dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Size

2.5MB
MD5

3dbf7d9fdfd5a0151f1003095ba9655c
SHA1

4f5de06a720298a5e32660fd0f56733ad611060f
SHA256

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26
SHA512

3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef
SSDEEP

49152:qGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:qGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2844	schtasks.exe
2036	schtasks.exe
2724	schtasks.exe
2736	schtasks.exe
3068	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2836	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
2712	powershell.exe
3000	powershell.exe
2976	powershell.exe
2908	powershell.exe
2916	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
876	smss.exe
1672	smss.exe
2732	smss.exe
2060	smss.exe
2796	smss.exe
1964	smss.exe
2440	smss.exe
1224	smss.exe
760	smss.exe
1728	smss.exe
1200	smss.exe
1948	smss.exe
1888	smss.exe
1312	smss.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Favorites\\spoolsv.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\mfps\\lsass.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\NlsData004a\\smss.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\C_28592\\lsass.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\mfps\RCXB89B.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\NlsData004a\RCXBB1E.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\C_28592\RCXBD31.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\C_28592\lsass.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\mfps\RCXB89C.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\mfps\lsass.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\NlsData004a\smss.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\C_28592\RCXBD32.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\C_28592\lsass.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\mfps\6203df4a6bafc7	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\NlsData004a\69ddcba757bf72	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\C_28592\6203df4a6bafc7	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\NlsData004a\RCXBB1D.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\mfps\lsass.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\NlsData004a\smss.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
3068	schtasks.exe
2844	schtasks.exe
2036	schtasks.exe
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2712	powershell.exe
2908	powershell.exe
2976	powershell.exe
3000	powershell.exe
2916	powershell.exe
2848	powershell.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
876	smss.exe
1672	smss.exe
1672	smss.exe
1672	smss.exe
1672	smss.exe
1672	smss.exe
1672	smss.exe
1672	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	876	smss.exe
Token: SeDebugPrivilege	1672	smss.exe
Token: SeDebugPrivilege	2732	smss.exe
Token: SeDebugPrivilege	2060	smss.exe
Token: SeDebugPrivilege	2796	smss.exe
Token: SeDebugPrivilege	1964	smss.exe
Token: SeDebugPrivilege	2440	smss.exe
Token: SeDebugPrivilege	1224	smss.exe
Token: SeDebugPrivilege	760	smss.exe
Token: SeDebugPrivilege	1728	smss.exe
Token: SeDebugPrivilege	1200	smss.exe
Token: SeDebugPrivilege	1948	smss.exe
Token: SeDebugPrivilege	1888	smss.exe
Token: SeDebugPrivilege	1312	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2848	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2548 wrote to memory of 2848	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2548 wrote to memory of 2848	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2548 wrote to memory of 2712	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2548 wrote to memory of 2712	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2548 wrote to memory of 2712	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2548 wrote to memory of 2976	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2548 wrote to memory of 2976	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2548 wrote to memory of 2976	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2548 wrote to memory of 3000	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2548 wrote to memory of 3000	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2548 wrote to memory of 3000	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2548 wrote to memory of 2908	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	41
PID 2548 wrote to memory of 2908	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	41
PID 2548 wrote to memory of 2908	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	41
PID 2548 wrote to memory of 2916	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	42
PID 2548 wrote to memory of 2916	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	42
PID 2548 wrote to memory of 2916	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	42
PID 2548 wrote to memory of 2356	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	48
PID 2548 wrote to memory of 2356	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	48
PID 2548 wrote to memory of 2356	2548	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	48
PID 2356 wrote to memory of 2384	2356	cmd.exe	50
PID 2356 wrote to memory of 2384	2356	cmd.exe	50
PID 2356 wrote to memory of 2384	2356	cmd.exe	50
PID 2356 wrote to memory of 876	2356	cmd.exe	52
PID 2356 wrote to memory of 876	2356	cmd.exe	52
PID 2356 wrote to memory of 876	2356	cmd.exe	52
PID 876 wrote to memory of 1204	876	smss.exe	53
PID 876 wrote to memory of 1204	876	smss.exe	53
PID 876 wrote to memory of 1204	876	smss.exe	53
PID 876 wrote to memory of 344	876	smss.exe	54
PID 876 wrote to memory of 344	876	smss.exe	54
PID 876 wrote to memory of 344	876	smss.exe	54
PID 1204 wrote to memory of 1672	1204	WScript.exe	55
PID 1204 wrote to memory of 1672	1204	WScript.exe	55
PID 1204 wrote to memory of 1672	1204	WScript.exe	55
PID 1672 wrote to memory of 2840	1672	smss.exe	56
PID 1672 wrote to memory of 2840	1672	smss.exe	56
PID 1672 wrote to memory of 2840	1672	smss.exe	56
PID 1672 wrote to memory of 2736	1672	smss.exe	57
PID 1672 wrote to memory of 2736	1672	smss.exe	57
PID 1672 wrote to memory of 2736	1672	smss.exe	57
PID 2840 wrote to memory of 2732	2840	WScript.exe	58
PID 2840 wrote to memory of 2732	2840	WScript.exe	58
PID 2840 wrote to memory of 2732	2840	WScript.exe	58
PID 2732 wrote to memory of 760	2732	smss.exe	59
PID 2732 wrote to memory of 760	2732	smss.exe	59
PID 2732 wrote to memory of 760	2732	smss.exe	59
PID 2732 wrote to memory of 2956	2732	smss.exe	60
PID 2732 wrote to memory of 2956	2732	smss.exe	60
PID 2732 wrote to memory of 2956	2732	smss.exe	60
PID 760 wrote to memory of 2060	760	WScript.exe	61
PID 760 wrote to memory of 2060	760	WScript.exe	61
PID 760 wrote to memory of 2060	760	WScript.exe	61
PID 2060 wrote to memory of 2580	2060	smss.exe	62
PID 2060 wrote to memory of 2580	2060	smss.exe	62
PID 2060 wrote to memory of 2580	2060	smss.exe	62
PID 2060 wrote to memory of 280	2060	smss.exe	63
PID 2060 wrote to memory of 280	2060	smss.exe	63
PID 2060 wrote to memory of 280	2060	smss.exe	63
PID 2580 wrote to memory of 2796	2580	WScript.exe	64
PID 2580 wrote to memory of 2796	2580	WScript.exe	64
PID 2580 wrote to memory of 2796	2580	WScript.exe	64
PID 2796 wrote to memory of 984	2796	smss.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
"C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Favorites\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfps\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData004a\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_28592\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqWesVGraS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2384
- - C:\Windows\System32\NlsData004a\smss.exe
    "C:\Windows\System32\NlsData004a\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b36dadc-38e3-4927-a5a7-0495b5fd6856.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8384bdd7-2ae8-402a-b501-5481f7463947.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f1c705-6f20-4275-b174-97756fda852e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0df96364-4150-4dcb-9d0b-950654f4164f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bede6833-eb13-4ce0-8395-d5a475da399b.vbs"
        12⤵
        
        PID:984
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a0f98d-c0d1-4fc6-98d9-8b757f6182e4.vbs"
        14⤵
        
        PID:1020
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e0d5ce0-fec6-4e63-8ead-c6710a4fec54.vbs"
        16⤵
        
        PID:1788
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697eb767-b564-461b-8c9d-91b5f754a240.vbs"
        18⤵
        
        PID:2148
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34a7a8c9-a8e6-48fe-a365-8ad5daeb6a1d.vbs"
        20⤵
        
        PID:2788
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17e386dc-fb3f-476b-b3b0-3eb14ca3447c.vbs"
        22⤵
        
        PID:324
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33679443-b019-489d-ad76-6c7986430986.vbs"
        24⤵
        
        PID:2816
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25378a40-d01c-4531-b16e-2410cc71d0b0.vbs"
        26⤵
        
        PID:1348
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2673c3fb-a9e8-4acc-ae76-342a72d05c16.vbs"
        28⤵
        
        PID:944
        
        C:\Windows\System32\NlsData004a\smss.exe
        
        C:\Windows\System32\NlsData004a\smss.exe
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b917769-17a9-4e26-8ea0-beec8fc5a4f8.vbs"
        30⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31436c6e-34a8-49fa-91ca-3c04125dac2b.vbs"
        30⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85818727-30c5-4b73-aa56-464e1d758a7e.vbs"
        28⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8eeb31a-61d1-4352-8738-9b33fe84709c.vbs"
        26⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3e0bd9b-b8c3-452b-ac41-4da77dce1403.vbs"
        24⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\140b7af4-b7e7-49b6-98a4-6e185edbdb78.vbs"
        22⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\191eabfb-f579-4465-9682-954bc97a7efc.vbs"
        20⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1033c6-2dea-4edf-9def-78fa004babf2.vbs"
        18⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0aaa466-c8df-4061-b108-3c2caa492631.vbs"
        16⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcfe05f2-bb80-4fa5-b94e-3870062526ad.vbs"
        14⤵
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426e8850-8d32-49e7-a778-1b7afe473b0b.vbs"
        12⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98ebecaa-eecf-4ae1-9650-e0f20e5480b7.vbs"
        10⤵
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\395ba391-3d8d-4781-b46c-e302d3cd27e0.vbs"
        8⤵
        
        PID:2956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0ab0f9b-8717-4cff-9979-0cc3532d7d3c.vbs"
        6⤵
        
        PID:2736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1390754-0f23-4044-98ee-a07c426fb083.vbs"
      4⤵
      PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\mfps\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\NlsData004a\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\C_28592\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0df96364-4150-4dcb-9d0b-950654f4164f.vbs

Filesize
716B

MD5
9b27e2c97e0a0cd1e1f9ea29d271ab33

SHA1
6e823343c7bf31b3cae4f9ecfa827c70e0910d3b

SHA256
803158d248a7eb4513722e3b06de95a92f5cbbfefcf02b76a18b1c0ebca5a852

SHA512
b8aeb7314db701aced4e4a353456df2c8cf4b54457e668a1758143d5343f24fb4cb997a4dc653e2a4a27f09d35130baa1868bd3fceaa3793acdd173f6492d5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\17e386dc-fb3f-476b-b3b0-3eb14ca3447c.vbs

Filesize
716B

MD5
b7730b232d92a9f22b5e42d0c269e801

SHA1
86168c1a6558d0415d2acb469863bf5d59be9292

SHA256
f4757c967a8d38bc6f9fbce41b573ac8491b7e0571ae5ea659dc0edf1d4ee8b3

SHA512
37af9e278f23abc07c32f2676349a653a2482e76aa96e38dcee368ec35aa4a6d3ebe7aa3efba23e11748fa18828fae2a452e051222afd04a98eb4ff2b49b5b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\25378a40-d01c-4531-b16e-2410cc71d0b0.vbs

Filesize
716B

MD5
38b30c07a7d6b6cc80f25fab96a0e8c8

SHA1
7c4ef2f57be1dd1888166d6006dd0f4ef6571988

SHA256
e3fb3499c0b8f3f7230cd4abefc22e74c9d2f7f22f89a3331a242d3a852ee36e

SHA512
cff95747b14a96dd54c32be3a255887a736a480b11767ad2e4b1db216db79f37ec45f4a074d63320dd6938c3a8018dc2f67c965750d0f2e1b32945aa62050121

Download Submit
C:\Users\Admin\AppData\Local\Temp\2673c3fb-a9e8-4acc-ae76-342a72d05c16.vbs

Filesize
716B

MD5
fd51440030ccceed2200a813d4c7cfb7

SHA1
97221b5ab0df0e6ae1ccee1c54a1b7e2d4bbe2ce

SHA256
e8df15ad60a37381c43e9b1b0020efc932bd7946c42627d004e21f7086b925fb

SHA512
a328fe7f8b4c1edcbc9e17822001ee848a22e4e395f1b2ca04c300f2b1165fb985f562c7867f805678d5f38ef4e80cf759e09c641221105a53ee1e8b2c882714

Download Submit
C:\Users\Admin\AppData\Local\Temp\33679443-b019-489d-ad76-6c7986430986.vbs

Filesize
716B

MD5
70bdb3b1100810b7535e44257846c49c

SHA1
ea2c4d4f047df05c2a40dae9310e2271a26ddb76

SHA256
639036003d50b1e9e8f4dcbefaa3a3164b58abad0a84a85d623cdb3c18ad8487

SHA512
860a9cdbd9b4ce8d216a8592e5b7337793a6eddac23d1d686f83982a901737fd66efedcd3ee00b55fec272662ead46ea6c9fc039a9cc4f256a26cbb74bb6b114

Download Submit
C:\Users\Admin\AppData\Local\Temp\34a7a8c9-a8e6-48fe-a365-8ad5daeb6a1d.vbs

Filesize
715B

MD5
6ec8a4114a8e930e30e7c1e0b7a0baed

SHA1
48b58944213dba282bd52999a6d223afcf6d9efd

SHA256
f842d2955a334a595ccbc1b4dac6dd1046c93bda7cfb7baa5e784c5fbe436f8e

SHA512
e0301074e8f6c963c6540775b1a64158263896d976dd37b81a781d0f96506ea4f92ad27eb636d7b9d8060d3d268d01efc000a189519f3de301cea499509d77c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\43a0f98d-c0d1-4fc6-98d9-8b757f6182e4.vbs

Filesize
716B

MD5
993fd6da05771bd154b1a842a76cac28

SHA1
5146ae7f08eb60e2a3747b08dd21cdbe4877ccc3

SHA256
036dbeaea2a35c32f028c33efc0ae93db025e6bd83c7a278a6a79ca093fabf3b

SHA512
38f861e7530027788c2a8924e8b50713aeefc3317026bbf3707f26e3ed6c30a15bc1d27495d7f16f2c9817fc51e3e495368845c9f9e8b6e17f3b0f52a8c7100b

Download Submit
C:\Users\Admin\AppData\Local\Temp\697eb767-b564-461b-8c9d-91b5f754a240.vbs

Filesize
716B

MD5
0116b49134630d6c8a1d816de8ba33ad

SHA1
17fdcdb4af55c8e3b76e089b8b909e22c6e2ba63

SHA256
ad380ac76d1b26a659dd3f92aa0801771db14dcae0e20909758ec7c27c33191d

SHA512
c149e02707899817023400042be82ab4819a9ad0346ac1a4b02029683c6bbc0595ccd596fba86147797437fd832c6ec25906af87a5670d708c77b8c5fcf60f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e0d5ce0-fec6-4e63-8ead-c6710a4fec54.vbs

Filesize
716B

MD5
a73576e28fd7c7820075378eb782ba84

SHA1
f750cc7c8719861a39c9da1ad412dd224e4dde8b

SHA256
905ac7e72cbe8d359b2a291b87246c8d33299dda40039813c282712215113d9f

SHA512
05d5f4810d483f60d8aaae033c80e1064b3a978f959bfeb4c7258e2308bc093ec00cf7be2600eb1e959490c0046ec23a83ac7cd0891f0e2427e4fdd7239a9109

Download Submit
C:\Users\Admin\AppData\Local\Temp\8384bdd7-2ae8-402a-b501-5481f7463947.vbs

Filesize
716B

MD5
f975b10b440014969651d63664cee884

SHA1
cb7261d111f36e979afb3cd993aa7a910558a069

SHA256
b12bf158490673fc71a245acb41fcbf4e55c022f6a65f311b5766fe9f8c0c4c4

SHA512
cd17d7a1cb8e6b2af46fffa238500b6215f6c2839efe9dc3bcdb4a85246a4cf9ff746b05d30cea0a8c2593f0564117af3244cc4a7187f855f3d1bd2583e7dc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b36dadc-38e3-4927-a5a7-0495b5fd6856.vbs

Filesize
715B

MD5
da6e775775afb53b9ac296799d0e1bf8

SHA1
b9b12030e46402781e40028d4c2028cf44417743

SHA256
04eb015fc7ef46ff9d27b5dbb88f20c86f80addfc4a89528f68e4b783ea111ab

SHA512
f90ad74f07a23780d9723eb2223fe59497da051002e37e9297480be3fe730f712a667b02298170138267d8603506724e0cbd1298473a28f48f4c61a8512c87b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b917769-17a9-4e26-8ea0-beec8fc5a4f8.vbs

Filesize
716B

MD5
568b8b0090bfbd99498cf43d3f9dd29a

SHA1
dd787fec9cc484a8961653fc4433b10e10fa68d6

SHA256
61286771e8a037e0d4f770611d8c9e3cb3c587fd0eba8515c305dfa06a313b79

SHA512
a9d0e5d5d1451cd938b4f16189984a492507b9b4e02456f3fc226c75626fac64129ff53d109336ac79f650a9b49ad378c90e1f12f5e1f151b973bb9b34bdfdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqWesVGraS.bat

Filesize
204B

MD5
80ee9796ccdd50bfda8f0307dcf0a788

SHA1
b32d29d2a69f23c628e727cc0bc209b6af5b4e90

SHA256
eb36b98aa4b9118174e3320d65fefd702413945e52135879cf23060a7e72446b

SHA512
34810f01b1f685490e3b168508ecf22fcdc4e5d0de14bbc6c81bdfcf4963cdddd2741f921259199d37830332e52667d86a6ccb2656fe68d35aae0c347bb56f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bede6833-eb13-4ce0-8395-d5a475da399b.vbs

Filesize
716B

MD5
087fe69b99b1855a22e10dfd3d566f5b

SHA1
ceebb2797ed41fb6acbffb24b3552c3119442830

SHA256
ef59cabeb22fe528bef49980dd00c1abfe843788f29922bfedf665db3a69f84a

SHA512
1948bd97f00d2685f61737899094edaf4bd01f5e806c02bedd2a18fac427d3f507d39f202f43c0d30f175928f24389c9265b939cbf18089fb1abf3b6ae3d34e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1390754-0f23-4044-98ee-a07c426fb083.vbs

Filesize
492B

MD5
6313e0400d1f8888e7c1a7cfd315b25d

SHA1
d243e4062a12fbff1fe13310bec91a70cabde9d3

SHA256
ce363328c379e1ceff2b66a282abb736aa81ba9a17bf46593ee860e98f4fef80

SHA512
f16950937e638898f3cd8902282e5b507dba639756f07cb5de9ba364fcb78981d9f8312493040fd372e7b955ec92912ea1e4b7a2d6277af9e34198047f436f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9f1c705-6f20-4275-b174-97756fda852e.vbs

Filesize
716B

MD5
a189415bd35677c2ed71bf67c1056191

SHA1
7e0353bb3993d38b6a62f58bf43677a57a46c69f

SHA256
053b9939e99b4daad6f369d59dc8e7505e2062d8f2875edde02f3524d37146e1

SHA512
05596d760e2b656ea05ec1f74911d541ef3424c3e50b865a9d9d9d90039be20088aa66d867aed642b954fa0fd036aa4715cf8ac98a10f304775c871a5b0b5150

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7fd00c065916d7ce902a274def58bf40

SHA1
b1e10809eb9d9a49024f6a9243f9dc050da6850a

SHA256
f463f46076fbde837b63cc3762559b5abba65542e1f5c23456982e22b6cb30c5

SHA512
72361144a3879f9a2ae0e0eca2e18483621596c189f1a5f71cc64b94298f59ff7c27905b92d204cd1566ea781ec862254d450ad3bcd78d5fa47012abb675a212

Download Submit
C:\Users\Public\Favorites\spoolsv.exe

Filesize
2.5MB

MD5
380055b718f9fcdc475f9fa74b56eeb9

SHA1
91d77a4186c731551b53c24db9432ffeef543270

SHA256
95b4bea74c84bd248d356123a31f0ae821987fd249e528a2013793d5c3a4a48a

SHA512
e256cec363e9b01e798f08d70af82e4640975b05284ff4bd88c2e7b513f061c163dd92419de886ad17af2cb4709b5d6decb7a6daafd499600e04974e8f3a646a

Download Submit
C:\Windows\System32\C_28592\lsass.exe

Filesize
2.5MB

MD5
3dbf7d9fdfd5a0151f1003095ba9655c

SHA1
4f5de06a720298a5e32660fd0f56733ad611060f

SHA256
86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26

SHA512
3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef

Download Submit
memory/876-128-0x0000000000C70000-0x0000000000EF6000-memory.dmp

Filesize
2.5MB

Download
memory/876-129-0x0000000002420000-0x0000000002476000-memory.dmp

Filesize
344KB

Download
memory/876-130-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1200-245-0x0000000001350000-0x00000000015D6000-memory.dmp

Filesize
2.5MB

Download
memory/1312-281-0x00000000008C0000-0x0000000000916000-memory.dmp

Filesize
344KB

Download
memory/1312-280-0x00000000003F0000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1672-141-0x0000000001210000-0x0000000001496000-memory.dmp

Filesize
2.5MB

Download
memory/1888-268-0x00000000003E0000-0x0000000000666000-memory.dmp

Filesize
2.5MB

Download
memory/1964-188-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2060-164-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/2440-200-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2548-6-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2548-93-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-13-0x000000001AD80000-0x000000001AD8A000-memory.dmp

Filesize
40KB

Download
memory/2548-10-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2548-1-0x0000000000E20000-0x00000000010A6000-memory.dmp

Filesize
2.5MB

Download
memory/2548-11-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/2548-14-0x000000001AD70000-0x000000001AD7C000-memory.dmp

Filesize
48KB

Download
memory/2548-9-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2548-15-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/2548-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2548-7-0x0000000000570000-0x00000000005C6000-memory.dmp

Filesize
344KB

Download
memory/2548-12-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/2548-5-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2548-0-0x000007FEF64F3000-0x000007FEF64F4000-memory.dmp

Filesize
4KB

Download
memory/2548-4-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2548-3-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2548-16-0x000000001AEA0000-0x000000001AEAA000-memory.dmp

Filesize
40KB

Download
memory/2548-2-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-104-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2712-103-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-176-0x00000000004A0000-0x00000000004F6000-memory.dmp

Filesize
344KB

Download