dcrat | 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Size

1.6MB
MD5

477db3de46b7779b63495a8bdb279f2c
SHA1

77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA512

4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
SSDEEP

24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Services\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Services\\Idle.exe\", \"C:\\Windows\\Tasks\\TextInputHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Services\\Idle.exe\", \"C:\\Windows\\Tasks\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Services\\Idle.exe\", \"C:\\Windows\\Tasks\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1196	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1196	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3836	powershell.exe
448	powershell.exe
4248	powershell.exe
2732	powershell.exe
2744	powershell.exe
1848	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Executes dropped EXE 1 IoCs

pid	Process
1556	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Services\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Services\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SystemResources\\Windows.SystemToast.Calling\\Images\\winlogon.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows NT\\dllhost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Tasks\\TextInputHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Tasks\\TextInputHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFB3C7EAE3EF4B32852ABE71D3757598.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\Idle.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files\Common Files\Services\6ccacd8608530f	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files (x86)\Windows NT\dllhost.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\cc11b995f2a76d	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\Tasks\TextInputHost.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\Tasks\22eafd247d37c3	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3024	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3024	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
368	schtasks.exe
4656	schtasks.exe
1964	schtasks.exe
1816	schtasks.exe
224	schtasks.exe
1324	schtasks.exe
3968	schtasks.exe
2552	schtasks.exe
3492	schtasks.exe
3432	schtasks.exe
1724	schtasks.exe
2760	schtasks.exe
1860	schtasks.exe
4980	schtasks.exe
2336	schtasks.exe
4484	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
3836	powershell.exe
2744	powershell.exe
2732	powershell.exe
4248	powershell.exe
4248	powershell.exe
448	powershell.exe
448	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1556	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1556	dllhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 3980	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	92
PID 4196 wrote to memory of 3980	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	92
PID 3980 wrote to memory of 5004	3980	csc.exe	94
PID 3980 wrote to memory of 5004	3980	csc.exe	94
PID 4196 wrote to memory of 1848	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	110
PID 4196 wrote to memory of 1848	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	110
PID 4196 wrote to memory of 2744	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	111
PID 4196 wrote to memory of 2744	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	111
PID 4196 wrote to memory of 3836	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	112
PID 4196 wrote to memory of 3836	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	112
PID 4196 wrote to memory of 2732	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	113
PID 4196 wrote to memory of 2732	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	113
PID 4196 wrote to memory of 4248	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	114
PID 4196 wrote to memory of 4248	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	114
PID 4196 wrote to memory of 448	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	115
PID 4196 wrote to memory of 448	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	115
PID 4196 wrote to memory of 2140	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	122
PID 4196 wrote to memory of 2140	4196	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	122
PID 2140 wrote to memory of 5108	2140	cmd.exe	124
PID 2140 wrote to memory of 5108	2140	cmd.exe	124
PID 2140 wrote to memory of 3024	2140	cmd.exe	125
PID 2140 wrote to memory of 3024	2140	cmd.exe	125
PID 2140 wrote to memory of 1556	2140	cmd.exe	132
PID 2140 wrote to memory of 1556	2140	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
"C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\siz220s0\siz220s0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7F3.tmp" "c:\Windows\System32\CSCFB3C7EAE3EF4B32852ABE71D3757598.TMP"
    3⤵
    PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\INVnlFnyXp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5108
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3024
- - C:\Program Files (x86)\Windows NT\dllhost.exe
    "C:\Program Files (x86)\Windows NT\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e563668" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e563668" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d6d8fcd02f8f29b7487a8f96e4d4119

SHA1
3f2f674997ace9fff0eb09c2fd0ca1763451cccc

SHA256
1d45ec846d0342f53c333a90d9cfb8cd7444bf9ed77eb7a3669ba491a4882dc9

SHA512
09d52edc3ecc4dc879e147f6c02f3446dd04c5aa0ceca8eb5d8e481a35152b13dffec25dae0f036137535b418ec2e3ab284996dd05426011a8e2e6c5a2a655ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\INVnlFnyXp.bat

Filesize
173B

MD5
4a6472f6f4f393d9c9c055a11be5cfa9

SHA1
482fb4c9e9b8c6bad54274ef8bca77afd7560685

SHA256
f954eab37cfbf59c6ff56a301ed119c6a71b34429fccc561339ae966431202fd

SHA512
e57400381e2d8361aeee1d0267b49cf716d533e1a3c4d78dd9e076c1f6e1a842ca4490891a8d14bd5f834af4297c44b7dc0ec7c9d6a9a54e4c726eaefa100ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7F3.tmp

Filesize
1KB

MD5
8221c27c6d606cbc9bcc9b3af26d50c2

SHA1
afe56fa139f1b3ee8d7edbbba80d6dd5beb127f0

SHA256
0bed8d0df7b44bdac9c38ac1891194732f51f1109652558465d120331a7b7aaf

SHA512
7b31e5d3a913170adf368986f980bafe58b8ccd5fe19e2e416543b3835b702c67fbe45b367acec6dab369fc41d9d54148b6d6125d08de8ee9b221abdaa318c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yppzclgv.g4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\winlogon.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\siz220s0\siz220s0.0.cs

Filesize
406B

MD5
96e5540dc77460565742b8983f29d53c

SHA1
75dee3d3919f9b0ec5fe6242414a609c47643b2f

SHA256
bb119d21d437f13d8a152935ec08c5d349cab2d63c5e87e03eef108fb3e3ace8

SHA512
5b810a33fc526ce41338aedd91a9a9611a9734ed635ebedc08f756b91fa9df627efa15272b4832523f3dd07ebb3261491e4a45c94993e57ad097ac7049cc4274

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\siz220s0\siz220s0.cmdline

Filesize
235B

MD5
31e752c9e5daa44507397798d63b539a

SHA1
3e10b522b48d53984f5b470237cba5191d023507

SHA256
a0c51d05d162fb11d77744d4dc21dce2159df8ac25e50671a4aa8ad6b1befa03

SHA512
7a86b2525d383d7cb350affcffebbdc5e75839b76f5889c9aa6cec031332e5011fb05766c851d4cc1a5e3f8411bbf590f2fbd739a553d7ce0c02c8c406028ef1

Download Submit
\??\c:\Windows\System32\CSCFB3C7EAE3EF4B32852ABE71D3757598.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/1556-119-0x0000000002C30000-0x0000000002C9B000-memory.dmp

Filesize
428KB

Download
memory/3836-42-0x00000184DA4E0000-0x00000184DA502000-memory.dmp

Filesize
136KB

Download
memory/4196-11-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-72-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-24-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-23-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-12-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-9-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/4196-62-0x000000001B600000-0x000000001B66B000-memory.dmp

Filesize
428KB

Download
memory/4196-25-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4196-7-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-6-0x0000000002440000-0x000000000244E000-memory.dmp

Filesize
56KB

Download
memory/4196-4-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-3-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4196-1-0x00000000001C0000-0x000000000036A000-memory.dmp

Filesize
1.7MB

Download