dcrat | 34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AimWare.exe
Size

3.9MB
MD5

3fc02228a6229bc91c086bc24899361b
SHA1

3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
SHA256

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
SHA512

1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
SSDEEP

98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	664	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	664	schtasks.exe	92

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023416-15.dat	dcrat
behavioral2/memory/2712-17-0x0000000000690000-0x0000000000A3C000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	AimWare.exe

Executes dropped EXE 4 IoCs

pid	Process
2712	Comref.exe
5032	Comref.exe
932	Comref.exe
3136	Comref.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\wininit.exe	Comref.exe
File created	C:\Program Files\7-Zip\56085415360792	Comref.exe
File created	C:\Program Files\Java\RuntimeBroker.exe	Comref.exe
File created	C:\Program Files\Java\9e8d7a4ca61bd9	Comref.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\Comref.exe	Comref.exe
File created	C:\Windows\SoftwareDistribution\Download\e13942d087a07a	Comref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	AimWare.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	Comref.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	Comref.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	Comref.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3136	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4788	schtasks.exe
1168	schtasks.exe
968	schtasks.exe
3652	schtasks.exe
1128	schtasks.exe
2644	schtasks.exe
2196	schtasks.exe
4420	schtasks.exe
2636	schtasks.exe
4320	schtasks.exe
4508	schtasks.exe
4100	schtasks.exe
3912	schtasks.exe
2212	schtasks.exe
2128	schtasks.exe
1608	schtasks.exe
1204	schtasks.exe
4248	schtasks.exe
4304	schtasks.exe
3692	schtasks.exe
2432	schtasks.exe
1628	schtasks.exe
4704	schtasks.exe
3244	schtasks.exe
2156	schtasks.exe
544	schtasks.exe
4124	schtasks.exe
4860	schtasks.exe
3464	schtasks.exe
4956	schtasks.exe
1684	schtasks.exe
4396	schtasks.exe
1484	schtasks.exe
3956	schtasks.exe
4460	schtasks.exe
2848	schtasks.exe
2964	schtasks.exe
4284	schtasks.exe
4172	schtasks.exe
4456	schtasks.exe
2344	schtasks.exe
2968	schtasks.exe
4864	schtasks.exe
4000	schtasks.exe
1416	schtasks.exe
2300	schtasks.exe
2784	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2712	Comref.exe
2712	Comref.exe
2712	Comref.exe
2712	Comref.exe
2712	Comref.exe
2712	Comref.exe
2712	Comref.exe
5032	Comref.exe
932	Comref.exe
3136	Comref.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	Comref.exe
Token: SeDebugPrivilege	5032	Comref.exe
Token: SeDebugPrivilege	932	Comref.exe
Token: SeDebugPrivilege	3136	Comref.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 932	3220	AimWare.exe	86
PID 3220 wrote to memory of 932	3220	AimWare.exe	86
PID 3220 wrote to memory of 932	3220	AimWare.exe	86
PID 3220 wrote to memory of 4040	3220	AimWare.exe	87
PID 3220 wrote to memory of 4040	3220	AimWare.exe	87
PID 3220 wrote to memory of 4040	3220	AimWare.exe	87
PID 932 wrote to memory of 3292	932	WScript.exe	88
PID 932 wrote to memory of 3292	932	WScript.exe	88
PID 932 wrote to memory of 3292	932	WScript.exe	88
PID 3292 wrote to memory of 2712	3292	cmd.exe	91
PID 3292 wrote to memory of 2712	3292	cmd.exe	91
PID 2712 wrote to memory of 5032	2712	Comref.exe	141
PID 2712 wrote to memory of 5032	2712	Comref.exe	141
PID 3292 wrote to memory of 3136	3292	cmd.exe	142
PID 3292 wrote to memory of 3136	3292	cmd.exe	142
PID 3292 wrote to memory of 3136	3292	cmd.exe	142
PID 5032 wrote to memory of 4100	5032	Comref.exe	144
PID 5032 wrote to memory of 4100	5032	Comref.exe	144
PID 5032 wrote to memory of 436	5032	Comref.exe	145
PID 5032 wrote to memory of 436	5032	Comref.exe	145
PID 4100 wrote to memory of 932	4100	WScript.exe	155
PID 4100 wrote to memory of 932	4100	WScript.exe	155
PID 932 wrote to memory of 1924	932	Comref.exe	156
PID 932 wrote to memory of 1924	932	Comref.exe	156
PID 932 wrote to memory of 224	932	Comref.exe	157
PID 932 wrote to memory of 224	932	Comref.exe	157
PID 1924 wrote to memory of 3136	1924	WScript.exe	166
PID 1924 wrote to memory of 3136	1924	WScript.exe	166
PID 3136 wrote to memory of 2032	3136	Comref.exe	167
PID 3136 wrote to memory of 2032	3136	Comref.exe	167
PID 3136 wrote to memory of 968	3136	Comref.exe	168
PID 3136 wrote to memory of 968	3136	Comref.exe	168

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AimWare.exe
"C:\Users\Admin\AppData\Local\Temp\AimWare.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\BlockPortWinDhcp\Comref.exe
      "C:\BlockPortWinDhcp\Comref.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2712
    - - C:\Users\Default\Downloads\Comref.exe
        
        "C:\Users\Default\Downloads\Comref.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52844a1d-f450-4f62-977a-3709ff77b761.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Users\Default\Downloads\Comref.exe
        
        C:\Users\Default\Downloads\Comref.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057bfe6f-c820-4e98-9ec2-06b6e1e82407.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Default\Downloads\Comref.exe
        
        C:\Users\Default\Downloads\Comref.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b92b88a1-36a1-44b8-a7e3-28cb9548ff0b.vbs"
        10⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07029850-43cb-45a5-bdc0-07036906ef5e.vbs"
        10⤵
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c8db7f7-afa5-44bd-b37f-ad2e7c6aeeff.vbs"
        8⤵
        
        PID:224
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04354a97-b857-475d-afa3-365a24b13d71.vbs"
        6⤵
        
        PID:436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\BlockPortWinDhcp\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\BlockPortWinDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Users\Default User\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\BlockPortWinDhcp\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\BlockPortWinDhcp\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockPortWinDhcp\Comref.exe

Filesize
3.6MB

MD5
020fcee4acad7e7412ad0f27501ae749

SHA1
4282618cca56b75eb3921653c5daa2137eaa5ffa

SHA256
40ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669

SHA512
e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f

Download Submit
C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat

Filesize
144B

MD5
ce3dd3c96548149537e6d3a679917a26

SHA1
0faba6346d98fe426902f01be3337bdb700bb4fa

SHA256
3d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c

SHA512
7326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d

Download Submit
C:\BlockPortWinDhcp\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockPortWinDhcp\pIqe6hsiC.vbe

Filesize
209B

MD5
fe9707d9d0f3a70f1672c83f8ab78cab

SHA1
4d25ca2d7b215e7757eec53b2c55060756cf3fc0

SHA256
e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99

SHA512
fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comref.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Temp\04354a97-b857-475d-afa3-365a24b13d71.vbs

Filesize
489B

MD5
d02f6c76842b8a2d2360fdeaac212bde

SHA1
727c5fe6423f39cd63070acc0c9d58bea10fbc5e

SHA256
30c86d9045cc59f01570d1e4aa3f8d0fea84a0aa7113a3d59bed380bb2152525

SHA512
4ef7063f21f8e80c1a90a660886630ac3eb66f5e07db20227c98639edad19892343b9dfd62170d1203e7d80cdec9df7244f413b9a001f600a7f7a8cf0394883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\057bfe6f-c820-4e98-9ec2-06b6e1e82407.vbs

Filesize
712B

MD5
588e223eea0270534725b3a8d626ac73

SHA1
be23bd5b9fb4c28a5d35163a500c1c7c0cd82eec

SHA256
c9456777617642f89197394e32d9d00021c3607ab4858507ab0cc337565f9b50

SHA512
6e5c776e202d113895c96a5afa8a95bc57a4dfd1923a715b6dd63b86e5a13c9935ad26606c4d19b5c01cf66c3833667619b4a2923e3c371ef95454520200a287

Download Submit
C:\Users\Admin\AppData\Local\Temp\52844a1d-f450-4f62-977a-3709ff77b761.vbs

Filesize
713B

MD5
5fff7859c7b0edd2500e85df67c60075

SHA1
596fc2de334107a406493eb718598becc11b4dfc

SHA256
804ca01db48bfba42edd5f0bbb24c188bcfbed27f0d5bbe4edb0427371e71584

SHA512
b4a6310cb4fd13a9b627a6efc4fb47c2d2fee6d10a7ab76dca2a7357ed2950706b49ff10ca6613984da9fb49f7f6ec4a0330fcfaeb80b32afe777d9e63eba63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b92b88a1-36a1-44b8-a7e3-28cb9548ff0b.vbs

Filesize
713B

MD5
81c56bea3aa395eda413cc52410dcc83

SHA1
718d504f3f8fc6ddffda433d0404d61ad7e83b5e

SHA256
6320b016e3642d659c5c77ca841fa1200258dc1d0424d149c8b2b2a71fd77807

SHA512
55e1a2745c6496b8fd2ea5f0eb917b6012b248f604e79247a156d7af65746f1e7b697a315ad5b394ee99641c7ba3469afa3ca68c29ab100d7e52548874f9fa32

Download Submit
memory/932-93-0x0000000003320000-0x0000000003332000-memory.dmp

Filesize
72KB

Download
memory/2712-32-0x000000001C0D0000-0x000000001C0DA000-memory.dmp

Filesize
40KB

Download
memory/2712-35-0x000000001BFF0000-0x000000001BFFE000-memory.dmp

Filesize
56KB

Download
memory/2712-25-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/2712-26-0x000000001BF20000-0x000000001BF32000-memory.dmp

Filesize
72KB

Download
memory/2712-31-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/2712-33-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

Filesize
56KB

Download
memory/2712-23-0x000000001B660000-0x000000001B66A000-memory.dmp

Filesize
40KB

Download
memory/2712-30-0x000000001BF70000-0x000000001BFC6000-memory.dmp

Filesize
344KB

Download
memory/2712-29-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/2712-28-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/2712-27-0x000000001C480000-0x000000001C9A8000-memory.dmp

Filesize
5.2MB

Download
memory/2712-24-0x000000001BCD0000-0x000000001BD26000-memory.dmp

Filesize
344KB

Download
memory/2712-34-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

Filesize
32KB

Download
memory/2712-38-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/2712-37-0x000000001C020000-0x000000001C02A000-memory.dmp

Filesize
40KB

Download
memory/2712-36-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/2712-22-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/2712-20-0x000000001BD20000-0x000000001BD70000-memory.dmp

Filesize
320KB

Download
memory/2712-21-0x0000000002C50000-0x0000000002C58000-memory.dmp

Filesize
32KB

Download
memory/2712-19-0x0000000002BC0000-0x0000000002BDC000-memory.dmp

Filesize
112KB

Download
memory/2712-18-0x0000000002BB0000-0x0000000002BBE000-memory.dmp

Filesize
56KB

Download
memory/2712-17-0x0000000000690000-0x0000000000A3C000-memory.dmp

Filesize
3.7MB

Download