dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
152s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86513494c7861a5a0c9f1c0fb478e36d.exe
Size

2.5MB
MD5

86513494c7861a5a0c9f1c0fb478e36d
SHA1

0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256

80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512

e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
SSDEEP

49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\blb_ps\101b941d020240		86513494c7861a5a0c9f1c0fb478e36d.exe
		2800	schtasks.exe
		2684	schtasks.exe
File created	C:\Windows\System32\blb_ps\lsm.exe		86513494c7861a5a0c9f1c0fb478e36d.exe
		2928	schtasks.exe
		2776	schtasks.exe
		2768	schtasks.exe
		2876	schtasks.exe
		2824	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2784	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
3032	powershell.exe
852	powershell.exe
2852	powershell.exe
1028	powershell.exe
2360	powershell.exe
2964	powershell.exe
2996	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2252	lsm.exe
2684	lsm.exe
1952	lsm.exe
2052	lsm.exe
1164	lsm.exe
1684	lsm.exe
1604	lsm.exe
1764	lsm.exe
672	lsm.exe
2808	lsm.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\xmlprovi\\services.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\lsm.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\wmi\\WMIADAP.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\winlogon.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NlsData0049\\dllhost.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\blb_ps\\lsm.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wbem\wmi\RCXA26.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\wbem\wmi\RCXAA4.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\NlsData0049\RCXFB6.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\blb_ps\lsm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\NlsData0049\dllhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\xmlprovi\RCX504.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\xmlprovi\RCX582.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\NlsData0049\RCX1034.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\xmlprovi\services.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\wbem\wmi\75a57c1bdf437c	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\blb_ps\RCX274.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\xmlprovi\services.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\NlsData0049\dllhost.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\xmlprovi\c5b4cb5e9653cc	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\wbem\wmi\WMIADAP.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\NlsData0049\5940a34987c991	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\blb_ps\RCX263.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\wbem\wmi\WMIADAP.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\blb_ps\lsm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\blb_ps\101b941d020240	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\101b941d020240	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCX795.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCX813.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
2824	schtasks.exe
2684	schtasks.exe
2928	schtasks.exe
2776	schtasks.exe
2768	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
3032	powershell.exe
1028	powershell.exe
2852	powershell.exe
2964	powershell.exe
3052	powershell.exe
852	powershell.exe
2564	86513494c7861a5a0c9f1c0fb478e36d.exe
2360	powershell.exe
2996	powershell.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe
2252	lsm.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	86513494c7861a5a0c9f1c0fb478e36d.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2252	lsm.exe
Token: SeDebugPrivilege	2684	lsm.exe
Token: SeDebugPrivilege	1952	lsm.exe
Token: SeDebugPrivilege	2052	lsm.exe
Token: SeDebugPrivilege	1164	lsm.exe
Token: SeDebugPrivilege	1684	lsm.exe
Token: SeDebugPrivilege	1604	lsm.exe
Token: SeDebugPrivilege	1764	lsm.exe
Token: SeDebugPrivilege	672	lsm.exe
Token: SeDebugPrivilege	2808	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2964	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 2564 wrote to memory of 2964	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 2564 wrote to memory of 2964	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 2564 wrote to memory of 2996	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 2564 wrote to memory of 2996	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 2564 wrote to memory of 2996	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 2564 wrote to memory of 3052	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 2564 wrote to memory of 3052	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 2564 wrote to memory of 3052	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 2564 wrote to memory of 3032	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	43
PID 2564 wrote to memory of 3032	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	43
PID 2564 wrote to memory of 3032	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	43
PID 2564 wrote to memory of 2852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	44
PID 2564 wrote to memory of 2852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	44
PID 2564 wrote to memory of 2852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	44
PID 2564 wrote to memory of 852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 2564 wrote to memory of 852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 2564 wrote to memory of 852	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 2564 wrote to memory of 1028	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 2564 wrote to memory of 1028	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 2564 wrote to memory of 1028	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 2564 wrote to memory of 2360	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 2564 wrote to memory of 2360	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 2564 wrote to memory of 2360	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 2564 wrote to memory of 2252	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 2564 wrote to memory of 2252	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 2564 wrote to memory of 2252	2564	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 2252 wrote to memory of 2764	2252	lsm.exe	56
PID 2252 wrote to memory of 2764	2252	lsm.exe	56
PID 2252 wrote to memory of 2764	2252	lsm.exe	56
PID 2252 wrote to memory of 3060	2252	lsm.exe	57
PID 2252 wrote to memory of 3060	2252	lsm.exe	57
PID 2252 wrote to memory of 3060	2252	lsm.exe	57
PID 2764 wrote to memory of 2684	2764	WScript.exe	58
PID 2764 wrote to memory of 2684	2764	WScript.exe	58
PID 2764 wrote to memory of 2684	2764	WScript.exe	58
PID 2684 wrote to memory of 2312	2684	lsm.exe	59
PID 2684 wrote to memory of 2312	2684	lsm.exe	59
PID 2684 wrote to memory of 2312	2684	lsm.exe	59
PID 2684 wrote to memory of 2640	2684	lsm.exe	60
PID 2684 wrote to memory of 2640	2684	lsm.exe	60
PID 2684 wrote to memory of 2640	2684	lsm.exe	60
PID 2312 wrote to memory of 1952	2312	WScript.exe	61
PID 2312 wrote to memory of 1952	2312	WScript.exe	61
PID 2312 wrote to memory of 1952	2312	WScript.exe	61
PID 1952 wrote to memory of 648	1952	lsm.exe	62
PID 1952 wrote to memory of 648	1952	lsm.exe	62
PID 1952 wrote to memory of 648	1952	lsm.exe	62
PID 1952 wrote to memory of 2236	1952	lsm.exe	63
PID 1952 wrote to memory of 2236	1952	lsm.exe	63
PID 1952 wrote to memory of 2236	1952	lsm.exe	63
PID 648 wrote to memory of 2052	648	WScript.exe	64
PID 648 wrote to memory of 2052	648	WScript.exe	64
PID 648 wrote to memory of 2052	648	WScript.exe	64
PID 2052 wrote to memory of 2528	2052	lsm.exe	65
PID 2052 wrote to memory of 2528	2052	lsm.exe	65
PID 2052 wrote to memory of 2528	2052	lsm.exe	65
PID 2052 wrote to memory of 1744	2052	lsm.exe	66
PID 2052 wrote to memory of 1744	2052	lsm.exe	66
PID 2052 wrote to memory of 1744	2052	lsm.exe	66
PID 2528 wrote to memory of 1164	2528	WScript.exe	67
PID 2528 wrote to memory of 1164	2528	WScript.exe	67
PID 2528 wrote to memory of 1164	2528	WScript.exe	67
PID 1164 wrote to memory of 800	1164	lsm.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe
"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\blb_ps\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\xmlprovi\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wmi\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData0049\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
  "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cb5792b-933d-4831-9e88-ea9b7d93fbf2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
      "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\044e41fc-6655-423f-85fa-c5a6b34833cf.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de86b3aa-dca7-4088-839b-1713c12e97d2.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db035baf-2a3c-4d49-9ed1-08d85d9a6693.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4072fab-c3a6-4879-9295-370ccfae20c7.vbs"
        11⤵
        
        PID:800
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed4f65b5-ac47-45dc-975e-0d2230b0c220.vbs"
        13⤵
        
        PID:2252
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ab57e40-97c4-4e8f-80fe-f5751dfca2f0.vbs"
        15⤵
        
        PID:1716
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e202aec-607e-4b85-9a3b-0cf44a63b062.vbs"
        17⤵
        
        PID:1728
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5efc9d16-9624-4ded-9d97-ca5c4cc33b49.vbs"
        19⤵
        
        PID:2920
        
        C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe
        
        "C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75342f6f-aa76-4a01-8e85-d466d0362994.vbs"
        21⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9a79c5-f5eb-4dbd-b773-7352efd437cf.vbs"
        21⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2540ebed-1eba-4280-af15-98004313776a.vbs"
        19⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59ddf08e-dbc2-45f0-aeae-4c834a5eb2c9.vbs"
        17⤵
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb5839d-c7c6-44cc-88fa-f5c071936091.vbs"
        15⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2281426-9613-479c-8cdf-aeb9a8304fb2.vbs"
        13⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\666eea8f-c6fe-44a0-b542-0d3f3a4d4f15.vbs"
        11⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509b777c-285b-4b8b-bb05-9102044c4ece.vbs"
        9⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca59387-5930-4c83-afd6-3ec5b4df5db3.vbs"
        7⤵
        
        PID:2236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a655ae63-7871-4fe9-bcfe-6f8449d77bce.vbs"
        5⤵
        
        PID:2640
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7a959d-7dc6-4e3c-a661-215e03b5888b.vbs"
    3⤵
    PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\blb_ps\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\xmlprovi\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmi\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0049\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Visualizations\lsm.exe

Filesize
2.5MB

MD5
de8cccff859771564043457f770569dc

SHA1
78b5bfb9e2430081e6c7470919146761caf3c8f2

SHA256
91e0f56f8987cde6f24828ac44a4dbb8fcbd4fd9eac8fcbf6819899e83d1c92e

SHA512
f4437ffa3db6dfa107834857c9d9a9001d39130574838ecd98df2183aef8aa432260b88eeb6d0c10246c718a26ea04b7e023d2db5497ef137a138ca14f80a7b7

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe

Filesize
2.5MB

MD5
86513494c7861a5a0c9f1c0fb478e36d

SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f

SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\044e41fc-6655-423f-85fa-c5a6b34833cf.vbs

Filesize
742B

MD5
335279524cc9f71f06355c53a6006c5b

SHA1
6da11dae13202f5e0df376c0199036dc7ace74d0

SHA256
d09cd8a2a443e344be3ffaf735930edf734311cfdbc40a49b10ee62f655575d1

SHA512
904680cbc5c9e4772ab91ae34caa20d196b815d9edc35b217be51d303c4d36c6637daf9e1bd39f33c1064e10cfd965b110a71a9c8b6c1375b448748e906f244e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5efc9d16-9624-4ded-9d97-ca5c4cc33b49.vbs

Filesize
741B

MD5
b211491796b41af86f7f6c41aee4daa3

SHA1
5d693cc46b7d60a29ba9a938a0d71d7689a266fd

SHA256
637b92b43c6ef35a81b9c78f63ebd2f094d9c540bcebb417bb83d44b5868a119

SHA512
970180f4ef9b44d7d875ee5271084e51cb62d014375b433a903db06ba0cad6b12087819094a108d6a66041d8416449a9661de8ff86671a5ba82d2c505441951a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e202aec-607e-4b85-9a3b-0cf44a63b062.vbs

Filesize
742B

MD5
7d9b2bbbf10d149fea6ea4ed9f7928e4

SHA1
7c805881afd8040c59861602474489504eb8ea7a

SHA256
f0d7530b6092536596aff68b987589385632a586bb04a9a98aea7be483b83b7a

SHA512
f8e531d0529f49104dc209ecf875796dfa5598783f26a52ffa1f566b80fb86db426d857a04cf8021ec4e80bbb6d42bdf0e99a20c4e03c9af97fa866422238085

Download Submit
C:\Users\Admin\AppData\Local\Temp\75342f6f-aa76-4a01-8e85-d466d0362994.vbs

Filesize
742B

MD5
9361c8be34edb9e997863be0bc4ee8e6

SHA1
9508c71db1a5815df744b7ef6f9a964f58bfb9be

SHA256
5909aaa70c2a7f791e0c021c5204cecae1d98bc6b5e551037f8e6aa488306cfc

SHA512
d3a71d0d881d3366bf57a96bd0cd82e2a6bb335369699e976248a6c52479cdf201c1884bdc0884022215cbdd3f810a57cee40d203cdd181541b14eab21cc0ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ab57e40-97c4-4e8f-80fe-f5751dfca2f0.vbs

Filesize
742B

MD5
508d30ae946ae8921911e349fdadd1ad

SHA1
c5bd81187b14d3dfc5c8f916a463037272c2da37

SHA256
68312c44c28efdcb4f59aa6f5e530c37e480e126e1c8ab1318b3e491bd86badc

SHA512
080baf77f42e4ee2ad6ec436751fd2abfa8acd235194f6c68d7afbb47ff3c72506db30b47c17049e292e069e73b3992b37b7e7e003614881067a02a1493c883f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d7a959d-7dc6-4e3c-a661-215e03b5888b.vbs

Filesize
518B

MD5
495f5aab2107055d5cf9c80a0eafd781

SHA1
29297b898bffb6b028c159ccc524519345bfaace

SHA256
d03ff9140c3f8cc79844de58d53b4ae128e6029f4e97c060c9db60c2297e5c9c

SHA512
6ea98ada8f657f020570fcdabe3a1cc9b4f0fda7b874cc3d90ca22336ccd1cecb3d617d4c24344e8e3a8118efb01fc4c85288a9ab9d1d1138230ec4345c395e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cb5792b-933d-4831-9e88-ea9b7d93fbf2.vbs

Filesize
742B

MD5
6b5bd034d2c90c5205ba21262ba63b44

SHA1
06ad1943bbfcbcc9b17f10cd9dbbe0b370ae6410

SHA256
506faba0b1ec3ac83a20169188c8636a783cab7cd92a60484f4efb3f017c2737

SHA512
bbb12fce2cf94a39a0b4fd79b8a3f1638265c8ff31be9c51deedda42f83193edf66873e869869f8686d54a755c318e281284cf3e87c7c4cf34bf7876d05320f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4072fab-c3a6-4879-9295-370ccfae20c7.vbs

Filesize
742B

MD5
3cd565f639936112fcd754f396e61aa9

SHA1
b7faefa6823b0696a26990ceece6451985574e2f

SHA256
6458302dd60f5a213d5e6a2d2933a375195afe602e21fa5027a5012bf37748c8

SHA512
2343ca803340f63d196ec66e27c1736c965d277718359013d3de97581089c05dc39808eafa2444dbccb85d197345eaec2fdee1817e25b52d64590b90cb2e01c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db035baf-2a3c-4d49-9ed1-08d85d9a6693.vbs

Filesize
742B

MD5
1e583ca51d9f16f4317c7c9379648ed5

SHA1
58e66dd2472f50fc40ae9624b68e8469b8b269d8

SHA256
af82198431c1bc20da8c01c81171f4068b58c2fb86b91ee0e38b2a3c69c6eb89

SHA512
1aee6b41240d2df52d5b613aae910e105e8c1eac273dc518f44e37594c7918893404687d01393d75501fa60dc999a134d236626e80d34ae25e49341c10281030

Download Submit
C:\Users\Admin\AppData\Local\Temp\de86b3aa-dca7-4088-839b-1713c12e97d2.vbs

Filesize
742B

MD5
7996c9bb5b8e7ad200f6a75f3e16ccf7

SHA1
6713ba88a76f2422a79c9b9978e317569e5a2520

SHA256
740d7cb3562ad84577a8ac543fe4fb14567e9dfed490b14d34229e8b96bdac64

SHA512
919761acfdde57f7c0ab6cdf4bf1b877997a822d45edb61e4fde6fd5f901447835fbab5a2e8d363c9c7169d1d7f593e355947fa74e72c601c63ec98ede2c305f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed4f65b5-ac47-45dc-975e-0d2230b0c220.vbs

Filesize
742B

MD5
aebad316503311bd81d845c55a668a3c

SHA1
5576fa23c5c029f98443c43ab657284939f2548c

SHA256
46e62c0a2abbac931f346ddf00b0ff04a20691e49b434b115e1aae472bf528a5

SHA512
85a74302ab44be60371cfaa8ad2e2d192ecb3c17a2ebcedc453c89824a3ddd1f52b89ba17d3f9358c13df7311e94d0696ebc49d28ef344fca6db0c5a2ca918ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a41db0895da95adfc5f7349b57f9ba72

SHA1
a4596c313bcf7e0af4826f49c36f51577f723ea1

SHA256
38946edacdb0f2eb3b6e1243e5833fabd7485237120f3897536cf0ca99fb1014

SHA512
d17f0b37d18276c6b73aefb29d83ffa7dfa2b916cd533747067a751f6a25035c7d68be5a7d6699ed7d651ca875b69f0e78c90852c2cd7a8d13339078f843381a

Download Submit
C:\Windows\System32\NlsData0049\dllhost.exe

Filesize
2.5MB

MD5
6c90c4e67946d872179c3d810e480bdb

SHA1
a150417db1d81e4e306c600f732d664ee9077560

SHA256
368f3369535c827df3d815b30a565329be194d7ec1fc83e07e18ecd0364c50db

SHA512
181320bcba05b1dda8e68d6115e480f81022e67143997b4a5dfa04c3f547198c8bb27786dd8817b15a14832920a520074ba884f134c8de8faded51dceb23e8c8

Download Submit
C:\Windows\System32\xmlprovi\services.exe

Filesize
2.5MB

MD5
7683805a0aee0a48e2cdf1e23701afbb

SHA1
3b6608913d9a61d204aede00587dcb754ef33441

SHA256
1c67225edab117e39fedfe902eab03c1f8142d0df3b14162be1bb174b0a5a484

SHA512
7d529f021533b132b9825d3b541304afcdd68db702321652eee8572d236612ee41e517f95e06aaf10f544439a629fd7d2c351a69f7dc5754b47684b157d1a9f9

Download Submit
memory/672-264-0x0000000000800000-0x0000000000A86000-memory.dmp

Filesize
2.5MB

Download
memory/672-265-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1164-215-0x0000000001320000-0x00000000015A6000-memory.dmp

Filesize
2.5MB

Download
memory/1164-216-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1604-239-0x00000000002C0000-0x0000000000546000-memory.dmp

Filesize
2.5MB

Download
memory/1604-240-0x0000000002430000-0x0000000002486000-memory.dmp

Filesize
344KB

Download
memory/1764-252-0x0000000000150000-0x00000000003D6000-memory.dmp

Filesize
2.5MB

Download
memory/1952-190-0x0000000000210000-0x0000000000496000-memory.dmp

Filesize
2.5MB

Download
memory/2052-202-0x0000000000F50000-0x00000000011D6000-memory.dmp

Filesize
2.5MB

Download
memory/2052-203-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/2252-166-0x0000000000780000-0x00000000007D6000-memory.dmp

Filesize
344KB

Download
memory/2252-162-0x00000000011D0000-0x0000000001456000-memory.dmp

Filesize
2.5MB

Download
memory/2564-13-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2564-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2564-165-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-1-0x0000000000CE0000-0x0000000000F66000-memory.dmp

Filesize
2.5MB

Download
memory/2564-2-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-3-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/2564-115-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-38-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2564-16-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2564-15-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2564-14-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2564-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2564-12-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2564-4-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2564-10-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2564-9-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2564-8-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2564-7-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2564-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2684-178-0x0000000002200000-0x0000000002256000-memory.dmp

Filesize
344KB

Download
memory/2684-177-0x0000000000220000-0x00000000004A6000-memory.dmp

Filesize
2.5MB

Download
memory/2808-277-0x0000000000B60000-0x0000000000DE6000-memory.dmp

Filesize
2.5MB

Download
memory/2808-278-0x0000000000410000-0x0000000000466000-memory.dmp

Filesize
344KB

Download
memory/3032-164-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/3032-163-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download