1296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77872d1f-1fc3-4c52-97ce-2a055a00083c.vbs"
        6⤵
        
        PID:236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\050c8718-2593-4c25-9dc0-2257884220d9.vbs"
      4⤵
      PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe

Filesize
1.6MB

MD5
a18e9e95ba1c76a650464f4187084e9a

SHA1
461ff3a0a6ee357effdebf3103a4e2414eb641c2

SHA256
88fa26497fc2b5c93192510e67374b172d4fbaf43522760f17d15cc33b418548

SHA512
27d71c9715e61ed841b28a9433f004d6a3b42f479de7cb0eb53862eeecb0d93878c7048b7b37952ee12bfc690635b4c3347e7494388b2a99fd858f98d0ea4e77

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe

Filesize
1.6MB

MD5
ea4af16c25f7941503efcfb413ecb310

SHA1
dddca77691de109f0dc9c9680d3680950b4bfa51

SHA256
ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947

SHA512
08354124b35e61ff4b153bcf1615cc1e9320f8fb9e92e0ee56eb5e2e29d2153386822d4131a34488304b8073a697afb2a46952ea819511199b1a010ae20123e8

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe

Filesize
1.6MB

MD5
e67469bdc8ce926598fd6424236db715

SHA1
2187691a729100ef0163d0b499c352a727c9047e

SHA256
16b3e409bdf8d2fa4c4d64b72b82df0bd2d23adc1a43e979b79f0c1090e07366

SHA512
6b70a7532c80f4d55bdc5b48bde011da0bbe7dad556ef425b66a361892f20984ddf5cf490f9a4ea27c2c02835020f6929fdbe3d39cdb843fc5d9ce19676ed5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\050c8718-2593-4c25-9dc0-2257884220d9.vbs

Filesize
489B

MD5
a3ba4ad39518de91ebb44d0e5a3e1c61

SHA1
9d4e513bc463582d280e57264de56421ea3a573d

SHA256
637058d54dfaf8f469d09955ef2b232ae03853c59c9fc20fffd32266df6497ed

SHA512
b73f1034e3801bb8e56a24c3790076039fc58933dd7d981ed774e8b71a5a8df148e0b6679ee22755ff0123d9a9a48073bc8f88dc0907a85acfe3aebe9ff833a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\15bdb1da-5db8-4eaa-95d5-8a77e2827e4b.vbs

Filesize
713B

MD5
1057be45b7957727f4651151cbfae053

SHA1
4a88a3561f4a11c055c101e60965dd815762600b

SHA256
219ad8afc61e87c6c5c591442a4fff040212daff3697b33edcc69936c7119943

SHA512
3c968d7368cbad571d245bc61144032b638164de71b2545a8f4dfb03c4139e207ffa86e8858e26fa848d2c235e95ce68bbb31d8b9a58b058461493da5661eb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b2d223a-d344-423e-bc70-0a38e0218d9d.vbs

Filesize
713B

MD5
dfad56c75074e6a91d9f6151caf701a3

SHA1
a73243c3f5e6052063cea8c082c8948dbad2aa2a

SHA256
1cad6201b45c6143b37a810ecaabcc838ca08afc9c0f7c1ea6f7314193eda686

SHA512
feb8ef32768f9cc1bb377603933adb176bafdf6c15dc3d605a85c56757f34ad55d762e6667ba01f57bb6dc3d9a4ba2528ad857e25660782a8972403c950f8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\390d9011-c6a6-4e23-a203-fb8716db047c.vbs

Filesize
713B

MD5
2b30d3706f8c8f0a18fd786120c5bf8e

SHA1
36cace268fee14d303c84db66517a2cf3f6150b2

SHA256
8dbd4ff021806ab4dfa6a4fd87935c47ec3f42ae71236479634bb72ed164e7c6

SHA512
68f95036909d5ed603488556815098e2128768367221c47d100840aa56c7a93fc8950b0e8130fdfdb40117c5a85533438ef4cadbdd78316d983157bd347b5edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f808e28-4c42-4c3c-b9a8-37f5f3aad8d2.vbs

Filesize
713B

MD5
5acee143cd2e4f958f4bcd7747ecf6c9

SHA1
8d8e4f221c30612705acc8ea21b67f0d7f6c5427

SHA256
3373e6c26447601194e6524c17aac1a0a1f8489e2656fff0104cb88794f1845c

SHA512
490c23485d617bb698dc33540ebf8736d1e9def83746db0848814553623ed51e3338518e82910633bbe83f5c51530a645fb0639910cbafff6e263e39961677c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\63c3592e-fa47-43ae-948f-09d3b7733e5c.vbs

Filesize
713B

MD5
8789a354287be98d76df395593407a25

SHA1
efded91535eb8888e10458b5c57ddf61ff4e5dcb

SHA256
159f891e7e5d47d8f36e964758c6518db299e00919132a6ec1bac7a7cb519ad7

SHA512
59d8f302153e677bbb8e7f89b0557166c6614fe73141ae9283774607d4872aa8f2ad10b7b203530d9c577a8d86ac0f28f5ab48a51da7e8b55546aa9da96442cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c978a9d-a84e-4c0e-b668-aa4cbca01a0d.vbs

Filesize
712B

MD5
b829a222a49faaa7794ad7ad5652adac

SHA1
79c68d9dc689d8e3068e9648ad8d5fe72851a5ff

SHA256
a558de47348f11b3c33fb45193706bd048f736c5b9cb0d108aed6bf4e30b5d04

SHA512
c0ac12d7a79a809ae402476f9420fa7cb047de3533901c7732222b859a0c2c587ce45e4e6708e32ddfad8d3fc847fd53883fa3571a6969f148b033642879abf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\99525b1a-5673-4e4b-9a50-e1d72cee458c.vbs

Filesize
712B

MD5
6466d24506e1a0cd3a56341571e11c94

SHA1
fc9121e38cc701fa9d9855a197f9caa92966c537

SHA256
2e7894aa794611ea2e8c8a3538cd6a595cd8ea379ec1b49c9f97856e2417de77

SHA512
86de55877120829c075502a8037212102978d3cd3b16d7627ab33de1834d25613ca93a4444aedcb89816191cd7103f3ab18a74e295a0247d0f462f12cba1aaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b5b2b5f-157c-420e-80ab-a9390d9dcc32.vbs

Filesize
713B

MD5
eee8c1d8a1be2bb496912898d204106c

SHA1
4030f9bb6fe50ca0972e2c7776839bd930f24bd5

SHA256
8123aeeade29222ca1097ef833edfd361858dd4150d038b8b419fbece9bbd347

SHA512
9ebf43c1890f220ca684f00123814fd15ce46652b4d3cacf546e8584f8d5c95f08698120e981b898e40e3065f2bdf8c62006ef90a0f1ca059c90b93446bbf097

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0a37f3e-7c6e-4e60-ba4b-1d31aa4a88c5.vbs

Filesize
713B

MD5
022942b6125c6ef9dd12e577636e1b46

SHA1
3a92e7d34eb686d5683985b876617fe2e3bddd99

SHA256
fc246f4291df4d6a04ab767f41cdf83b1332b6f2a60e13c159655739621136fa

SHA512
5e27ea2c8983548147c087bd00b87a2049ba2b2fc2a4b2d799c3e460be76cf1cf3aec3df1941d4f2acef979ed444c0bc9d1cc128c333ebd00e1d7c3d9b88dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce96e611-f296-4efc-ba03-75b65e4cd2db.vbs

Filesize
713B

MD5
ff102135f30db5a0494562c868e8002b

SHA1
617087f0d219b41ec03b2ab724d33b11512d9a4d

SHA256
9f781a0319640245c0f674c558a76536ff44e64b4d35fc5d22123737c185c411

SHA512
211d77072b65797fa1329ea28758fc946246bbeca99c0a28fc8e1dc244fe55701cf482bf3fffc327b04e0b1a0f172a934f829b410ee6a17aa3afa57623fb2c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat

Filesize
202B

MD5
9063a5448fe032601813979b85ea77b6

SHA1
255dc59b700444a726e4985962e7d380c79dd91d

SHA256
dfbbf03e35050a01bf5a5aceffd50b8c60f3f3c25029a838c88fcba51cb5d953

SHA512
2b94fdf874f2a81af9e909a9d6330d76e383c247918da181f2a6f657a2c531f90256128c3bf9d12adac70f4bbd23ea5683b520bedc5df25dd84056638d7539a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a5dbae604aa25a5181bc3681863152c7

SHA1
dd764b20ddcd037f42e1f0d77015e1d38227e8c3

SHA256
b919ab1447567969fcb9fbbb4cb199ed3cb5790d231614aa9bf09dbee818a132

SHA512
09346713ad7373e0a8477c7d0e18830fcd86445417dd82882c1a97af60d14bbc5192da6559befa4fd758fe7e120965319750313d43a2021897777232db64db88

Download Submit
memory/908-172-0x0000000000D60000-0x0000000000F02000-memory.dmp

Filesize
1.6MB

Download
memory/1268-207-0x0000000000050000-0x00000000001F2000-memory.dmp

Filesize
1.6MB

Download
memory/2152-195-0x0000000000030000-0x00000000001D2000-memory.dmp

Filesize
1.6MB

Download
memory/2332-11-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/2332-16-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/2332-1-0x0000000000CD0000-0x0000000000E72000-memory.dmp

Filesize
1.6MB

Download
memory/2332-138-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-14-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2332-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2332-10-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2332-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2332-4-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2332-13-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/2332-7-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2332-12-0x0000000000870000-0x000000000087E000-memory.dmp

Filesize
56KB

Download
memory/2332-9-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2332-15-0x0000000002280000-0x000000000228A000-memory.dmp

Filesize
40KB

Download
memory/2332-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-8-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2332-5-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2396-219-0x0000000001210000-0x00000000013B2000-memory.dmp

Filesize
1.6MB

Download
memory/2612-140-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2612-139-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2640-149-0x00000000008F0000-0x0000000000A92000-memory.dmp

Filesize
1.6MB

Download
memory/3040-160-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download