Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.2MB

  • MD5

    3e821d4b4af33a23f64c69db57770955

  • SHA1

    019742e345c39bd10f6c9bc4c1af4c2e94a5fca0

  • SHA256

    5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04

  • SHA512

    6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160

  • SSDEEP

    24576:U2G/nvxW3Ww0teLTGJTb/Ka2FVx0Q5eRvuiNLzrejv:UbA30yTGF/KvVd5eTNS7

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 32 IoCs
    persistence
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\BridgeWin\containerRuntime.exe
          "C:\BridgeWin\containerRuntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\access_output\SppExtComObj.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WaaSMedicAgent.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\upfc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4756
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xGjpCn5Cps.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4364
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:5324
              • C:\Recovery\WindowsRE\Idle.exe
                "C:\Recovery\WindowsRE\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:5824
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4760
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WaaSMedicAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\de-DE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4296

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\BridgeWin\kBRJ5zb6pFGWil.bat
      Filesize

      35B

      MD5

      064d44ddf49217a25ad5ec14b334e0f8

      SHA1

      092f4a63df14672e90e8001a9bb6000315fb29d6

      SHA256

      a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4

      SHA512

      342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb

      Download Submit
    • C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe
      Filesize

      200B

      MD5

      c33c80ec8b8c3cdef3f528ea621be889

      SHA1

      10b010cc2b37daf6fd01031c4d2af8d684cc6953

      SHA256

      a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc

      SHA512

      d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af

      Download Submit
    • C:\Recovery\WindowsRE\Idle.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\Recovery\WindowsRE\Idle.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      aaaac7c68d2b7997ed502c26fd9f65c2

      SHA1

      7c5a3731300d672bf53c43e2f9e951c745f7fbdf

      SHA256

      8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

      SHA512

      c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      aaaac7c68d2b7997ed502c26fd9f65c2

      SHA1

      7c5a3731300d672bf53c43e2f9e951c745f7fbdf

      SHA256

      8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

      SHA512

      c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      22fbec4acba323d04079a263526cef3c

      SHA1

      eb8dd0042c6a3f20087a7d2391eaf48121f98740

      SHA256

      020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

      SHA512

      fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      17fbfbe3f04595e251287a6bfcdc35de

      SHA1

      b576aabfd5e6d5799d487011506ed1ae70688987

      SHA256

      2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

      SHA512

      449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      17fbfbe3f04595e251287a6bfcdc35de

      SHA1

      b576aabfd5e6d5799d487011506ed1ae70688987

      SHA256

      2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

      SHA512

      449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      17fbfbe3f04595e251287a6bfcdc35de

      SHA1

      b576aabfd5e6d5799d487011506ed1ae70688987

      SHA256

      2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

      SHA512

      449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xGjpCn5Cps.bat
      Filesize

      195B

      MD5

      dcebd13e2a6e297069a9cb15a9a077ef

      SHA1

      f14a4aa6d345da5b469159a2919c6f5aff2b3965

      SHA256

      a9f977629ad225c627116f1cee8c787fa35af8a61fa7989877438cff14dee2ac

      SHA512

      800586a667daf618e2c48f9896c191d41663796a7b5ad909debcd9ac6e1b51d26538a020d5e36d844f172c94e89acdc233c745cf02d8990b2f460f24d8b23ebc

      Download Submit
    • memory/924-159-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/924-157-0x000002AA0AF70000-0x000002AA0AF92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/924-185-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/924-141-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-194-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1016-162-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1016-142-0x0000000000000000-mapping.dmp
      Download
    • memory/1036-161-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1036-182-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1036-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1272-216-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1272-181-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1272-158-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-139-0x00000000009C0000-0x0000000000AB0000-memory.dmp
      Filesize

      960KB

      Download
    • memory/2028-140-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2028-167-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2028-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2256-164-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2256-144-0x0000000000000000-mapping.dmp
      Download
    • memory/2256-199-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2664-180-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2664-217-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2664-156-0x0000000000000000-mapping.dmp
      Download
    • memory/2916-171-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2916-203-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2916-149-0x0000000000000000-mapping.dmp
      Download
    • memory/3596-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3596-168-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3596-197-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3692-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3692-166-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3692-196-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3988-174-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3988-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3988-208-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4148-187-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4148-160-0x0000000000000000-mapping.dmp
      Download
    • memory/4148-176-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4268-198-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4268-151-0x0000000000000000-mapping.dmp
      Download
    • memory/4268-172-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4272-189-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4272-165-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4272-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4364-163-0x0000000000000000-mapping.dmp
      Download
    • memory/4564-169-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4564-205-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4564-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4692-178-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4692-152-0x0000000000000000-mapping.dmp
      Download
    • memory/4692-211-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4736-150-0x0000000000000000-mapping.dmp
      Download
    • memory/4736-204-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4736-170-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4756-175-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4756-155-0x0000000000000000-mapping.dmp
      Download
    • memory/4756-210-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4760-179-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4760-213-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4760-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4916-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4932-135-0x0000000000000000-mapping.dmp
      Download
    • memory/5324-177-0x0000000000000000-mapping.dmp
      Download
    • memory/5824-218-0x0000000000000000-mapping.dmp
      Download
    • memory/5824-221-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5824-222-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp
      Filesize

      10.8MB

      Download