dcrat | 08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a58202c976291d628df312bcd090e5e.exe
Size

1.1MB
MD5

0a58202c976291d628df312bcd090e5e
SHA1

d8b5759fde291c74e38a405c1dcc1f6cfa22fa63
SHA256

08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7
SHA512

e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd
SSDEEP

12288:El+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:Zyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	180	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3504	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3504	schtasks.exe	87

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2208-0-0x0000000000740000-0x0000000000860000-memory.dmp	dcrat
behavioral2/files/0x0008000000023081-17.dat	dcrat
behavioral2/files/0x00080000000224f3-130.dat	dcrat
behavioral2/files/0x0008000000023081-349.dat	dcrat
behavioral2/files/0x0008000000023081-350.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	0a58202c976291d628df312bcd090e5e.exe

Executes dropped EXE 1 IoCs

pid	Process
5656	backgroundTaskHost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\9e8d7a4ca61bd9	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXEA91.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFDCC.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX1E4.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX1F4.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\backgroundTaskHost.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\WindowsPowerShell\Modules\eddb19405b7ce1	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\9e8d7a4ca61bd9	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXF81B.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\WindowsPowerShell\Modules\backgroundTaskHost.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\RuntimeBroker.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXEAB1.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFDAC.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RuntimeBroker.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXF80A.tmp	0a58202c976291d628df312bcd090e5e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\936ce0a08db208	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXEF19.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXEF2A.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3948	schtasks.exe
2164	schtasks.exe
4268	schtasks.exe
3920	schtasks.exe
548	schtasks.exe
700	schtasks.exe
848	schtasks.exe
3356	schtasks.exe
2100	schtasks.exe
1424	schtasks.exe
180	schtasks.exe
776	schtasks.exe
920	schtasks.exe
4740	schtasks.exe
4392	schtasks.exe
4448	schtasks.exe
2160	schtasks.exe
3180	schtasks.exe
3988	schtasks.exe
632	schtasks.exe
1712	schtasks.exe
2084	schtasks.exe
4224	schtasks.exe
4028	schtasks.exe
4812	schtasks.exe
4824	schtasks.exe
1500	schtasks.exe
2912	schtasks.exe
4928	schtasks.exe
644	schtasks.exe
4400	schtasks.exe
4292	schtasks.exe
3024	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	0a58202c976291d628df312bcd090e5e.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2208	0a58202c976291d628df312bcd090e5e.exe
2216	powershell.exe
2216	powershell.exe
2664	powershell.exe
2664	powershell.exe
4292	powershell.exe
4292	powershell.exe
3136	powershell.exe
3136	powershell.exe
4392	powershell.exe
4392	powershell.exe
576	powershell.exe
576	powershell.exe
628	powershell.exe
628	powershell.exe
180	powershell.exe
180	powershell.exe
1164	powershell.exe
1164	powershell.exe
3828	powershell.exe
3828	powershell.exe
1424	powershell.exe
1424	powershell.exe
848	powershell.exe
848	powershell.exe
3136	powershell.exe
2216	powershell.exe
4392	powershell.exe
3828	powershell.exe
2664	powershell.exe
628	powershell.exe
4292	powershell.exe
576	powershell.exe
1424	powershell.exe
848	powershell.exe
1164	powershell.exe
180	powershell.exe
5656	backgroundTaskHost.exe
5656	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	0a58202c976291d628df312bcd090e5e.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	5656	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4392	2208	0a58202c976291d628df312bcd090e5e.exe	125
PID 2208 wrote to memory of 4392	2208	0a58202c976291d628df312bcd090e5e.exe	125
PID 2208 wrote to memory of 2216	2208	0a58202c976291d628df312bcd090e5e.exe	148
PID 2208 wrote to memory of 2216	2208	0a58202c976291d628df312bcd090e5e.exe	148
PID 2208 wrote to memory of 628	2208	0a58202c976291d628df312bcd090e5e.exe	147
PID 2208 wrote to memory of 628	2208	0a58202c976291d628df312bcd090e5e.exe	147
PID 2208 wrote to memory of 4292	2208	0a58202c976291d628df312bcd090e5e.exe	146
PID 2208 wrote to memory of 4292	2208	0a58202c976291d628df312bcd090e5e.exe	146
PID 2208 wrote to memory of 1424	2208	0a58202c976291d628df312bcd090e5e.exe	145
PID 2208 wrote to memory of 1424	2208	0a58202c976291d628df312bcd090e5e.exe	145
PID 2208 wrote to memory of 576	2208	0a58202c976291d628df312bcd090e5e.exe	144
PID 2208 wrote to memory of 576	2208	0a58202c976291d628df312bcd090e5e.exe	144
PID 2208 wrote to memory of 1164	2208	0a58202c976291d628df312bcd090e5e.exe	143
PID 2208 wrote to memory of 1164	2208	0a58202c976291d628df312bcd090e5e.exe	143
PID 2208 wrote to memory of 180	2208	0a58202c976291d628df312bcd090e5e.exe	142
PID 2208 wrote to memory of 180	2208	0a58202c976291d628df312bcd090e5e.exe	142
PID 2208 wrote to memory of 2664	2208	0a58202c976291d628df312bcd090e5e.exe	141
PID 2208 wrote to memory of 2664	2208	0a58202c976291d628df312bcd090e5e.exe	141
PID 2208 wrote to memory of 848	2208	0a58202c976291d628df312bcd090e5e.exe	140
PID 2208 wrote to memory of 848	2208	0a58202c976291d628df312bcd090e5e.exe	140
PID 2208 wrote to memory of 3828	2208	0a58202c976291d628df312bcd090e5e.exe	132
PID 2208 wrote to memory of 3828	2208	0a58202c976291d628df312bcd090e5e.exe	132
PID 2208 wrote to memory of 3136	2208	0a58202c976291d628df312bcd090e5e.exe	127
PID 2208 wrote to memory of 3136	2208	0a58202c976291d628df312bcd090e5e.exe	127
PID 2208 wrote to memory of 2844	2208	0a58202c976291d628df312bcd090e5e.exe	150
PID 2208 wrote to memory of 2844	2208	0a58202c976291d628df312bcd090e5e.exe	150
PID 2844 wrote to memory of 2528	2844	cmd.exe	152
PID 2844 wrote to memory of 2528	2844	cmd.exe	152
PID 2844 wrote to memory of 5656	2844	cmd.exe	155
PID 2844 wrote to memory of 5656	2844	cmd.exe	155

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a58202c976291d628df312bcd090e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0a58202c976291d628df312bcd090e5e.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q9ioHZo225.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2528
- - C:\odt\backgroundTaskHost.exe
    "C:\odt\backgroundTaskHost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\ja-JP\0a58202c976291d628df312bcd090e5e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
18f9595eb7e05c17f74f6ad1b88bdcd9

SHA1
243446141a031b8ac0f85f5756cf782e92ad972d

SHA256
9c12a527d7e71d80aba8b404c4aa53781d87f58fcf031e081d15af40bf5dbd08

SHA512
c56bfc4f4ddb111f557fd19039ca3cb2f2fe744477d82a54b1f3b02f0099826898b20a4f7ec589ceac09b00eec07f3c7491e8fbcd2b64cf94ec9809538238d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crdelmvx.ers.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q9ioHZo225.bat

Filesize
194B

MD5
ad9dcfa5bd27d4694b2a646169beda76

SHA1
305060cd5e236527f6627bf5bf8a77061c1d593a

SHA256
d27e0a6bdd35da053cef0aca3f086435d263333dd03f4096c6b08e07911a7ede

SHA512
f4b1e4d0b0276f4cfe60f261783f706fc2a7b4ca7469f60f5ae38e30bc883e5c2f0d49402a5cf748d7bb0e48d4523f2e479acbc831d2522196051976ba121ba9

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\odt\explorer.exe

Filesize
1.1MB

MD5
f37640046c2da44ad24a3eab157d5a75

SHA1
6cb99334213f1d4fcf979e2bb00f73b6e8ba6f62

SHA256
d0c6b06c0920b9af2a444f8225b352bacbb1f40e88b4210a2f751c93a40e96c6

SHA512
ae84d1f66e10bb00a891745c670ebc7d0d0d5e883ab2ef2c3f26cccb2a0249e18d1d0fdbebba4b120b6e3dfdc689a454410c52b25366a7c6beb3168b9ea26142

Download Submit
memory/180-312-0x0000021E73210000-0x0000021E73220000-memory.dmp

Filesize
64KB

Download
memory/180-304-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/180-338-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/576-343-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/576-316-0x00000204BD110000-0x00000204BD120000-memory.dmp

Filesize
64KB

Download
memory/576-300-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/628-339-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/628-309-0x000001F777D50000-0x000001F777D60000-memory.dmp

Filesize
64KB

Download
memory/628-173-0x000001F777D90000-0x000001F777DB2000-memory.dmp

Filesize
136KB

Download
memory/628-299-0x000001F777D50000-0x000001F777D60000-memory.dmp

Filesize
64KB

Download
memory/628-297-0x000001F777D50000-0x000001F777D60000-memory.dmp

Filesize
64KB

Download
memory/628-295-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/848-296-0x0000018E13220000-0x0000018E13230000-memory.dmp

Filesize
64KB

Download
memory/848-311-0x0000018E13220000-0x0000018E13230000-memory.dmp

Filesize
64KB

Download
memory/848-298-0x0000018E13220000-0x0000018E13230000-memory.dmp

Filesize
64KB

Download
memory/848-294-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-305-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-314-0x0000015F76920000-0x0000015F76930000-memory.dmp

Filesize
64KB

Download
memory/1164-345-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-302-0x0000015F76920000-0x0000015F76930000-memory.dmp

Filesize
64KB

Download
memory/1424-292-0x00000170DD770000-0x00000170DD780000-memory.dmp

Filesize
64KB

Download
memory/1424-168-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-344-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-310-0x00000170DD770000-0x00000170DD780000-memory.dmp

Filesize
64KB

Download
memory/1424-301-0x00000170DD770000-0x00000170DD780000-memory.dmp

Filesize
64KB

Download
memory/1424-172-0x00000170DD770000-0x00000170DD780000-memory.dmp

Filesize
64KB

Download
memory/2208-174-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-7-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/2208-1-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-2-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/2208-3-0x0000000001120000-0x000000000112E000-memory.dmp

Filesize
56KB

Download
memory/2208-0-0x0000000000740000-0x0000000000860000-memory.dmp

Filesize
1.1MB

Download
memory/2208-4-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/2208-5-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2208-6-0x0000000002AA0000-0x0000000002AAA000-memory.dmp

Filesize
40KB

Download
memory/2208-109-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/2208-8-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/2208-60-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-332-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-313-0x000001F02F800000-0x000001F02F810000-memory.dmp

Filesize
64KB

Download
memory/2216-164-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-165-0x000001F02F800000-0x000001F02F810000-memory.dmp

Filesize
64KB

Download
memory/2216-166-0x000001F02F800000-0x000001F02F810000-memory.dmp

Filesize
64KB

Download
memory/2664-240-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2664-256-0x000002544F8B0000-0x000002544F8C0000-memory.dmp

Filesize
64KB

Download
memory/2664-342-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2664-270-0x000002544F8B0000-0x000002544F8C0000-memory.dmp

Filesize
64KB

Download
memory/3136-337-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-306-0x000001AD7E660000-0x000001AD7E670000-memory.dmp

Filesize
64KB

Download
memory/3136-303-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-171-0x000001AD7E660000-0x000001AD7E670000-memory.dmp

Filesize
64KB

Download
memory/3136-167-0x000001AD7E660000-0x000001AD7E670000-memory.dmp

Filesize
64KB

Download
memory/3828-290-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3828-341-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3828-291-0x000002A176D40000-0x000002A176D50000-memory.dmp

Filesize
64KB

Download
memory/3828-293-0x000002A176D40000-0x000002A176D50000-memory.dmp

Filesize
64KB

Download
memory/3828-315-0x000002A176D40000-0x000002A176D50000-memory.dmp

Filesize
64KB

Download
memory/4292-194-0x000001FBB02C0000-0x000001FBB02D0000-memory.dmp

Filesize
64KB

Download
memory/4292-308-0x000001FBB02C0000-0x000001FBB02D0000-memory.dmp

Filesize
64KB

Download
memory/4292-184-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-250-0x000001FBB02C0000-0x000001FBB02D0000-memory.dmp

Filesize
64KB

Download
memory/4392-170-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-307-0x0000019654E70000-0x0000019654E80000-memory.dmp

Filesize
64KB

Download
memory/4392-340-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download