dcrat | e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9

Analysis

max time kernel
116s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Size

1.8MB
MD5

7129b24ba5b05e8a48304a861d744780
SHA1

556ddf9ca97c6bd773351eb8ec0ab7797a27bb18
SHA256

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9
SHA512

06c038e7241f0a49b4700bb5c7012b123df27bba1eff1723dae5722216edaa3b468d290431db33c75d37517d6a3b229f66149a7ec2e1e10a271e5d2f433a4496
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2252	schtasks.exe

UAC bypass 3 TTPs 15 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2872-1-0x0000000000930000-0x0000000000AFE000-memory.dmp	dcrat
C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe	dcrat
C:\Program Files (x86)\Windows Mail\Idle.exe	dcrat
behavioral1/memory/1284-98-0x0000000001310000-0x00000000014DE000-memory.dmp	dcrat
behavioral1/memory/2000-111-0x0000000000210000-0x00000000003DE000-memory.dmp	dcrat
behavioral1/memory/436-125-0x0000000000FE0000-0x00000000011AE000-memory.dmp	dcrat
behavioral1/memory/2216-138-0x0000000001050000-0x000000000121E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2464 powershell.exe
2348 powershell.exe
1560 powershell.exe
1556 powershell.exe
472 powershell.exe
2216 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

Idle.exeIdle.exeIdle.exeIdle.exe

pid process

1284 Idle.exe
2000 Idle.exe
436 Idle.exe
2216 Idle.exe

pid	process
2464	powershell.exe
2348	powershell.exe
1560	powershell.exe
1556	powershell.exe
472	powershell.exe
2216	powershell.exe

pid	process
1284	Idle.exe
2000	Idle.exe
436	Idle.exe
2216	Idle.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 13 IoCs

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Icons\sppsvc.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX4A4D.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCX4CED.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\DVD Maker\dllhost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files (x86)\Windows Mail\Idle.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files (x86)\Windows Mail\6ccacd8608530f	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\cc11b995f2a76d	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\DVD Maker\RCX4617.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\DVD Maker\dllhost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\Idle.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\DVD Maker\5940a34987c991	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1444	schtasks.exe
2444	schtasks.exe
2676	schtasks.exe
2480	schtasks.exe
2336	schtasks.exe
2988	schtasks.exe
2712	schtasks.exe
2116	schtasks.exe
1136	schtasks.exe
2924	schtasks.exe
2012	schtasks.exe
1624	schtasks.exe
1944	schtasks.exe
1780	schtasks.exe
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	process
2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
2464	powershell.exe
2348	powershell.exe
1560	powershell.exe
1556	powershell.exe
472	powershell.exe
2216	powershell.exe
1284	Idle.exe
2000	Idle.exe
436	Idle.exe
2216	Idle.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1284	Idle.exe
Token: SeDebugPrivilege	2000	Idle.exe
Token: SeDebugPrivilege	436	Idle.exe
Token: SeDebugPrivilege	2216	Idle.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.execmd.exeIdle.exeWScript.exeIdle.exeWScript.exeIdle.exeWScript.exeIdle.exe

description	pid	process	target process
PID 2872 wrote to memory of 472	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 472	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 472	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1556	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1556	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1556	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1560	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1560	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 1560	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2348	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2348	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2348	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2464	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2464	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2464	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2216	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2216	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2216	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	powershell.exe
PID 2872 wrote to memory of 2552	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	cmd.exe
PID 2872 wrote to memory of 2552	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	cmd.exe
PID 2872 wrote to memory of 2552	2872	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	cmd.exe
PID 2552 wrote to memory of 780	2552	cmd.exe	w32tm.exe
PID 2552 wrote to memory of 780	2552	cmd.exe	w32tm.exe
PID 2552 wrote to memory of 780	2552	cmd.exe	w32tm.exe
PID 2552 wrote to memory of 1284	2552	cmd.exe	Idle.exe
PID 2552 wrote to memory of 1284	2552	cmd.exe	Idle.exe
PID 2552 wrote to memory of 1284	2552	cmd.exe	Idle.exe
PID 1284 wrote to memory of 1668	1284	Idle.exe	WScript.exe
PID 1284 wrote to memory of 1668	1284	Idle.exe	WScript.exe
PID 1284 wrote to memory of 1668	1284	Idle.exe	WScript.exe
PID 1284 wrote to memory of 3020	1284	Idle.exe	WScript.exe
PID 1284 wrote to memory of 3020	1284	Idle.exe	WScript.exe
PID 1284 wrote to memory of 3020	1284	Idle.exe	WScript.exe
PID 1668 wrote to memory of 2000	1668	WScript.exe	Idle.exe
PID 1668 wrote to memory of 2000	1668	WScript.exe	Idle.exe
PID 1668 wrote to memory of 2000	1668	WScript.exe	Idle.exe
PID 2000 wrote to memory of 2624	2000	Idle.exe	WScript.exe
PID 2000 wrote to memory of 2624	2000	Idle.exe	WScript.exe
PID 2000 wrote to memory of 2624	2000	Idle.exe	WScript.exe
PID 2000 wrote to memory of 1624	2000	Idle.exe	WScript.exe
PID 2000 wrote to memory of 1624	2000	Idle.exe	WScript.exe
PID 2000 wrote to memory of 1624	2000	Idle.exe	WScript.exe
PID 2624 wrote to memory of 436	2624	WScript.exe	Idle.exe
PID 2624 wrote to memory of 436	2624	WScript.exe	Idle.exe
PID 2624 wrote to memory of 436	2624	WScript.exe	Idle.exe
PID 436 wrote to memory of 1952	436	Idle.exe	WScript.exe
PID 436 wrote to memory of 1952	436	Idle.exe	WScript.exe
PID 436 wrote to memory of 1952	436	Idle.exe	WScript.exe
PID 436 wrote to memory of 1700	436	Idle.exe	WScript.exe
PID 436 wrote to memory of 1700	436	Idle.exe	WScript.exe
PID 436 wrote to memory of 1700	436	Idle.exe	WScript.exe
PID 1952 wrote to memory of 2216	1952	WScript.exe	Idle.exe
PID 1952 wrote to memory of 2216	1952	WScript.exe	Idle.exe
PID 1952 wrote to memory of 2216	1952	WScript.exe	Idle.exe
PID 2216 wrote to memory of 836	2216	Idle.exe	WScript.exe
PID 2216 wrote to memory of 836	2216	Idle.exe	WScript.exe
PID 2216 wrote to memory of 836	2216	Idle.exe	WScript.exe
PID 2216 wrote to memory of 1828	2216	Idle.exe	WScript.exe
PID 2216 wrote to memory of 1828	2216	Idle.exe	WScript.exe
PID 2216 wrote to memory of 1828	2216	Idle.exe	WScript.exe

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

Processes:

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
"C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pXlQnQd1ki.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:780
- - C:\Program Files (x86)\Windows Mail\Idle.exe
    "C:\Program Files (x86)\Windows Mail\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1284
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73146c9c-bd62-4cda-bd22-ecd0af579e67.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Program Files (x86)\Windows Mail\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2000
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e109b6-c411-4e17-a2e4-bdf3cf7cea67.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Program Files (x86)\Windows Mail\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7359df5a-2f0f-4cba-9314-ccbea4311b27.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Program Files (x86)\Windows Mail\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\728aa705-030f-457f-a55b-c328439211fa.vbs"
        10⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5013e559-9c35-4012-8e19-031d7021c57b.vbs"
        10⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aba0518-2a1a-4b58-a14f-05bd83dcf094.vbs"
        8⤵
        
        PID:1700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda35264-1d1d-4081-baf1-c1ec8a49bf1f.vbs"
        6⤵
        
        PID:1624
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\056bd45f-c6c9-48a8-a9b4-54db5b8cdf4f.vbs"
      4⤵
      PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\Idle.exe

Filesize
1.8MB

MD5
df9535b858491562c9f2b78ecb2d903b

SHA1
f7edde6f6a9028e4f1277488b7d25cfe9bd13660

SHA256
80607ed7d343420bae41e80b18020003a292c9f4548fddfec355612da054f870

SHA512
f5413469fdb030888ccd0a63fc4d7d9ebd6cd03a0334cdd3fbcebe0069000af7bba4c14c75e2d508e1c516465c4c5275ed7f4da122ec821d79ba7d2212f5b495

Download Submit
C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe

Filesize
1.8MB

MD5
7129b24ba5b05e8a48304a861d744780

SHA1
556ddf9ca97c6bd773351eb8ec0ab7797a27bb18

SHA256
e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9

SHA512
06c038e7241f0a49b4700bb5c7012b123df27bba1eff1723dae5722216edaa3b468d290431db33c75d37517d6a3b229f66149a7ec2e1e10a271e5d2f433a4496

Download Submit
C:\Users\Admin\AppData\Local\Temp\056bd45f-c6c9-48a8-a9b4-54db5b8cdf4f.vbs

Filesize
496B

MD5
5cd7a745c8fa7859d0c2621be66578f5

SHA1
81928ecb8a7bbd69a3c3dba44faeed312cca872f

SHA256
9070104b741568b344e6bd44c2bc4d34419ee48e2893159f74ed640b2121a08b

SHA512
e93a0d1631fb1c51826fccb716d322097891796d609676033d0257db389426dba4e50890caeae4d90b8e3c2c25ad8efe93c305268621b39f10cd3c9d88c7c0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\47e109b6-c411-4e17-a2e4-bdf3cf7cea67.vbs

Filesize
720B

MD5
dd12107958ab33da0acf9487bad7d225

SHA1
9a0e6fd6c70fb2b5a96519a2420b240f98048e00

SHA256
9e075bd678e72ad1daccd7a22680854d7cebc66b7937bac3a406f538388cd1ac

SHA512
6a4a7d10c628ab6356ee415d4e69cab34fdb721d90c51afc9c133476e278514b03d8542f415f22b606398cb8711b21b8f37716d47c6a7d0a228fbf3a8f5429cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\728aa705-030f-457f-a55b-c328439211fa.vbs

Filesize
720B

MD5
d23f2a64455704acefb8d98a3a162d66

SHA1
b26670375d93288e42094bc984bae6d63b46d9ae

SHA256
7a7dbf6591a673097f591252ca0c383fea7a5e86b239df4c8119c92bd2bc9a67

SHA512
bc67e8354a775982e3401a2620ba18421472758f0c98ba6744f0c049b910afd8280db40cefc7e590e25b13e4606c453937e9b0387f66e8c781ff4dec41755a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\73146c9c-bd62-4cda-bd22-ecd0af579e67.vbs

Filesize
720B

MD5
11aa0395f62384d1c9232eadfd6bdb89

SHA1
fe8947a2c8f4ce1223c61dd319a52c737fa87634

SHA256
cdf1836718d57a96b99ec78e4955580d14f9ef868ada1aedc136686ab60f1ff4

SHA512
7477e3c27e564d24cbfecbbecf2412c8ef618df86dddb1cd0ca38fe6d340d4e591c48528265653024a41daeb1ab111289ba5fa34ebca6197b80e926a92cbd170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7359df5a-2f0f-4cba-9314-ccbea4311b27.vbs

Filesize
719B

MD5
1ab856a9dfc731e2491317aed37d5d3c

SHA1
21912e0ff0e3305e07cb14ccba9c3664b328449c

SHA256
61ac1a7564d2fb75af45fab6322e9ba2b2c4937c5f005940bc7af0e564bf3651

SHA512
9b91365a2f6998e2443b57c1e3cd2d497ef42d015fa29a167aaf6575f5f6881e3f4d60ee28dbef33785a5a03d0d7dad904017659c63b3ee3d1c349d56fdceebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pXlQnQd1ki.bat

Filesize
209B

MD5
dd613aef54774d7377319f5ca88c3919

SHA1
96733210274d95b73059a4710b5d198ac1fee07b

SHA256
bb70a3ae75b693842e931f42292ecbd62c8d375e36bd5f74cb6f428ce8566c3f

SHA512
55dbc89af8a480e376c9714551ef0ffb2a2de9c209a79d767b3b7cbf9ad8c331bf780a029a1ec410301656c94fbdfb8c96982de88320c8a6b92b5aa60d66b797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWPEWFAZX1X3WB7YQGQB.temp

Filesize
7KB

MD5
6028c6c0199201d505f367638dbf2c2f

SHA1
56889e0d4114165c9ed9399ca8cc2cfc5a03e376

SHA256
212901ad1411e96ff2626cb7074d80e05d3486e5c8e32c4d3dc7aefa169f6f57

SHA512
497cb759d547d54fb7a86c484c4101e44881bee6decc0b1ae6da69777d77a73755a2171a7ba7a23aec5c6004b15021928a8ef744906f462992029b9b9384adca

Download Submit
memory/436-126-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/436-125-0x0000000000FE0000-0x00000000011AE000-memory.dmp

Filesize
1.8MB

Download
memory/1284-98-0x0000000001310000-0x00000000014DE000-memory.dmp

Filesize
1.8MB

Download
memory/1284-100-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/1284-99-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/2000-113-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/2000-112-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2000-111-0x0000000000210000-0x00000000003DE000-memory.dmp

Filesize
1.8MB

Download
memory/2216-138-0x0000000001050000-0x000000000121E000-memory.dmp

Filesize
1.8MB

Download
memory/2348-87-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2348-89-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2872-12-0x000000001A800000-0x000000001A80E000-memory.dmp

Filesize
56KB

Download
memory/2872-7-0x00000000020E0000-0x00000000020F2000-memory.dmp

Filesize
72KB

Download
memory/2872-95-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-14-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/2872-13-0x000000001A810000-0x000000001A81E000-memory.dmp

Filesize
56KB

Download
memory/2872-15-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/2872-5-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2872-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2872-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/2872-6-0x0000000002270000-0x0000000002286000-memory.dmp

Filesize
88KB

Download
memory/2872-9-0x0000000002290000-0x000000000229A000-memory.dmp

Filesize
40KB

Download
memory/2872-3-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/2872-11-0x000000001A7F0000-0x000000001A7FA000-memory.dmp

Filesize
40KB

Download
memory/2872-10-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/2872-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-8-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2872-1-0x0000000000930000-0x0000000000AFE000-memory.dmp

Filesize
1.8MB

Download