dcrat | 098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc

Analysis

max time kernel
129s
max time network
154s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyAnti-CheatAnalyzer.exe
Size

2.6MB
MD5

6f4697ceaa48de87c8463be064a41834
SHA1

129b599295e013389255c16126ae64afd42c9cb4
SHA256

098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
SHA512

b9ff325866976ab0270224f3b512c45b8c5442fb58eff0b883fdf54babfa4845f95eb01d7c6f73d73e08fd59fd0c21d039bd75c318bb30e843c2bef861267c40
SSDEEP

49152:lQQovM4NUTzrWlUMtHE772hZD9gtGIOSzAYpk8xKFxNWMjZuW:lgM4NOYt0iK8IOScYpP8WcD

Score

10^/10

dcrat xworm discovery evasion execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

article-coal.gl.at.ply.gg:27263

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp	family_xworm
behavioral1/memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe	family_xworm
behavioral1/memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp	family_xworm
behavioral1/memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	dcrat
\SurrogatewinDrivernetsvc\portproviderperf.exe	dcrat
behavioral1/memory/1300-55-0x0000000000020000-0x00000000002D6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2244	powershell.exe
1984	powershell.exe
544	powershell.exe
1100	powershell.exe
616	powershell.exe
756	powershell.exe
2852	powershell.exe
2384	powershell.exe

Disables Task Manager via registry modification
evasion

Drops startup file 4 IoCs

Processes:

Windows Driver Foundation.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Windows Driver Foundation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Windows Driver Foundation.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

Runtime Broker.exeWindows Driver Foundation.exesvchost.exeportproviderperf.exesvchost.exesvchost.exe

pid process

2916 Runtime Broker.exe
2808 Windows Driver Foundation.exe
2576 svchost.exe
1300 portproviderperf.exe
1616 svchost.exe
2488 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1412 cmd.exe
1412 cmd.exe

pid	process
2916	Runtime Broker.exe
2808	Windows Driver Foundation.exe
2576	svchost.exe
1300	portproviderperf.exe
1616	svchost.exe
2488	svchost.exe

pid	process
1412	cmd.exe
1412	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	ip-api.com
3	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Runtime Broker.exeWScript.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1168	PING.EXE
532	PING.EXE
2772	PING.EXE
3024	PING.EXE
2780	PING.EXE
896	PING.EXE
2836	PING.EXE
1964	PING.EXE
2980	PING.EXE
1284	PING.EXE
2232	PING.EXE
1536	PING.EXE
2004	PING.EXE
2592	PING.EXE
1008	PING.EXE
580	PING.EXE
3028	PING.EXE
1008	PING.EXE
2068	PING.EXE
2648	PING.EXE
1744	PING.EXE
2560	PING.EXE
692	PING.EXE
2960	PING.EXE
1668	PING.EXE
2376	PING.EXE
1212	PING.EXE
1512	PING.EXE
1092	PING.EXE
1712	PING.EXE
2264	PING.EXE
2332	PING.EXE
1992	PING.EXE
888	PING.EXE
2992	PING.EXE
2400	PING.EXE
1168	PING.EXE
1000	PING.EXE
2756	PING.EXE
1612	PING.EXE
1816	PING.EXE
304	PING.EXE
2516	PING.EXE
2244	PING.EXE
2548	PING.EXE
480	PING.EXE
2704	PING.EXE
1092	PING.EXE
2192	PING.EXE
1504	PING.EXE
2292	PING.EXE
2404	PING.EXE
1804	PING.EXE
3004	PING.EXE
2044	PING.EXE
2148	PING.EXE
2272	PING.EXE
2644	PING.EXE
2560	PING.EXE
596	PING.EXE
2356	PING.EXE
1980	PING.EXE
2372	PING.EXE
2080	PING.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2560 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1608 reg.exe

pid	process
2560	timeout.exe

pid	process
1608	reg.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

pid	process
3024	PING.EXE
2332	PING.EXE
2076	PING.EXE
2344	PING.EXE
2372	PING.EXE
2356	PING.EXE
2272	PING.EXE
1804	PING.EXE
2704	PING.EXE
1992	PING.EXE
2548	PING.EXE
1996	PING.EXE
2368	PING.EXE
1940	PING.EXE
888	PING.EXE
1964	PING.EXE
2080	PING.EXE
1588	PING.EXE
1092	PING.EXE
1352	PING.EXE
2780	PING.EXE
2360	PING.EXE
1388	PING.EXE
596	PING.EXE
2756	PING.EXE
2960	PING.EXE
1612	PING.EXE
2824	PING.EXE
692	PING.EXE
2560	PING.EXE
1980	PING.EXE
2992	PING.EXE
636	PING.EXE
2044	PING.EXE
1008	PING.EXE
2772	PING.EXE
1212	PING.EXE
1168	PING.EXE
2548	PING.EXE
2556	PING.EXE
1168	PING.EXE
2676	PING.EXE
2068	PING.EXE
2264	PING.EXE
1504	PING.EXE
2004	PING.EXE
2560	PING.EXE
2488	PING.EXE
2336	PING.EXE
3028	PING.EXE
2168	PING.EXE
2628	PING.EXE
304	PING.EXE
2244	PING.EXE
836	PING.EXE
1732	PING.EXE
2516	PING.EXE
2068	PING.EXE
2376	PING.EXE
2404	PING.EXE
1008	PING.EXE
580	PING.EXE
2980	PING.EXE
1392	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2796 schtasks.exe

pid	process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
2852	powershell.exe
756	powershell.exe
2244	powershell.exe
2384	powershell.exe
1984	powershell.exe
544	powershell.exe
616	powershell.exe
1100	powershell.exe
2576	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Windows Driver Foundation.exesvchost.exepowershell.exepowershell.exeportproviderperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2808	Windows Driver Foundation.exe
Token: SeDebugPrivilege	2576	svchost.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1300	portproviderperf.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2808	Windows Driver Foundation.exe
Token: SeDebugPrivilege	2576	svchost.exe
Token: SeDebugPrivilege	1616	svchost.exe
Token: SeDebugPrivilege	2488	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2576 svchost.exe

pid	process
2576	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EasyAnti-CheatAnalyzer.execmd.exeRuntime Broker.exeWindows Driver Foundation.exesvchost.exeWScript.execmd.exe

description	pid	process	target process
PID 2648 wrote to memory of 2748	2648	EasyAnti-CheatAnalyzer.exe	cmd.exe
PID 2648 wrote to memory of 2748	2648	EasyAnti-CheatAnalyzer.exe	cmd.exe
PID 2648 wrote to memory of 2748	2648	EasyAnti-CheatAnalyzer.exe	cmd.exe
PID 2748 wrote to memory of 2560	2748	cmd.exe	timeout.exe
PID 2748 wrote to memory of 2560	2748	cmd.exe	timeout.exe
PID 2748 wrote to memory of 2560	2748	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2916	2648	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 2648 wrote to memory of 2916	2648	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 2648 wrote to memory of 2916	2648	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 2648 wrote to memory of 2916	2648	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 2648 wrote to memory of 2808	2648	EasyAnti-CheatAnalyzer.exe	Windows Driver Foundation.exe
PID 2648 wrote to memory of 2808	2648	EasyAnti-CheatAnalyzer.exe	Windows Driver Foundation.exe
PID 2648 wrote to memory of 2808	2648	EasyAnti-CheatAnalyzer.exe	Windows Driver Foundation.exe
PID 2648 wrote to memory of 2576	2648	EasyAnti-CheatAnalyzer.exe	svchost.exe
PID 2648 wrote to memory of 2576	2648	EasyAnti-CheatAnalyzer.exe	svchost.exe
PID 2648 wrote to memory of 2576	2648	EasyAnti-CheatAnalyzer.exe	svchost.exe
PID 2916 wrote to memory of 3044	2916	Runtime Broker.exe	WScript.exe
PID 2916 wrote to memory of 3044	2916	Runtime Broker.exe	WScript.exe
PID 2916 wrote to memory of 3044	2916	Runtime Broker.exe	WScript.exe
PID 2916 wrote to memory of 3044	2916	Runtime Broker.exe	WScript.exe
PID 2748 wrote to memory of 1168	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1168	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1168	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1980	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1980	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1980	2748	cmd.exe	PING.EXE
PID 2808 wrote to memory of 756	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 756	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 756	2808	Windows Driver Foundation.exe	powershell.exe
PID 2576 wrote to memory of 2852	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 2852	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 2852	2576	svchost.exe	powershell.exe
PID 3044 wrote to memory of 1412	3044	WScript.exe	cmd.exe
PID 3044 wrote to memory of 1412	3044	WScript.exe	cmd.exe
PID 3044 wrote to memory of 1412	3044	WScript.exe	cmd.exe
PID 3044 wrote to memory of 1412	3044	WScript.exe	cmd.exe
PID 1412 wrote to memory of 1300	1412	cmd.exe	portproviderperf.exe
PID 1412 wrote to memory of 1300	1412	cmd.exe	portproviderperf.exe
PID 1412 wrote to memory of 1300	1412	cmd.exe	portproviderperf.exe
PID 1412 wrote to memory of 1300	1412	cmd.exe	portproviderperf.exe
PID 2748 wrote to memory of 2192	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 2192	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 2192	2748	cmd.exe	PING.EXE
PID 2576 wrote to memory of 2384	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 2384	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 2384	2576	svchost.exe	powershell.exe
PID 2808 wrote to memory of 2244	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 2244	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 2244	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 1984	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 1984	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 1984	2808	Windows Driver Foundation.exe	powershell.exe
PID 2576 wrote to memory of 544	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 544	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 544	2576	svchost.exe	powershell.exe
PID 2808 wrote to memory of 616	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 616	2808	Windows Driver Foundation.exe	powershell.exe
PID 2808 wrote to memory of 616	2808	Windows Driver Foundation.exe	powershell.exe
PID 2576 wrote to memory of 1100	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 1100	2576	svchost.exe	powershell.exe
PID 2576 wrote to memory of 1100	2576	svchost.exe	powershell.exe
PID 2748 wrote to memory of 1008	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1008	2748	cmd.exe	PING.EXE
PID 2748 wrote to memory of 1008	2748	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe
"C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2560

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1168

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1980

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2192

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1008

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1612

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2548

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2556

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2628

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2824

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2560

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1168

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3004

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1816

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:532

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1980

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2780

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2360

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1000

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2400

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:836

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:304

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2356

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2068

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2264

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2592

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2488

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2044

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2032

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2492

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2148

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:896

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1512

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2272

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1500

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1732

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2332

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2368

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1940

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1008

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2756

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2704

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2836

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2648

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2676

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1992

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2236

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2232

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2336

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1388

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1584

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:580

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1964

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1116

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1092

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1504

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2012

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2372

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:692

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1536

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2380

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2960

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1668

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1784

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1284

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2516

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2004

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2376

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3028

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2980

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2076

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2168

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3024

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1712

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1588

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1392

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2080

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2772

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2548

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1996

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2596

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2404

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2628

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1212

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2560

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1744

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2056

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:480

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2344

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:596

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2292

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2644

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1092

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1504

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:888

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2356

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2992

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2068

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1804

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:636

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1352

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat" "
4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412

C:\SurrogatewinDrivernetsvc\portproviderperf.exe
"C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1608

C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {2EA81006-DCA5-4FAB-B38A-D779CC2D27F1} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
PID:1100

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe
Filesize
212B

MD5
bdae1284d1499c147434adaab8e15667

SHA1
b4ac30b9c6f0542067dffccee0794d4ea546b583

SHA256
26d933d81e56ceacb4cced22c680c22f4c12d2b4ce3a489303fc2aec67632f88

SHA512
3b86e7ba47b3b6041fe7e5aa9a7ffc3a0049ade5cbd6b3b58668c70c08513382373ef5c2432628a421076aade3de953af34423a80e6041cb110b248bb6ef31e3

Download Submit
C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat
Filesize
162B

MD5
e01ef91219b266b14d1ae415d30256d5

SHA1
cad006a2efee48fcad1166e7ce3bc118ff139808

SHA256
db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

SHA512
7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat
Filesize
659B

MD5
2d4e81e15ccf4579be60dc575f28ec72

SHA1
0312d732322ad6e0b3ea68462ba1ef4b24a3ddcb

SHA256
082f209b74dbcb68202df3759e716dcf7efe546dd267e472190ffcf0fbcfdaa7

SHA512
93e3861cd244f94baa80dc06448eb70e426d835dc0657ef5ce2501f85fe80b0dece67b87b2fe883cdb0640937e653c57859a9fe730d8386a6ccd2f699386e124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.0MB

MD5
e752ea010d6bb2c6afebe6d1f915feda

SHA1
a5737dfc7b7d6fa6509f3a0e79544b170d9476e2

SHA256
18e279bca944d2ba87ff29c8df967e27621db9e4a6a4914fe635e5b7e4d305d4

SHA512
01a203da6717e1b164c2f7002252bb08df6dcc8ed40e5d1f97cacf1b9371568a6a2b2b1ff4635f263854cd993cbc28d1177fd558565881c065cf595c05e6e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
Filesize
69KB

MD5
99088d7d8b409b4039b02295e64a686f

SHA1
f58dad3090854f8ab5cc3de89d6cdaeb151883d4

SHA256
a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7

SHA512
a485b749f096a63bcc733b848317ceca918ee46516bcf17593c8358303a80aa0fb15c99b444fbeac02f79ac69c165e8a2fbb614265a56d99b5c098bd48d388b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
77KB

MD5
84f35bb606e5d8049b4c7d57d4a9148a

SHA1
385862c81fb695799b7cdd5199a212f8de2e1cb7

SHA256
6e3c920e6115f3b386883ef1d439eec2691923504b42d863bc43de929435f627

SHA512
dee62c8a3b5fadaec1ba91757de1bf78ce9caf4d9e9c5a4226997f15fb3e3387ce5e3bc2ff019a361b3a5b30b9e03246cfbccdf10f586f068d111988445e999d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LD9X4Y9QH02XZJT3HHG9.temp
Filesize
7KB

MD5
2836921189855c0431565563ec9e0fbe

SHA1
6a0384e2e078bb16bdeb1bd10f003feb4e97cf5f

SHA256
5a97cf07409ef96b51d3cdb4799d77128486624935d15727b8e787c6626281fc

SHA512
364eddbb549c1682c5af3fa2a78e3e119d3e7ed87573b878c6ee9950473506d820ce6e5f3168932d8b816243b08e311e660fb954968a164bfd256258a169981c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\SurrogatewinDrivernetsvc\portproviderperf.exe
Filesize
2.7MB

MD5
51cbb36089b836f1cfe94e1ee88e344d

SHA1
66cfd5986f79d85be3d2424ac53d6e0b484f2791

SHA256
9e81ddf406a5afea06ef9d412ee55c58d39a609ea7c5464378a5b5ab96670998

SHA512
39ad09295cc6171646d508cb81503e17dac4bda780f482a09a72b3cf80b2a37ab6e097c298970d3bac41a6b20514481fac1eb53b71d27a9e89769074dfc8d52b

Download Submit
memory/1300-55-0x0000000000020000-0x00000000002D6000-memory.dmp

Filesize
2.7MB

Download
memory/1300-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1984-73-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2244-67-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2384-66-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp

Filesize
104KB

Download
memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2648-29-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

Filesize
4KB

Download
memory/2648-22-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-1-0x000000013FF20000-0x00000001401BA000-memory.dmp

Filesize
2.6MB

Download
memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

Filesize
96KB

Download
memory/2852-50-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2852-49-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download