dcrat | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

Analysis

max time kernel
97s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Size

3.2MB
MD5

1553f67a0859a3057cde01f77db9dbc0
SHA1

2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256

a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512

4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5
SSDEEP

49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	3904	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3904	schtasks.exe	86

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3860-1-0x0000000000D50000-0x000000000108C000-memory.dmp	dcrat
behavioral2/files/0x00070000000233f6-43.dat	dcrat
behavioral2/files/0x000700000001e65d-70.dat	dcrat
behavioral2/files/0x000f000000023347-92.dat	dcrat
behavioral2/memory/1564-268-0x0000000000170000-0x00000000004AC000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 8 IoCs

resource	yara_rule
behavioral2/memory/3860-9-0x0000000003200000-0x0000000003210000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-13-0x0000000003240000-0x000000000324A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-21-0x000000001C470000-0x000000001C47C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-22-0x000000001C480000-0x000000001C48C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-24-0x000000001C4A0000-0x000000001C4AC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-26-0x000000001C5C0000-0x000000001C5CA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-30-0x000000001C700000-0x000000001C70C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3860-33-0x000000001C860000-0x000000001C86A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3400	powershell.exe
3168	powershell.exe
1932	powershell.exe
1752	powershell.exe
4680	powershell.exe
3560	powershell.exe
3264	powershell.exe
1632	powershell.exe
1528	powershell.exe
1796	powershell.exe
244	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
1564	RuntimeBroker.exe
6020	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\RCX381C.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX379E.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Idle.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Windows\assembly\6ccacd8608530f	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Windows\Speech\886983d96e3d3e	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Windows\assembly\RCX358A.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Windows\Speech\RCX3D41.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Windows\assembly\Idle.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File created	C:\Windows\Speech\csrss.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Windows\assembly\RCX3589.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Windows\Speech\RCX3CC3.tmp	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
File opened for modification	C:\Windows\Speech\csrss.exe	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1592	schtasks.exe
392	schtasks.exe
4704	schtasks.exe
4204	schtasks.exe
3792	schtasks.exe
1076	schtasks.exe
2436	schtasks.exe
2800	schtasks.exe
1056	schtasks.exe
4500	schtasks.exe
4452	schtasks.exe
3716	schtasks.exe
3552	schtasks.exe
4200	schtasks.exe
4968	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
244	powershell.exe
244	powershell.exe
1752	powershell.exe
1752	powershell.exe
3560	powershell.exe
3560	powershell.exe
1796	powershell.exe
1796	powershell.exe
3168	powershell.exe
3168	powershell.exe
1528	powershell.exe
1528	powershell.exe
4680	powershell.exe
4680	powershell.exe
1632	powershell.exe
1632	powershell.exe
3264	powershell.exe
3264	powershell.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3400	powershell.exe
3400	powershell.exe
3264	powershell.exe
1932	powershell.exe
1932	powershell.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
3400	powershell.exe
1932	powershell.exe
1528	powershell.exe
1796	powershell.exe
3560	powershell.exe
244	powershell.exe
3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
4680	powershell.exe
1752	powershell.exe
3168	powershell.exe
1632	powershell.exe
1564	RuntimeBroker.exe
1564	RuntimeBroker.exe
1564	RuntimeBroker.exe
1564	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1564	RuntimeBroker.exe
Token: SeDebugPrivilege	6020	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1932	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	105
PID 3860 wrote to memory of 1932	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	105
PID 3860 wrote to memory of 1796	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	106
PID 3860 wrote to memory of 1796	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	106
PID 3860 wrote to memory of 1752	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	107
PID 3860 wrote to memory of 1752	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	107
PID 3860 wrote to memory of 1528	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	108
PID 3860 wrote to memory of 1528	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	108
PID 3860 wrote to memory of 3168	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	109
PID 3860 wrote to memory of 3168	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	109
PID 3860 wrote to memory of 1632	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	110
PID 3860 wrote to memory of 1632	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	110
PID 3860 wrote to memory of 3264	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	111
PID 3860 wrote to memory of 3264	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	111
PID 3860 wrote to memory of 3560	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	113
PID 3860 wrote to memory of 3560	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	113
PID 3860 wrote to memory of 3400	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	114
PID 3860 wrote to memory of 3400	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	114
PID 3860 wrote to memory of 4680	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	116
PID 3860 wrote to memory of 4680	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	116
PID 3860 wrote to memory of 244	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	117
PID 3860 wrote to memory of 244	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	117
PID 3860 wrote to memory of 1564	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	127
PID 3860 wrote to memory of 1564	3860	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe	127
PID 1564 wrote to memory of 5348	1564	RuntimeBroker.exe	129
PID 1564 wrote to memory of 5348	1564	RuntimeBroker.exe	129
PID 1564 wrote to memory of 5396	1564	RuntimeBroker.exe	130
PID 1564 wrote to memory of 5396	1564	RuntimeBroker.exe	130
PID 5348 wrote to memory of 6020	5348	WScript.exe	135
PID 5348 wrote to memory of 6020	5348	WScript.exe	135
PID 6020 wrote to memory of 1600	6020	RuntimeBroker.exe	136
PID 6020 wrote to memory of 1600	6020	RuntimeBroker.exe	136
PID 6020 wrote to memory of 3372	6020	RuntimeBroker.exe	137
PID 6020 wrote to memory of 3372	6020	RuntimeBroker.exe	137

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
"C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Program Files (x86)\MSBuild\RuntimeBroker.exe
  "C:\Program Files (x86)\MSBuild\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1564
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a13119a6-cb34-4e8a-bdb1-bb1a4672aa93.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5348
  - - C:\Program Files (x86)\MSBuild\RuntimeBroker.exe
      "C:\Program Files (x86)\MSBuild\RuntimeBroker.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:6020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d416d0ac-0eea-4f36-91fb-1c6364bb88d1.vbs"
        5⤵
        
        PID:1600
      - C:\Program Files (x86)\MSBuild\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\RuntimeBroker.exe"
        6⤵
        
        PID:5240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c1fe13-f769-4d85-a3c1-d63ee2899e54.vbs"
        7⤵
        
        PID:5404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f0c679-c47e-49bb-b864-a9f5e6cd8cc2.vbs"
        7⤵
        
        PID:5600
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41adea57-f8ce-4fcf-9ad5-b1ae6413810e.vbs"
        5⤵
        
        PID:3372
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10a6481c-b96d-4f4e-8729-13c0b0aa586b.vbs"
    3⤵
    PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\RuntimeBroker.exe

Filesize
3.2MB

MD5
187dcfceeb378fabb5a2aad4f5f4be22

SHA1
8e031b914505e24bf50808bf45640db0fc7300c1

SHA256
d8e395612d1acd4475f13c2bdf076daadd8755e4753ee0d675d8683ee6ffa7ec

SHA512
c9bb1c7f5f4399d4e473b297c630880665c55f59c86751b1622f71895b75e6348343931e72ffba5076391ffa890307018c9a64ce9e098dad3f7cc44168233c39

Download Submit
C:\ProgramData\csrss.exe

Filesize
3.2MB

MD5
1553f67a0859a3057cde01f77db9dbc0

SHA1
2cfe40d1fea16093e16c96a35f3240b98da9a5e1

SHA256
a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

SHA512
4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10a6481c-b96d-4f4e-8729-13c0b0aa586b.vbs

Filesize
500B

MD5
cb047628993dc2a9aa715f03246b20bd

SHA1
fd19901ddd1b86fffdfbe210006c7b4f7b936ff6

SHA256
90ec599be14b52091c840f766134c4f9c2e4bf995f71a74e9f9b8d75027767b4

SHA512
49089cc671bc57a44a75dc71a3f649bf69341f46640aabeb98ef2cd13d4af8aef6f3f4ccab5af7ebd07ee99f781325538db75680c3bcbf69303495cc952bc48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3smyilil.xso.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a13119a6-cb34-4e8a-bdb1-bb1a4672aa93.vbs

Filesize
724B

MD5
19c1fcd252674fd7cf28f536b6f5c11e

SHA1
c5d6f6b2e51da7da9b3e3eabb14a729277b36190

SHA256
0d342e0b1dab756e58daa0a3e277512210c8f653671894c9139bd8a09faf8859

SHA512
f77d9801506ca08fc23c5292f02c4dbf2582256a1f3a96ee4371af929d5c18772f798bcf7ef07b5be8cd3a71cb7f332e2873700fefe87c8df98b8d0fe7171011

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1c1fe13-f769-4d85-a3c1-d63ee2899e54.vbs

Filesize
724B

MD5
5f078c351854e4a04c88612b5089e73e

SHA1
40d2840eaef945b81101e5b865704c5453bc344d

SHA256
cfc58c8c315454084d39a66abf3ba3cd144b2a8490b64b3193ba648b7734f6c5

SHA512
309cd7c295ae5e4c525ca2edf1efaf21cfb64609728300312cbb9e6ad853f316183fbbcea1d1601818e69d14cf8ceb8e3919323e72cb9bbd032858f06f1faada

Download Submit
C:\Users\Admin\AppData\Local\Temp\d416d0ac-0eea-4f36-91fb-1c6364bb88d1.vbs

Filesize
724B

MD5
d87dce8d8a944d2f069916173b606f06

SHA1
986d7ea0d2028374053c8dbeb073c581efef67e4

SHA256
c6d88aaa3d6ad6f988da81c9573a10e30fac6d096aff8789144cb933e1be62d6

SHA512
d2b3189f0e88f3a272886c7ef88795e93fa2419369cc08cc8b7486884fe1c66ad73d90a92e3fe5ad7c860cd5caa453a0af2946eb61c5874edcbfa8909be4c987

Download Submit
C:\Windows\Speech\csrss.exe

Filesize
3.2MB

MD5
1cdc3fecb9ac2859c93c125102afef44

SHA1
c07ec6f2b971f6fa84ddffada072aa84b873fb3c

SHA256
bc97f05e303f67abcb26fbb4d39c246a59e01de044f1d8d8835c623906b16e82

SHA512
f64960533fa553e059ea325019fe9a53c4e5035e4fbf63fe99c270d1a20e74e719c95ec7eb3f95ea7263673570e3c77eee230f453fe1781c78ccf96d8496e65a

Download Submit
memory/244-170-0x0000017C34080000-0x0000017C340A2000-memory.dmp

Filesize
136KB

Download
memory/1564-269-0x000000001CCA0000-0x000000001CCF6000-memory.dmp

Filesize
344KB

Download
memory/1564-268-0x0000000000170000-0x00000000004AC000-memory.dmp

Filesize
3.2MB

Download
memory/3860-13-0x0000000003240000-0x000000000324A000-memory.dmp

Filesize
40KB

Download
memory/3860-25-0x000000001C5B0000-0x000000001C5B8000-memory.dmp

Filesize
32KB

Download
memory/3860-19-0x000000001C440000-0x000000001C452000-memory.dmp

Filesize
72KB

Download
memory/3860-20-0x000000001C9A0000-0x000000001CEC8000-memory.dmp

Filesize
5.2MB

Download
memory/3860-21-0x000000001C470000-0x000000001C47C000-memory.dmp

Filesize
48KB

Download
memory/3860-22-0x000000001C480000-0x000000001C48C000-memory.dmp

Filesize
48KB

Download
memory/3860-23-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/3860-24-0x000000001C4A0000-0x000000001C4AC000-memory.dmp

Filesize
48KB

Download
memory/3860-26-0x000000001C5C0000-0x000000001C5CA000-memory.dmp

Filesize
40KB

Download
memory/3860-30-0x000000001C700000-0x000000001C70C000-memory.dmp

Filesize
48KB

Download
memory/3860-33-0x000000001C860000-0x000000001C86A000-memory.dmp

Filesize
40KB

Download
memory/3860-34-0x000000001C760000-0x000000001C76C000-memory.dmp

Filesize
48KB

Download
memory/3860-32-0x00007FF85A1F0000-0x00007FF85A4B9000-memory.dmp

Filesize
2.8MB

Download
memory/3860-31-0x000000001C710000-0x000000001C718000-memory.dmp

Filesize
32KB

Download
memory/3860-29-0x000000001C6F0000-0x000000001C6FE000-memory.dmp

Filesize
56KB

Download
memory/3860-28-0x000000001C6E0000-0x000000001C6E8000-memory.dmp

Filesize
32KB

Download
memory/3860-27-0x000000001C5D0000-0x000000001C5DE000-memory.dmp

Filesize
56KB

Download
memory/3860-18-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/3860-17-0x0000000003290000-0x000000000329C000-memory.dmp

Filesize
48KB

Download
memory/3860-16-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/3860-15-0x0000000003260000-0x000000000326C000-memory.dmp

Filesize
48KB

Download
memory/3860-14-0x000000001BDD0000-0x000000001BE26000-memory.dmp

Filesize
344KB

Download
memory/3860-0-0x00007FF85A1F0000-0x00007FF85A4B9000-memory.dmp

Filesize
2.8MB

Download
memory/3860-267-0x00007FF85A1F0000-0x00007FF85A4B9000-memory.dmp

Filesize
2.8MB

Download
memory/3860-9-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3860-8-0x00000000031F0000-0x00000000031F8000-memory.dmp

Filesize
32KB

Download
memory/3860-10-0x0000000003210000-0x0000000003226000-memory.dmp

Filesize
88KB

Download
memory/3860-12-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/3860-11-0x0000000003230000-0x0000000003238000-memory.dmp

Filesize
32KB

Download
memory/3860-7-0x000000001BD80000-0x000000001BDD0000-memory.dmp

Filesize
320KB

Download
memory/3860-6-0x00000000031D0000-0x00000000031EC000-memory.dmp

Filesize
112KB

Download
memory/3860-5-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/3860-4-0x00000000031A0000-0x00000000031AE000-memory.dmp

Filesize
56KB

Download
memory/3860-3-0x0000000003190000-0x000000000319E000-memory.dmp

Filesize
56KB

Download
memory/3860-2-0x00007FF85A1F0000-0x00007FF85A4B9000-memory.dmp

Filesize
2.8MB

Download
memory/3860-1-0x0000000000D50000-0x000000000108C000-memory.dmp

Filesize
3.2MB

Download