dcrat | 725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Size

2.2MB
MD5

6635e1b3e034061323a0c58b7e603300
SHA1

590d818073040f7536b56d23697c216e01d625f8
SHA256

725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7
SHA512

f388421b20d2e5d56b4e0809ce82485d1e717c10c07e821a10cb7724dd3ebdb780bf67b89de336bd5fd973d94956b4e571a95ecb2e623200e6e39d09981c3a72
SSDEEP

49152:IBJEtknqMuqTELtvmUfSz4mTkqUBrWsSMTm:yutkSqQpvmUK4mg1ys8

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\cmd.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\cmd.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\Idle.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\cmd.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\""	conhost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3776	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3776	schtasks.exe	96

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3940	powershell.exe
1004	powershell.exe
3868	powershell.exe
1688	powershell.exe
4336	powershell.exe
1548	powershell.exe
3996	powershell.exe
1092	powershell.exe
4696	powershell.exe
1556	powershell.exe
1488	powershell.exe
800	powershell.exe
368	powershell.exe
2236	powershell.exe
4480	powershell.exe
1772	powershell.exe
1788	powershell.exe
3452	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

pid	Process
4896	conhost.exe
5896	sysmon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Microsoft.NET\\authman\\cmd.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Multimedia Platform\\Idle.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Multimedia Platform\\Idle.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Microsoft.NET\\authman\\cmd.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe\""	conhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6D47E6968EE04D55A72223D37D662A61.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\Idle.exe	conhost.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\Idle.exe	conhost.exe
File created	C:\Program Files\Windows Multimedia Platform\6ccacd8608530f	conhost.exe
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	conhost.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	conhost.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	conhost.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	conhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\authman\cmd.exe	conhost.exe
File created	C:\Windows\Microsoft.NET\authman\ebf1f9fa8afd6d	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1488	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3320	schtasks.exe
4084	schtasks.exe
1992	schtasks.exe
3532	schtasks.exe
4468	schtasks.exe
4388	schtasks.exe
3488	schtasks.exe
4156	schtasks.exe
2600	schtasks.exe
4460	schtasks.exe
4684	schtasks.exe
3512	schtasks.exe
3664	schtasks.exe
4428	schtasks.exe
1052	schtasks.exe
2876	schtasks.exe
1732	schtasks.exe
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3940	powershell.exe
3940	powershell.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe
4896	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4896	conhost.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	5896	sysmon.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1532	3984	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	87
PID 3984 wrote to memory of 1532	3984	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	87
PID 3984 wrote to memory of 1532	3984	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	87
PID 1532 wrote to memory of 4472	1532	WScript.exe	88
PID 1532 wrote to memory of 4472	1532	WScript.exe	88
PID 1532 wrote to memory of 4472	1532	WScript.exe	88
PID 4472 wrote to memory of 1488	4472	cmd.exe	90
PID 4472 wrote to memory of 1488	4472	cmd.exe	90
PID 4472 wrote to memory of 1488	4472	cmd.exe	90
PID 4472 wrote to memory of 3940	4472	cmd.exe	91
PID 4472 wrote to memory of 3940	4472	cmd.exe	91
PID 4472 wrote to memory of 3940	4472	cmd.exe	91
PID 4472 wrote to memory of 4896	4472	cmd.exe	97
PID 4472 wrote to memory of 4896	4472	cmd.exe	97
PID 4896 wrote to memory of 3752	4896	conhost.exe	101
PID 4896 wrote to memory of 3752	4896	conhost.exe	101
PID 3752 wrote to memory of 4880	3752	csc.exe	103
PID 3752 wrote to memory of 4880	3752	csc.exe	103
PID 4896 wrote to memory of 3868	4896	conhost.exe	119
PID 4896 wrote to memory of 3868	4896	conhost.exe	119
PID 4896 wrote to memory of 1004	4896	conhost.exe	120
PID 4896 wrote to memory of 1004	4896	conhost.exe	120
PID 4896 wrote to memory of 1556	4896	conhost.exe	121
PID 4896 wrote to memory of 1556	4896	conhost.exe	121
PID 4896 wrote to memory of 4696	4896	conhost.exe	122
PID 4896 wrote to memory of 4696	4896	conhost.exe	122
PID 4896 wrote to memory of 1488	4896	conhost.exe	123
PID 4896 wrote to memory of 1488	4896	conhost.exe	123
PID 4896 wrote to memory of 4336	4896	conhost.exe	124
PID 4896 wrote to memory of 4336	4896	conhost.exe	124
PID 4896 wrote to memory of 4480	4896	conhost.exe	125
PID 4896 wrote to memory of 4480	4896	conhost.exe	125
PID 4896 wrote to memory of 1772	4896	conhost.exe	126
PID 4896 wrote to memory of 1772	4896	conhost.exe	126
PID 4896 wrote to memory of 1788	4896	conhost.exe	127
PID 4896 wrote to memory of 1788	4896	conhost.exe	127
PID 4896 wrote to memory of 1548	4896	conhost.exe	128
PID 4896 wrote to memory of 1548	4896	conhost.exe	128
PID 4896 wrote to memory of 800	4896	conhost.exe	129
PID 4896 wrote to memory of 800	4896	conhost.exe	129
PID 4896 wrote to memory of 368	4896	conhost.exe	130
PID 4896 wrote to memory of 368	4896	conhost.exe	130
PID 4896 wrote to memory of 3996	4896	conhost.exe	131
PID 4896 wrote to memory of 3996	4896	conhost.exe	131
PID 4896 wrote to memory of 1688	4896	conhost.exe	132
PID 4896 wrote to memory of 1688	4896	conhost.exe	132
PID 4896 wrote to memory of 1092	4896	conhost.exe	133
PID 4896 wrote to memory of 1092	4896	conhost.exe	133
PID 4896 wrote to memory of 2236	4896	conhost.exe	134
PID 4896 wrote to memory of 2236	4896	conhost.exe	134
PID 4896 wrote to memory of 3452	4896	conhost.exe	135
PID 4896 wrote to memory of 3452	4896	conhost.exe	135
PID 4896 wrote to memory of 4752	4896	conhost.exe	153
PID 4896 wrote to memory of 4752	4896	conhost.exe	153
PID 4752 wrote to memory of 6012	4752	cmd.exe	156
PID 4752 wrote to memory of 6012	4752	cmd.exe	156
PID 4752 wrote to memory of 5588	4752	cmd.exe	157
PID 4752 wrote to memory of 5588	4752	cmd.exe	157
PID 4752 wrote to memory of 5896	4752	cmd.exe	160
PID 4752 wrote to memory of 5896	4752	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
"C:\Users\Admin\AppData\Local\Temp\725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\j85J.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\discord\HRJedrpRSEvRWkc5AsZysCURAW4ZqH13C4viou2orJURm0r.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Users\Admin\AppData\Roaming\discord\conhost.exe
      "C:\Users\Admin\AppData\Roaming\discord/conhost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5ex0ntu\l5ex0ntu.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC94B.tmp" "c:\Windows\System32\CSC6D47E6968EE04D55A72223D37D662A61.TMP"
        6⤵
        
        PID:4880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n432U4XpIH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:6012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5588
      - C:\Users\Default\Saved Games\sysmon.exe
        
        "C:\Users\Default\Saved Games\sysmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\authman\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\authman\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9bb0e0549a0c44c928fef3feb199ce5a

SHA1
493fc7cfe4fa612320ca72c38cef8045667de321

SHA256
d9513db068305e43ff2ec8195c91405c6d4ee4224c3d9cc3e09013b090a69eb6

SHA512
dfeca5b2e350e8684b55287d7599e83d82c8c4b3cda5f1681c80eb2e00ea1d4793fd90863d86f139890a16baa6760aa905143c7625d21bb097a4a5b7906eeea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC94B.tmp

Filesize
1KB

MD5
1957fcf0439509204fccd0b682eb1652

SHA1
213fd49f1158a2c520b116b6b8487a2ea9e1fbee

SHA256
252f3b006097af1c98ccf75f6374cace852be6290bc258fb9f62e5f1bdb055b6

SHA512
3489f3da2f4c4cd46a100447a55f24045ee2dc7147ead15187e92cdbbf8ec10db48e5f36316a20be4363fdf201f7284de7c35803c68cb685deb3f13970dd0711

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqbzmxaa.cfj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n432U4XpIH.bat

Filesize
215B

MD5
94183c4c55ca3de525e0887512bc67d9

SHA1
29bee317b6f2120f1ce730f2b07b4a5e8b5ce8ce

SHA256
0fbb4805aaa987cb74f684315df55f2da15e59d7d368f40bc840b6520a404884

SHA512
6a49e052e053bfba32e07b2564c9cf4cd7938efd9b42be2e04e8e28cfd8aabb0637fa9bb306855bda6553409be6df291486e9301d3f4cdc080ea95aba6967dd7

Download Submit
C:\Users\Admin\AppData\Roaming\discord\HRJedrpRSEvRWkc5AsZysCURAW4ZqH13C4viou2orJURm0r.bat

Filesize
259B

MD5
485cb25e2ba006537bbbabd12800c1dc

SHA1
37775c65f57debb54cf055d2349046db190180fb

SHA256
e856d0bed3738da3f2d0d714c720c78b2c1335ebe4068331d981cf5793be345b

SHA512
95c3dc8479602fc751cdd6b241fe72c8ff80aaffefdc4db9f8e9746417066ec8555f84c8c7a641138e1ac92d5efb38b805b1c162a0131bf3e9b3ba003ffadd1e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\conhost.exe

Filesize
1.9MB

MD5
7def38e7a209ee1f8c043ea89b9ed23a

SHA1
bcc3005f85b1ad183d685cdd20c8e8c2cb5a3ed2

SHA256
aff6e2141539e7750e16f430c9189488c813d55073a48f25247a4857948d790d

SHA512
def4497f19ad79f1882eb764f79742192a7c05c5c9810174ef1102e201a07c83b1244087772859ea433a3d395080cbbec41d4707639b6ef8917218530e0a0885

Download Submit
C:\Users\Admin\AppData\Roaming\discord\j85J.vbe

Filesize
239B

MD5
809c9c712c88de9c72315c13cfa368e9

SHA1
3afa04cc60a11e57930f03e8e0886f8fc5d972d1

SHA256
a28933d0149dada56b9520a2fb2db53dd11911de866a773d74b1139637dc68ab

SHA512
67d1743f0cf58ecef1d54c708a0bd956f07a4f7f8c0d428d394984d3b01c93140e0941c3809df11e189fd69f900daf1dd3f8cf83f374742b1747ebf4dcec6fec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5ex0ntu\l5ex0ntu.0.cs

Filesize
371B

MD5
146b6c156f7ab724d6f5a373c3867d0f

SHA1
ddd5254c75bea3c792d3e00aae5898495813e78d

SHA256
170fff09a2424b3fbc0e4d6598e156ff7dd245608850face004a0b8355a7ab9a

SHA512
782de931d3e82c2dbdf601c70344d4694f66e553da4d3e95fd07a39aeb6cab903da18dd8f9c20906769a4929939cfb96ee06c521a76fc0d5cc3918d6ac76481e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5ex0ntu\l5ex0ntu.cmdline

Filesize
235B

MD5
95228230c29768f9c16dc81e7fc732c7

SHA1
55a4ebddb758a283e381070bdc5ea947c7baa63a

SHA256
0aa2e9ef41a109066fec42d3cdde09bd43a685cd37f91e940b7372325487f0cb

SHA512
209b147780aa06850bb00995e3bdb1860fe374a16a1bff36ef02b533ad1ff1a3504aaa0fa2e8a6f303503299d4f96bf6ca41077b4a5e8e4d9ed271409289952b

Download Submit
\??\c:\Windows\System32\CSC6D47E6968EE04D55A72223D37D662A61.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/1772-103-0x000002A3FEF50000-0x000002A3FEF72000-memory.dmp

Filesize
136KB

Download
memory/3940-44-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/3940-23-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/3940-39-0x0000000007480000-0x0000000007AFA000-memory.dmp

Filesize
6.5MB

Download
memory/3940-40-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/3940-41-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/3940-42-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/3940-43-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/3940-37-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/3940-45-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/3940-46-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/3940-47-0x0000000007150000-0x0000000007158000-memory.dmp

Filesize
32KB

Download
memory/3940-27-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/3940-9-0x0000000002200000-0x0000000002236000-memory.dmp

Filesize
216KB

Download
memory/3940-10-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/3940-11-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/3940-12-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/3940-13-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/3940-38-0x0000000006B00000-0x0000000006BA3000-memory.dmp

Filesize
652KB

Download
memory/3940-24-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/3940-26-0x0000000006AC0000-0x0000000006AF2000-memory.dmp

Filesize
200KB

Download
memory/3940-25-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/4896-64-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/4896-62-0x0000000002F60000-0x0000000002F6E000-memory.dmp

Filesize
56KB

Download
memory/4896-93-0x000000001C9B0000-0x000000001CA7D000-memory.dmp

Filesize
820KB

Download
memory/4896-60-0x00000000030C0000-0x00000000030D8000-memory.dmp

Filesize
96KB

Download
memory/4896-58-0x000000001B950000-0x000000001B9A0000-memory.dmp

Filesize
320KB

Download
memory/4896-57-0x00000000030A0000-0x00000000030BC000-memory.dmp

Filesize
112KB

Download
memory/4896-55-0x0000000002F50000-0x0000000002F5E000-memory.dmp

Filesize
56KB

Download
memory/4896-53-0x0000000000B70000-0x0000000000D54000-memory.dmp

Filesize
1.9MB

Download
memory/5896-293-0x000000001BC30000-0x000000001BCFD000-memory.dmp

Filesize
820KB

Download