dcrat | a4284047b5ad4975355bf13b74b8919a0de2a3cc6166f4569ef42662f40ae2d1

Analysis

max time kernel
122s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Size

783KB
MD5

aaf95178efb97f6d4e0f58d7e6841f40
SHA1

bf9705ab690b363ec7c85053bdcdef02b4621d86
SHA256

a4284047b5ad4975355bf13b74b8919a0de2a3cc6166f4569ef42662f40ae2d1
SHA512

70bb3d92c0a4e74e3ef330bca053fe658f9d56bc323b3a9d5f326f7e3f0d29fdea3f9b6e91d1a9a20693807c760ede297b87d034030d14dc2784407ea0270b88
SSDEEP

12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:m+OQbpbgsFdAyQvzSqaq8q

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2192	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2516-1-0x0000000000010000-0x00000000000DA000-memory.dmp	dcrat
behavioral1/files/0x0006000000016cf6-57.dat	dcrat
behavioral1/files/0x00070000000167f7-135.dat	dcrat
behavioral1/files/0x00070000000167f7-136.dat	dcrat
behavioral1/memory/2396-137-0x0000000001250000-0x000000000131A000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2396	explorer.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_32\\explorer.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\PerfLogs\\Admin\\audiodg.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\dhcpcore\\sppsvc.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\korwbrkr\\spoolsv.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\schemas\\System.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\gpupdate\\sppsvc.exe\""	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dhcpcore\RCX1895.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\gpupdate\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\dhcpcore\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\dhcpcore\sppsvc.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\korwbrkr\spoolsv.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\korwbrkr\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\System32\gpupdate\RCX1009.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\System32\dhcpcore\sppsvc.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\System32\korwbrkr\RCX1C9C.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\System32\gpupdate\sppsvc.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\System32\gpupdate\sppsvc.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\System32\korwbrkr\spoolsv.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c99120d96dace90a3f93f329dcad63	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX120C.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\twunk_32\explorer.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\twunk_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\schemas\System.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File created	C:\Windows\schemas\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\twunk_32\RCX1420.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\twunk_32\explorer.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\schemas\RCX1EA0.tmp	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
File opened for modification	C:\Windows\schemas\System.exe	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2612	schtasks.exe
2656	schtasks.exe
2864	schtasks.exe
2592	schtasks.exe
2484	schtasks.exe
2008	schtasks.exe
2000	schtasks.exe
1992	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Token: SeDebugPrivilege	2396	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1072	2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe	39
PID 2516 wrote to memory of 1072	2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe	39
PID 2516 wrote to memory of 1072	2516	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe	39
PID 1072 wrote to memory of 2296	1072	cmd.exe	41
PID 1072 wrote to memory of 2296	1072	cmd.exe	41
PID 1072 wrote to memory of 2296	1072	cmd.exe	41
PID 1072 wrote to memory of 2396	1072	cmd.exe	42
PID 1072 wrote to memory of 2396	1072	cmd.exe	42
PID 1072 wrote to memory of 2396	1072	cmd.exe	42

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aaf95178efb97f6d4e0f58d7e6841f40.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5hNgkZOXUr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2296
- - C:\Windows\twunk_32\explorer.exe
    "C:\Windows\twunk_32\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\gpupdate\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twunk_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\PerfLogs\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\korwbrkr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ae3dd2f52f6b464823477d41e31d0a3

SHA1
68caf07b0aefa6f33beb81dba8a2cbcb3d21e12a

SHA256
1f56437c33269cf75227272a1090d01a087d64601083a153d7a43e57d769c70c

SHA512
c999f6d8b10aa2b9804f7b1d852f392736e05a4472de2dfe267c9f690d93cd0ab46e50d228d9db5370fae7905647e428484f9f32f7cd84a1d23a4c4142587a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hNgkZOXUr.bat

Filesize
196B

MD5
75187541a399cbd8b107461863bae3aa

SHA1
1ff36f31f3fad11cd615485506f44e45bfb64c3b

SHA256
a37dda54084c28e9f5e9fe9eff1810410252cf533188ca81bbafc40b8dd1d1f7

SHA512
ed91364307d4cf2111fdc5bca70926397468a74e00ad0b2aaedbcdec7309713b7d3ca6e61b823e36de6751ee6217754e70fd6cd8cfbf48f26f379036d4ac4bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F05.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F85.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\System32\dhcpcore\sppsvc.exe

Filesize
783KB

MD5
aaf95178efb97f6d4e0f58d7e6841f40

SHA1
bf9705ab690b363ec7c85053bdcdef02b4621d86

SHA256
a4284047b5ad4975355bf13b74b8919a0de2a3cc6166f4569ef42662f40ae2d1

SHA512
70bb3d92c0a4e74e3ef330bca053fe658f9d56bc323b3a9d5f326f7e3f0d29fdea3f9b6e91d1a9a20693807c760ede297b87d034030d14dc2784407ea0270b88

Download Submit
C:\Windows\twunk_32\explorer.exe

Filesize
783KB

MD5
aaf95178efb97f6d4e0f58d7e6841f40

SHA1
bf9705ab690b363ec7c85053bdcdef02b4621d86

SHA256
a4284047b5ad4975355bf13b74b8919a0de2a3cc6166f4569ef42662f40ae2d1

SHA512
70bb3d92c0a4e74e3ef330bca053fe658f9d56bc323b3a9d5f326f7e3f0d29fdea3f9b6e91d1a9a20693807c760ede297b87d034030d14dc2784407ea0270b88

Download Submit
C:\Windows\twunk_32\explorer.exe

Filesize
783KB

MD5
aaf95178efb97f6d4e0f58d7e6841f40

SHA1
bf9705ab690b363ec7c85053bdcdef02b4621d86

SHA256
a4284047b5ad4975355bf13b74b8919a0de2a3cc6166f4569ef42662f40ae2d1

SHA512
70bb3d92c0a4e74e3ef330bca053fe658f9d56bc323b3a9d5f326f7e3f0d29fdea3f9b6e91d1a9a20693807c760ede297b87d034030d14dc2784407ea0270b88

Download Submit
memory/2396-202-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2396-221-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-137-0x0000000001250000-0x000000000131A000-memory.dmp

Filesize
808KB

Download
memory/2396-140-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2396-139-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2396-138-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-31-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-36-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-10-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2516-11-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2516-12-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2516-13-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2516-14-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2516-16-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2516-15-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2516-17-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2516-18-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2516-19-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2516-20-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2516-21-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2516-22-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2516-23-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-24-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-26-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-27-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-28-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-8-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2516-32-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-33-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-34-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-35-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-37-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-9-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2516-38-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-39-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-40-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-41-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-42-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-43-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-44-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-45-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-46-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-47-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-48-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-53-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-54-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-65-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-75-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-103-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-118-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-7-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2516-4-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2516-6-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2516-5-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2516-3-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2516-2-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-1-0x0000000000010000-0x00000000000DA000-memory.dmp

Filesize
808KB

Download
memory/2516-0-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-131-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-133-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2516-134-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download