dcrat | 5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01

Analysis

max time kernel
107s
max time network
107s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Size

1.1MB
MD5

7f1a6a71484ac1b261fe91aa1c83ba40
SHA1

fc04b2dc24f946b1a18a36c5a565a66c60cb740b
SHA256

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01
SHA512

7c798991dd774434f04d535d5f34982f8c868ec3fb595d773da64364cf0430bbe44d49056c35a27e2b4161c4daad94989344c250dc6fb1c976e7d230eedb7661
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2600	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2708-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2708-10-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2708-20-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2708-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2708-17-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2292-183-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2292-186-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2992 powershell.exe
1656 powershell.exe
1336 powershell.exe
2880 powershell.exe
2136 powershell.exe
3000 powershell.exe
Executes dropped EXE 6 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid process

2232 csrss.exe
2776 csrss.exe
1524 csrss.exe
2292 csrss.exe
636 csrss.exe
1540 csrss.exe

pid	process
2992	powershell.exe
1656	powershell.exe
1336	powershell.exe
2880	powershell.exe
2136	powershell.exe
3000	powershell.exe

pid	process
2232	csrss.exe
2776	csrss.exe
1524	csrss.exe
2292	csrss.exe
636	csrss.exe
1540	csrss.exe

Loads dropped DLL 9 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.execsrss.exeWScript.execsrss.exeWScript.exe

pid	process
2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2232	csrss.exe
1900	WScript.exe
1900	WScript.exe
1524	csrss.exe
1524	csrss.exe
2436	WScript.exe
2436	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.execsrss.execsrss.exe

description	pid	process	target process
PID 2304 set thread context of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2232 set thread context of 2776	2232	csrss.exe	csrss.exe
PID 1524 set thread context of 2292	1524	csrss.exe	csrss.exe

Drops file in Program Files directory 15 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX7C0.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX1199.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Windows NT\b75386f1303e64	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\d5a7132610e615	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows NT\RCX9C5.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX7C1.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows NT\RCXA33.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows NT\taskhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX112A.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Windows NT\taskhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csrss.exeWScript.execsrss.execsrss.execsrss.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exeWScript.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exeWScript.exepowershell.exepowershell.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2584	schtasks.exe
1292	schtasks.exe
1824	schtasks.exe
2920	schtasks.exe
2944	schtasks.exe
1316	schtasks.exe
2120	schtasks.exe
3056	schtasks.exe
1300	schtasks.exe
1912	schtasks.exe
1060	schtasks.exe
1516	schtasks.exe
2676	schtasks.exe
2196	schtasks.exe
264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.exe

pid	process
2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2992	powershell.exe
2880	powershell.exe
2136	powershell.exe
1656	powershell.exe
3000	powershell.exe
1336	powershell.exe
2776	csrss.exe
1524	csrss.exe
1524	csrss.exe
2292	csrss.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	1524	csrss.exe
Token: SeDebugPrivilege	2292	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.execsrss.execsrss.exeWScript.execsrss.exe

description	pid	process	target process
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2304 wrote to memory of 2708	2304	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2708 wrote to memory of 3000	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 3000	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 3000	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 3000	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2992	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2992	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2992	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2992	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1656	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1656	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1656	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1656	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1336	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1336	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1336	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 1336	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2880	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2880	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2880	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2880	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2136	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2136	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2136	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2136	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 2708 wrote to memory of 2232	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	csrss.exe
PID 2708 wrote to memory of 2232	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	csrss.exe
PID 2708 wrote to memory of 2232	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	csrss.exe
PID 2708 wrote to memory of 2232	2708	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2232 wrote to memory of 2776	2232	csrss.exe	csrss.exe
PID 2776 wrote to memory of 1900	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1900	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1900	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1900	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1472	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1472	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1472	2776	csrss.exe	WScript.exe
PID 2776 wrote to memory of 1472	2776	csrss.exe	WScript.exe
PID 1900 wrote to memory of 1524	1900	WScript.exe	csrss.exe
PID 1900 wrote to memory of 1524	1900	WScript.exe	csrss.exe
PID 1900 wrote to memory of 1524	1900	WScript.exe	csrss.exe
PID 1900 wrote to memory of 1524	1900	WScript.exe	csrss.exe
PID 1524 wrote to memory of 636	1524	csrss.exe	csrss.exe
PID 1524 wrote to memory of 636	1524	csrss.exe	csrss.exe
PID 1524 wrote to memory of 636	1524	csrss.exe	csrss.exe
PID 1524 wrote to memory of 636	1524	csrss.exe	csrss.exe
PID 1524 wrote to memory of 2292	1524	csrss.exe	csrss.exe
PID 1524 wrote to memory of 2292	1524	csrss.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
"C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Default User\csrss.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b26d6eaf-3b21-407b-bcdf-d395a07b1170.vbs"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Users\Default User\csrss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Users\Default User\csrss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8055474-1b14-48f9-bb93-81ddc9cae331.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43c7d60-c79a-42c2-8c18-dc8619ac83a7.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fc5cf1b-eeab-4827-9cca-3f1d5b2a00be.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Filesize
1.1MB

MD5
7f1a6a71484ac1b261fe91aa1c83ba40

SHA1
fc04b2dc24f946b1a18a36c5a565a66c60cb740b

SHA256
5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01

SHA512
7c798991dd774434f04d535d5f34982f8c868ec3fb595d773da64364cf0430bbe44d49056c35a27e2b4161c4daad94989344c250dc6fb1c976e7d230eedb7661

Download Submit
C:\Program Files\Windows NT\taskhost.exe

Filesize
1.1MB

MD5
a97f1729ed6208c78a3633e6def6b31a

SHA1
f62dcdf4cb4d68df273cb201552b698234a99cc8

SHA256
2a977a56e939ed093b217873a5f6ec625e8736020ef62cbd64c23bd6ba9614d4

SHA512
6b70a8c3712c7aca5a5176de5cce7a4a709e4e2cd8102690e5832ba3c814ca2c94c691dd75002f50207f35f7720a1a02621070109285563b7d352f864c7473ac

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe

Filesize
1.1MB

MD5
1fb968858221c834e22ce291dc454dde

SHA1
d2fba16ccde873f3e520f2c6ec1d6472adbd1318

SHA256
9f8dad2e6806e3553d237578578d7435d092ec49500d7c59df087273b82743e8

SHA512
bdf409c8a0f863ff7622f750f7a2493bb34096aaaa29a88d6243ef7967fc0a52e4eda98b6f90885409221de6da4e64b2285eafd27b3aae78cd322c7fa65b307d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fc5cf1b-eeab-4827-9cca-3f1d5b2a00be.vbs

Filesize
483B

MD5
1ffb4e2c34dd256213a7ef20c1303515

SHA1
d09f1f5da914470ea81e198a65499dabbd43043d

SHA256
a7ab13f46f9abb128d72bdc92e520b42ae3e4b0c8cee7a84e62a832fdd73dfef

SHA512
586f72fc15d6ff64c96625ce0c531b1179f7d0ee72a650168fdcaed9c700074e41390494ef9cf18ccbec61cb004aca5a400201e06fffc33ba4a5c54389d30485

Download Submit
C:\Users\Admin\AppData\Local\Temp\b26d6eaf-3b21-407b-bcdf-d395a07b1170.vbs

Filesize
707B

MD5
2c2d9b6e6eaea6af7645719cdb908681

SHA1
6a03c5e725ab8390021e2f0e414a64972e6f4dc7

SHA256
1e1a93655a447a427da7634cc84727f5c0977f1a9019b41ce75681d7b785f9ef

SHA512
e3bba454cb9bde48694b0d3859e4b11ed882b6c9323062f7c68a1f2a37439938361319232e48c59fc7fe04a99da20d8720af82d2ec4b6cb9ff9926ba3eb8bd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8055474-1b14-48f9-bb93-81ddc9cae331.vbs

Filesize
707B

MD5
307cfc366914310a6cc11d25e63a8586

SHA1
cd601dfb4079be9df3cdcf6f2b54441dec1daf61

SHA256
7a505231af4c6b73266713d84bf01963fee1e60c33ad374b987d797d4250bb8d

SHA512
faac816ee0a41bcddf99ce30f1d23caa51bb2b000bd736c62f0462c2b7a4af44ba47eaef36e760ac9980702268e5611115c0570b47230bfce2eb1d8eb08124f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F806GOKDNLE9LPQC356C.temp

Filesize
7KB

MD5
45d593f86308cc790f3757a7a22aa070

SHA1
48206cc814a1dcd6bfc66d6f85a7eec9ba9355f1

SHA256
58d04c2bbe21d499305c8dd2d7707b48dd17648334f1ff7de084c3706c22a9ca

SHA512
5c2b2b6281dbfc2dbf37df8840606c5cd64c57fbc712713467d1ceee7e255d239f3340e8b07d2b977d022838639dbfaf7abf4931afeda57bead718891bd1be56

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.1MB

MD5
6f60b5279ab115074a2d4f6661e64a7a

SHA1
8295583e026ef868a5bb0cba99efabaf24891806

SHA256
45a8932f9b1abf1f11cff1581e8cc72ad9e3f89b42f84335477c27fa27833461

SHA512
1b4a28baaf1a19eba6a12369ea6e83cab7ba2d77cf5efb35574a474176a57a8c429dbd92d00818cbdf55e14367950bafee9ada9013972e29d279eb3d67b8ea51

Download Submit
memory/1524-169-0x0000000000070000-0x000000000019C000-memory.dmp

Filesize
1.2MB

Download
memory/1540-200-0x0000000000EF0000-0x000000000101C000-memory.dmp

Filesize
1.2MB

Download
memory/2232-140-0x0000000000FE0000-0x000000000110C000-memory.dmp

Filesize
1.2MB

Download
memory/2232-142-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/2292-186-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2292-183-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2292-180-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2304-7-0x0000000005CF0000-0x0000000005E1E000-memory.dmp

Filesize
1.2MB

Download
memory/2304-23-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-6-0x0000000005660000-0x0000000005756000-memory.dmp

Filesize
984KB

Download
memory/2304-5-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-4-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2304-3-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2304-2-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-1-0x0000000000F60000-0x000000000108C000-memory.dmp

Filesize
1.2MB

Download
memory/2708-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-24-0x0000000000210000-0x000000000022C000-memory.dmp

Filesize
112KB

Download
memory/2708-30-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2708-33-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2708-32-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2708-34-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2708-29-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2708-28-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2708-27-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2708-26-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2708-25-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2708-31-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2708-22-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-141-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-17-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-21-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2708-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2776-152-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download