dcrat | dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e27c65c632c88eb12cef32cbaf4645.exe
Size

3.7MB
MD5

b3e27c65c632c88eb12cef32cbaf4645
SHA1

80a1aa9872bb18bf0e47da6f4a3c77729503739f
SHA256

dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402
SHA512

4a17c489f663386f962835f4868ced34d0462e8b2f6f2c6c0f864178de42d5aeef5fc070392b8f9779704f8c4486ee7ae2cee22185183544f20cfa729f92095f
SSDEEP

49152:PbA31CZGtBT5fh8cPVlHiHXzufiQvFywW7sTUbqKKd71+Va6b7W6jerVuacXxtXe:PbZuBT5JNVxi3KfPQ9d78AacXEk+LVUO

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4124	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	4124	schtasks.exe	97

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfMonitor.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000600000002323e-15.dat	dcrat
behavioral2/files/0x000600000002323e-16.dat	dcrat
behavioral2/memory/1720-17-0x0000000000A30000-0x0000000000D9A000-memory.dmp	dcrat
behavioral2/files/0x0006000000023247-59.dat	dcrat
behavioral2/files/0x000600000002324d-97.dat	dcrat
behavioral2/files/0x000600000002324d-98.dat	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b3e27c65c632c88eb12cef32cbaf4645.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	perfMonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 2 IoCs

pid	Process
1720	perfMonitor.exe
2060	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	perfMonitor.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	perfMonitor.exe
File created	C:\Program Files\WindowsApps\csrss.exe	perfMonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	perfMonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	perfMonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6203df4a6bafc7	perfMonitor.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	perfMonitor.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	perfMonitor.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\sysmon.exe	perfMonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsass.exe	perfMonitor.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\ea1d8f6d871115	perfMonitor.exe
File created	C:\Windows\SKB\LanguageModels\fontdrvhost.exe	perfMonitor.exe
File created	C:\Windows\SKB\LanguageModels\5b884080fd4f94	perfMonitor.exe
File created	C:\Windows\PrintDialog\upfc.exe	perfMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4064	schtasks.exe
676	schtasks.exe
4428	schtasks.exe
1816	schtasks.exe
3108	schtasks.exe
2184	schtasks.exe
216	schtasks.exe
4588	schtasks.exe
4192	schtasks.exe
1964	schtasks.exe
2932	schtasks.exe
3660	schtasks.exe
3836	schtasks.exe
1132	schtasks.exe
2900	schtasks.exe
1052	schtasks.exe
3736	schtasks.exe
1804	schtasks.exe
2220	schtasks.exe
3376	schtasks.exe
3792	schtasks.exe
4728	schtasks.exe
1732	schtasks.exe
3516	schtasks.exe
4872	schtasks.exe
2376	schtasks.exe
4068	schtasks.exe
3316	schtasks.exe
3616	schtasks.exe
4024	schtasks.exe
1744	schtasks.exe
528	schtasks.exe
4836	schtasks.exe
2564	schtasks.exe
4312	schtasks.exe
2228	schtasks.exe
2152	schtasks.exe
4232	schtasks.exe
2284	schtasks.exe
2204	schtasks.exe
4196	schtasks.exe
4960	schtasks.exe
4144	schtasks.exe
420	schtasks.exe
2292	schtasks.exe
4308	schtasks.exe
4204	schtasks.exe
2044	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	b3e27c65c632c88eb12cef32cbaf4645.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
1720	perfMonitor.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe
2060	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	Idle.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	perfMonitor.exe
Token: SeDebugPrivilege	2060	Idle.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4004	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	92
PID 2360 wrote to memory of 4004	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	92
PID 2360 wrote to memory of 4004	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	92
PID 2360 wrote to memory of 4324	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	93
PID 2360 wrote to memory of 4324	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	93
PID 2360 wrote to memory of 4324	2360	b3e27c65c632c88eb12cef32cbaf4645.exe	93
PID 4004 wrote to memory of 4940	4004	WScript.exe	94
PID 4004 wrote to memory of 4940	4004	WScript.exe	94
PID 4004 wrote to memory of 4940	4004	WScript.exe	94
PID 4940 wrote to memory of 1720	4940	cmd.exe	96
PID 4940 wrote to memory of 1720	4940	cmd.exe	96
PID 1720 wrote to memory of 2060	1720	perfMonitor.exe	145
PID 1720 wrote to memory of 2060	1720	perfMonitor.exe	145
PID 2060 wrote to memory of 3356	2060	Idle.exe	147
PID 2060 wrote to memory of 3356	2060	Idle.exe	147
PID 2060 wrote to memory of 3236	2060	Idle.exe	148
PID 2060 wrote to memory of 3236	2060	Idle.exe	148

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfMonitor.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b3e27c65c632c88eb12cef32cbaf4645.exe
"C:\Users\Admin\AppData\Local\Temp\b3e27c65c632c88eb12cef32cbaf4645.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comweb\WJQNLTktExtEzRzmF.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comweb\wAZLEh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\comweb\perfMonitor.exe
      "C:\comweb\perfMonitor.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1720
    - - C:\comweb\Idle.exe
        
        "C:\comweb\Idle.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57979f5c-f77a-4541-b3f6-c909db9bfad1.vbs"
        6⤵
        
        PID:3356
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c00b466-f348-46aa-9f0a-d6808e8d2f07.vbs"
        6⤵
        
        PID:3236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comweb\file.vbs"
  2⤵
  PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\comweb\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\comweb\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\comweb\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\comweb\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\comweb\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\comweb\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comweb\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\comweb\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\comweb\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Filesize
247KB

MD5
ba9d8385105ab1c024437466a079faf5

SHA1
851e4e9256264681f910adc55870adb5ff0f22a4

SHA256
4e33c379977a2211e9bade8fddf1c0cb7a3f42fa2a7ffe0632e56f32e76923d2

SHA512
3a5ec678cfd3f3c829833af8b802e77e746ebbf2ba5556ee2394bdb254a971de60efd0b090aac06a0f3843ca0ca16671fbdbd7944596a9dc15900c646841feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c00b466-f348-46aa-9f0a-d6808e8d2f07.vbs

Filesize
470B

MD5
56ab44ffecb242c24e0c882bc08f42a0

SHA1
6c601ba308253ec38f6084ee91c791c84d2c9bca

SHA256
beb7dcf84ab1c0a9f88097343cee9aa5f17b8751e9d9d18dfdbcd360459cebdd

SHA512
94a763b572d5f9dcd903192671830c291037f804dba939f7752552adb9fb25d8b568151247aeef2c8ba85f7e0e78309f8cad973a0ed6366472422109ad6654e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\57979f5c-f77a-4541-b3f6-c909db9bfad1.vbs

Filesize
694B

MD5
35815b7f2242ef47e436aa82f0d045ce

SHA1
4f2ab7e4acd54d31c6b6fbb5b5ff6b8f84fe6f40

SHA256
1063ed6bfab646ba65610703eee39d797d2fcccaf5b4f4f491f96de641e3c77a

SHA512
804ab55260ecf7613e9a4258c936fd6b688255a7d81f71863beb900235ec9785a5effccdc26c109367b3fd0d9283071b167f5244f1b507cb123ac353d859e3c3

Download Submit
C:\comweb\Idle.exe

Filesize
988KB

MD5
d0f38209d5ef215c795112d1d2e2600a

SHA1
26ad351db6a61c49b2a023d3090563e63b60674f

SHA256
3828445bc517cf4865cf765cfefaab04309f845388d2ee8260554b2dadedb8a1

SHA512
b186c7ce8b331464be39a1d7b0064722de43dd8590066b82b2e4ff9bcad92afb83e39979cdb3e63025efc8d228f2334ebe093e8e3188e18f2b39572ff8391f18

Download Submit
C:\comweb\Idle.exe

Filesize
878KB

MD5
eb9e47d0ed47c91f442bd193eeb7fcfe

SHA1
a80719a7575074973c419069ecc666970d247de8

SHA256
63c469d9f8604c0f98bcc8d17d605d4f99b7c374ff9e9ffe21aefb5619c8fb29

SHA512
2ee686e5bc72f30f593c045d6f0ddc556f558c032718dc606b83bda2ee155424535544fa1ee92f3b508cf18a95e750934de2e85a492b76772864aec88357f4e2

Download Submit
C:\comweb\WJQNLTktExtEzRzmF.vbe

Filesize
189B

MD5
d16733aaf8d56d9d781624aedf254f40

SHA1
ab730d9a5f03bee9ccc06e03779159101e6a8d5e

SHA256
248a0afbffe16a85424600dc674b39213b6a8543ccf50ae3b04ef90339e00fc6

SHA512
eb312960ffea878315d44434cb700b96a15d61da1a12d7f059c64377bda639bf354997a543c36ff117e85c7a446b62b05a164b0e124f687d9943f9e03b3fdae5

Download Submit
C:\comweb\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\comweb\perfMonitor.exe

Filesize
2.3MB

MD5
f63c3a7f4c9b512496c1e4aa36395b41

SHA1
9f764afac83e5f842164537cffd3caea1d959fb0

SHA256
9f8e2b762dc2b1174329da82fee48743d500582c19959323628423201cbb265b

SHA512
e02849eea9568f806de4a6f01fb27c6827e2d26c2d8ac8e9ae98733918583f7ec30440e2b536b712601c802c1e413781543a3508dfa6d14e1a77cf2e006ecd6a

Download Submit
C:\comweb\perfMonitor.exe

Filesize
2.1MB

MD5
65930e1311f788afe81d492da07e57e1

SHA1
c89f7520cba58050dc0a3f5bf251f31fc1a04513

SHA256
484f5ecadac3ea3bc629ef221effae2b4ec18a0e4ee3a26b88bab0405ee53e77

SHA512
e3feec293ad8d84a4865651380debfc31a4efef62da300ae92349578443954d7f6eb7884ecd0b5954475fb697c2e694d178a95686ed022242078bd42f0e25fb0

Download Submit
C:\comweb\wAZLEh.bat

Filesize
27B

MD5
91b82fc66629750d32192e4a70877af8

SHA1
316fe240b48e24116e8ec227b7b8b140669db6d0

SHA256
997a95f993ca0f1d52c5c7bf42b73fb4872902c7502ab9d7a06099a831148cd3

SHA512
5b008398d2c055aad62978f850c86b93c0e36a9515271b39bc2c107136499a0f1fbd32992b1d901ad192884312c47341357df88a17528eb1bddfd85530b18085

Download Submit
memory/1720-39-0x000000001C230000-0x000000001C242000-memory.dmp

Filesize
72KB

Download
memory/1720-43-0x000000001C280000-0x000000001C288000-memory.dmp

Filesize
32KB

Download
memory/1720-21-0x000000001B910000-0x000000001B91E000-memory.dmp

Filesize
56KB

Download
memory/1720-23-0x000000001BFE0000-0x000000001BFFC000-memory.dmp

Filesize
112KB

Download
memory/1720-24-0x000000001C050000-0x000000001C0A0000-memory.dmp

Filesize
320KB

Download
memory/1720-26-0x000000001C010000-0x000000001C020000-memory.dmp

Filesize
64KB

Download
memory/1720-28-0x000000001C040000-0x000000001C048000-memory.dmp

Filesize
32KB

Download
memory/1720-30-0x000000001C1A0000-0x000000001C1AC000-memory.dmp

Filesize
48KB

Download
memory/1720-32-0x000000001C2D0000-0x000000001C2E0000-memory.dmp

Filesize
64KB

Download
memory/1720-33-0x000000001C1D0000-0x000000001C1DA000-memory.dmp

Filesize
40KB

Download
memory/1720-31-0x000000001C1C0000-0x000000001C1C8000-memory.dmp

Filesize
32KB

Download
memory/1720-34-0x000000001C1E0000-0x000000001C236000-memory.dmp

Filesize
344KB

Download
memory/1720-29-0x000000001C1B0000-0x000000001C1C2000-memory.dmp

Filesize
72KB

Download
memory/1720-27-0x000000001C020000-0x000000001C036000-memory.dmp

Filesize
88KB

Download
memory/1720-25-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/1720-22-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/1720-35-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/1720-37-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

Filesize
48KB

Download
memory/1720-19-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/1720-38-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/1720-36-0x000000001BCB0000-0x000000001BCB8000-memory.dmp

Filesize
32KB

Download
memory/1720-41-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/1720-44-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/1720-20-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/1720-45-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/1720-42-0x000000001C270000-0x000000001C27C000-memory.dmp

Filesize
48KB

Download
memory/1720-40-0x000000001C810000-0x000000001CD38000-memory.dmp

Filesize
5.2MB

Download
memory/1720-47-0x000000001C2C0000-0x000000001C2CC000-memory.dmp

Filesize
48KB

Download
memory/1720-51-0x000000001C510000-0x000000001C51E000-memory.dmp

Filesize
56KB

Download
memory/1720-53-0x000000001C530000-0x000000001C53C000-memory.dmp

Filesize
48KB

Download
memory/1720-52-0x000000001C520000-0x000000001C528000-memory.dmp

Filesize
32KB

Download
memory/1720-54-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/1720-50-0x000000001C500000-0x000000001C508000-memory.dmp

Filesize
32KB

Download
memory/1720-56-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/1720-55-0x000000001C650000-0x000000001C65A000-memory.dmp

Filesize
40KB

Download
memory/1720-49-0x000000001C4F0000-0x000000001C4FE000-memory.dmp

Filesize
56KB

Download
memory/1720-48-0x000000001C4E0000-0x000000001C4EA000-memory.dmp

Filesize
40KB

Download
memory/1720-46-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/1720-102-0x00007FFC375E0000-0x00007FFC380A1000-memory.dmp

Filesize
10.8MB

Download
memory/1720-17-0x0000000000A30000-0x0000000000D9A000-memory.dmp

Filesize
3.4MB

Download
memory/1720-18-0x00007FFC375E0000-0x00007FFC380A1000-memory.dmp

Filesize
10.8MB

Download
memory/2060-103-0x0000000002B70000-0x0000000002B82000-memory.dmp

Filesize
72KB

Download
memory/2060-101-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2060-100-0x00007FFC375E0000-0x00007FFC380A1000-memory.dmp

Filesize
10.8MB

Download
memory/2060-113-0x000000001DFD0000-0x000000001E192000-memory.dmp

Filesize
1.8MB

Download
memory/2060-152-0x00007FFC375E0000-0x00007FFC380A1000-memory.dmp

Filesize
10.8MB

Download