dcrat | 2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
Size

3.0MB
MD5

7930c72a0629b7d98cae323593175068
SHA1

3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947
SHA256

2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
SHA512

4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8
SSDEEP

49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	5704	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5704	schtasks.exe	96

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/752-13-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
behavioral2/memory/752-13-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral2/memory/6084-10-0x0000000005D30000-0x0000000005D3A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/752-27-0x0000000006F70000-0x0000000006F80000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/752-39-0x0000000007200000-0x000000000720A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3288	powershell.exe
4488	powershell.exe
4208	powershell.exe
4812	powershell.exe
5976	powershell.exe
2560	powershell.exe
1500	powershell.exe
5496	powershell.exe
3108	powershell.exe
920	powershell.exe
532	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 6 IoCs

pid	Process
4476	taskhostw.exe
5660	taskhostw.exe
5020	taskhostw.exe
3212	taskhostw.exe
2884	taskhostw.exe
4176	taskhostw.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com
72	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6084 set thread context of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 4476 set thread context of 5020	4476	taskhostw.exe	148
PID 3212 set thread context of 4176	3212	taskhostw.exe	157

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF5A5.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXF391.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXF390.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF623.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4524	schtasks.exe
5192	schtasks.exe
3376	schtasks.exe
3484	schtasks.exe
3992	schtasks.exe
2364	schtasks.exe
1848	schtasks.exe
2660	schtasks.exe
2968	schtasks.exe
3148	schtasks.exe
4356	schtasks.exe
5128	schtasks.exe
2664	schtasks.exe
2224	schtasks.exe
4396	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
3108	powershell.exe
3108	powershell.exe
2560	powershell.exe
2560	powershell.exe
5496	powershell.exe
5496	powershell.exe
3288	powershell.exe
3288	powershell.exe
5976	powershell.exe
5976	powershell.exe
1500	powershell.exe
1500	powershell.exe
4488	powershell.exe
4812	powershell.exe
4488	powershell.exe
4812	powershell.exe
4208	powershell.exe
4208	powershell.exe
920	powershell.exe
920	powershell.exe
532	powershell.exe
532	powershell.exe
5496	powershell.exe
2560	powershell.exe
3108	powershell.exe
4488	powershell.exe
3288	powershell.exe
5976	powershell.exe
920	powershell.exe
1500	powershell.exe
4812	powershell.exe
4208	powershell.exe
532	powershell.exe
4476	taskhostw.exe
4476	taskhostw.exe
5020	taskhostw.exe
5020	taskhostw.exe
5020	taskhostw.exe
5020	taskhostw.exe
5020	taskhostw.exe
3212	taskhostw.exe
3212	taskhostw.exe
4176	taskhostw.exe
4176	taskhostw.exe
4176	taskhostw.exe
4176	taskhostw.exe
4176	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4476	taskhostw.exe
Token: SeDebugPrivilege	5020	taskhostw.exe
Token: SeDebugPrivilege	3212	taskhostw.exe
Token: SeDebugPrivilege	4176	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 6084 wrote to memory of 752	6084	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	103
PID 752 wrote to memory of 1500	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	119
PID 752 wrote to memory of 1500	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	119
PID 752 wrote to memory of 1500	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	119
PID 752 wrote to memory of 4488	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	120
PID 752 wrote to memory of 4488	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	120
PID 752 wrote to memory of 4488	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	120
PID 752 wrote to memory of 3108	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	121
PID 752 wrote to memory of 3108	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	121
PID 752 wrote to memory of 3108	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	121
PID 752 wrote to memory of 3288	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	122
PID 752 wrote to memory of 3288	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	122
PID 752 wrote to memory of 3288	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	122
PID 752 wrote to memory of 5496	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	123
PID 752 wrote to memory of 5496	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	123
PID 752 wrote to memory of 5496	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	123
PID 752 wrote to memory of 4208	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	124
PID 752 wrote to memory of 4208	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	124
PID 752 wrote to memory of 4208	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	124
PID 752 wrote to memory of 5976	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	126
PID 752 wrote to memory of 5976	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	126
PID 752 wrote to memory of 5976	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	126
PID 752 wrote to memory of 4812	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	127
PID 752 wrote to memory of 4812	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	127
PID 752 wrote to memory of 4812	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	127
PID 752 wrote to memory of 920	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	128
PID 752 wrote to memory of 920	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	128
PID 752 wrote to memory of 920	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	128
PID 752 wrote to memory of 2560	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	129
PID 752 wrote to memory of 2560	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	129
PID 752 wrote to memory of 2560	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	129
PID 752 wrote to memory of 532	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	130
PID 752 wrote to memory of 532	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	130
PID 752 wrote to memory of 532	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	130
PID 752 wrote to memory of 5448	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	141
PID 752 wrote to memory of 5448	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	141
PID 752 wrote to memory of 5448	752	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	141
PID 5448 wrote to memory of 5184	5448	cmd.exe	143
PID 5448 wrote to memory of 5184	5448	cmd.exe	143
PID 5448 wrote to memory of 5184	5448	cmd.exe	143
PID 5184 wrote to memory of 6132	5184	w32tm.exe	144
PID 5184 wrote to memory of 6132	5184	w32tm.exe	144
PID 5448 wrote to memory of 4476	5448	cmd.exe	145
PID 5448 wrote to memory of 4476	5448	cmd.exe	145
PID 5448 wrote to memory of 4476	5448	cmd.exe	145
PID 4476 wrote to memory of 5660	4476	taskhostw.exe	147
PID 4476 wrote to memory of 5660	4476	taskhostw.exe	147
PID 4476 wrote to memory of 5660	4476	taskhostw.exe	147
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 4476 wrote to memory of 5020	4476	taskhostw.exe	148
PID 5020 wrote to memory of 1868	5020	taskhostw.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
"C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6084
- C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
  "C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ueHfbtHnbI.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5448
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5184
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:6132
  - - C:\Users\Default User\taskhostw.exe
      "C:\Users\Default User\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Default User\taskhostw.exe
        
        "C:\Users\Default User\taskhostw.exe"
        5⤵
        Executes dropped EXE
        
        PID:5660
    - - C:\Users\Default User\taskhostw.exe
        
        "C:\Users\Default User\taskhostw.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46cf896a-d9de-4d21-a7a5-33f85810f51e.vbs"
        6⤵
        
        PID:1868
        
        C:\Users\Default User\taskhostw.exe
        
        "C:\Users\Default User\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Users\Default User\taskhostw.exe
        
        "C:\Users\Default User\taskhostw.exe"
        8⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Default User\taskhostw.exe
        
        "C:\Users\Default User\taskhostw.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db88d42a-afe1-46bf-af0e-a402002fe083.vbs"
        9⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a67f40-4e71-4951-adff-2a27b8d62cc0.vbs"
        9⤵
        
        PID:3176
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f64e913-16e0-4703-896e-0d0e06f55a1c.vbs"
        6⤵
        
        PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe

Filesize
3.0MB

MD5
7930c72a0629b7d98cae323593175068

SHA1
3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947

SHA256
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

SHA512
4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe

Filesize
3.0MB

MD5
604d3c4127a9647229d02e038d64da70

SHA1
a05565714709e76c18f1c3fa7f128e8bedfb8001

SHA256
8548200b431f2fb817c1368917c73030f948ad4b3a7b7fbcd32a336f212beb0e

SHA512
8d589fd915195d9796da9142e4991959d6480ee7302a49c2b215f79cf501d934ef3fb36306c3069e85d83a6fa8964e1cfaa73a89823cb788928c4b035a640277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe.log

Filesize
1KB

MD5
95b0eabd8c9c516fc2d8632ff8f4dc10

SHA1
8118b2b54184a5add848198f36a905b9a511940e

SHA256
1ad8f00e485dbebe5a1f40f60b9e588e6563c4feef20b8134f335b3e16208dc3

SHA512
60147da0bc922f18e2eeae00dc7dda1caa432df6ed0f853cd4757535bf371536902c1ce1bc40db167540bbc79dedf9a742498fab5bafcbd1053c4b2dd9c79e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cfbd10ce901a445ec627cc22b6159a3c

SHA1
4a6e5e0327c29bdcf18d5d7fd46f066d90e49110

SHA256
44f453bbd3d4abacf5e9c269f7a82e74bfe6aacdd17c42ea02d3e98cb73280b4

SHA512
29c39419158d75a8f0fa2d8a33a6e904e7b5cc4d5dc3269237b104fb4a1146f2a5ff46d3d045f4cdb44c91cf4d77005284b949c82805e273a47f140f6c3251a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9edf8152726b53e2e5b021670d1ee0fd

SHA1
eed1f5b70ff00795ffc8dbe9435a2842589b4b26

SHA256
7f004a2ac453aa0e0556fb704130588d63926086e15567631b3433bb81a734bf

SHA512
9a78a6804c6a8eb029fe50b3651019727e03ac7f92c7e9cd3591fa011adfcd1eaffadd4e132043a17baad851e6bd4fecb46e8ef620e007bd6044284747778f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f0c633d43bc278f457464889e81dccae

SHA1
139f596ff568f2ddd495e064b70e32268ec0c244

SHA256
71b937f717e35f4f5f5b1fc3e18eb99119f6d8e4e1df1da391570d728c54ef1e

SHA512
aeb84f0b0ec88a130fbf6fdae693ff6b4e2dc495fe16337993145fba476039ec4b2cd134deaf5512d67b0e0a596e95441928a26d11fad119a89002b24257e1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
13af17ac0a12773fd5212d5e3b100ed6

SHA1
0709bcfc4120e277ba5de6cb4a4b2850bc203901

SHA256
7f33e01030c0eacd45d35b55c08f77fe85106d3ccd63865dc0f2f6f0036303aa

SHA512
8de6026c3af882cd65f0bd95d39fe9c40b894be827237d66cb9ce87ce678d0218ee818ccb4b82eddfbf2e01c589fe60c44740ca8fcb714dc3b0bcba5e7b60b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
796B

MD5
525e02935c6299c720105958b56e492b

SHA1
be0c0d269f73949ae23d715da9cf2a846274d2e1

SHA256
ecca9a5afb2b92a4bb62fe4caef4806c52f2f89a3ec0f08a61f4a62c000eb7af

SHA512
405185227d91d0d57b31e160c005cc093dcd81afb6c953472481d61dee94597fad4fd909d43cfa43531caf71ea20ab1cadb204d2293d2b16ff9b082e9683ceae

Download Submit
C:\Users\Admin\AppData\Local\Temp\46cf896a-d9de-4d21-a7a5-33f85810f51e.vbs

Filesize
711B

MD5
027e655638a18e760269093577cf280d

SHA1
6a6de3b78ab59d1164d5352e7adb133bca2f3201

SHA256
ded944f7ac42debf06a46407d262fb834fd806c14009892e2ab9f6a2ea89c01e

SHA512
587ed447caf948dc9ab40a507a3ee973167292fa288aebd88bdeabd0141891b26afe198a85ff6ded078215bb5310c4ae21fdf36ed521439189dd867f82c72d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f64e913-16e0-4703-896e-0d0e06f55a1c.vbs

Filesize
487B

MD5
c914f1150f202e84b6a6cce744a4ed46

SHA1
9efabef21def2fa6e9e317acaad7f7eb2adfb20c

SHA256
9aeedab92f9649841932053be72782f0befbc2b7d73549ce78a984cdcfbe8efd

SHA512
0afbf6554d7d7320df2636f8f0066520a14f6496f2b2d60268b11932fd88365c1f011781880ac6c5761470b8698e976c262a68013befaeaa8970cce1a502f550

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csejyugs.ojp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db88d42a-afe1-46bf-af0e-a402002fe083.vbs

Filesize
711B

MD5
3bd7b0efb6372c3320fcdf4ba1c0b7ab

SHA1
161bdf7aca5ff8c10b828244a69253b9aba2bca7

SHA256
b03d64023c9a140de8f9c997a84aed7ddc947cccf55f1d2e928c32c7669e34de

SHA512
4c166f379dcd7652493bf3f9359538d113b6392f20c35dbaf38e5b267f5dbcc216b08b1ca63b032c866a1b5b3c1ab5c56bb594a3644416d22772fe109bc5c8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueHfbtHnbI.bat

Filesize
200B

MD5
9aa120606b3097c3bbdebaeb6e1e526f

SHA1
da3b4f0500f00f280b8aba03695aa0a4d8a9bf22

SHA256
7f9dcd60e329139ea1dd655b22ab68d5de0ca46313e88219efdf47f1315ec14a

SHA512
fbb6c4d2c5dcb84fe9325abd190d6564af5b7bb27aa2f256fbc6392b4243b694c27d6d5916b678c3f1ffe30ccd3b2f64cb4e7be9b26bc1a48295bbf601295617

Download Submit
memory/532-355-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/532-316-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/752-40-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/752-36-0x0000000007170000-0x0000000007182000-memory.dmp

Filesize
72KB

Download
memory/752-19-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/752-20-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/752-21-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/752-22-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/752-23-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/752-24-0x0000000003150000-0x000000000316C000-memory.dmp

Filesize
112KB

Download
memory/752-25-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

Filesize
320KB

Download
memory/752-26-0x0000000006F60000-0x0000000006F68000-memory.dmp

Filesize
32KB

Download
memory/752-28-0x0000000006F80000-0x0000000006F96000-memory.dmp

Filesize
88KB

Download
memory/752-29-0x0000000007000000-0x0000000007008000-memory.dmp

Filesize
32KB

Download
memory/752-27-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/752-30-0x0000000007160000-0x000000000716C000-memory.dmp

Filesize
48KB

Download
memory/752-31-0x0000000007080000-0x00000000070D6000-memory.dmp

Filesize
344KB

Download
memory/752-32-0x0000000007120000-0x000000000712C000-memory.dmp

Filesize
48KB

Download
memory/752-35-0x0000000007150000-0x0000000007158000-memory.dmp

Filesize
32KB

Download
memory/752-34-0x0000000007140000-0x000000000714C000-memory.dmp

Filesize
48KB

Download
memory/752-33-0x0000000007130000-0x0000000007138000-memory.dmp

Filesize
32KB

Download
memory/752-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/752-37-0x0000000008F30000-0x000000000945C000-memory.dmp

Filesize
5.2MB

Download
memory/752-38-0x00000000071F0000-0x00000000071FC000-memory.dmp

Filesize
48KB

Download
memory/752-43-0x0000000007300000-0x000000000730C000-memory.dmp

Filesize
48KB

Download
memory/752-42-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/752-41-0x00000000072E0000-0x00000000072E8000-memory.dmp

Filesize
32KB

Download
memory/752-18-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/752-39-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/752-126-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/752-16-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/920-346-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/920-335-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/1500-296-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/2560-125-0x0000000004FF0000-0x0000000005618000-memory.dmp

Filesize
6.2MB

Download
memory/2560-347-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/2560-257-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/3108-255-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/3288-248-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/4208-295-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/4488-127-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4488-128-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4488-233-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/4488-232-0x00000000075A0000-0x00000000075D2000-memory.dmp

Filesize
200KB

Download
memory/4488-244-0x0000000007580000-0x000000000759E000-memory.dmp

Filesize
120KB

Download
memory/4488-356-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/4488-129-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/4488-256-0x00000000077F0000-0x0000000007893000-memory.dmp

Filesize
652KB

Download
memory/4488-123-0x0000000003040000-0x0000000003076000-memory.dmp

Filesize
216KB

Download
memory/4812-306-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/4812-354-0x0000000007550000-0x0000000007564000-memory.dmp

Filesize
80KB

Download
memory/4812-353-0x0000000007540000-0x000000000754E000-memory.dmp

Filesize
56KB

Download
memory/5496-230-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/5496-231-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/5496-345-0x0000000007570000-0x0000000007BEA000-memory.dmp

Filesize
6.5MB

Download
memory/5496-243-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/5976-349-0x0000000007C00000-0x0000000007C11000-memory.dmp

Filesize
68KB

Download
memory/5976-245-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/5976-348-0x0000000007C80000-0x0000000007D16000-memory.dmp

Filesize
600KB

Download
memory/6084-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/6084-17-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/6084-11-0x0000000008D80000-0x0000000008FFA000-memory.dmp

Filesize
2.5MB

Download
memory/6084-10-0x0000000005D30000-0x0000000005D3A000-memory.dmp

Filesize
40KB

Download
memory/6084-12-0x000000000A1F0000-0x000000000A464000-memory.dmp

Filesize
2.5MB

Download
memory/6084-9-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/6084-8-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/6084-7-0x0000000005D00000-0x0000000005D16000-memory.dmp

Filesize
88KB

Download
memory/6084-6-0x0000000005D60000-0x0000000005DFC000-memory.dmp

Filesize
624KB

Download
memory/6084-5-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/6084-4-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/6084-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/6084-2-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/6084-1-0x0000000000D20000-0x0000000001030000-memory.dmp

Filesize
3.1MB

Download