dcrat | a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Size

1.7MB
MD5

45ebb562b38bb86e6375e19eb7f699ad
SHA1

c3470337ef4b26a518260a9e009b474103e5baf5
SHA256

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68
SHA512

c71a64596adb6e1785f7141f20c2b6cc1e1ae3fa53978dccb9e282df45d5318be10ab4c2352e49927bbdb5e314b5406f46a98d862a67d9a3d5364b58599ba495
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2648	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2080-1-0x0000000000290000-0x0000000000446000-memory.dmp	dcrat
C:\Users\Default\smss.exe	dcrat
C:\Windows\twain_32\StartMenuExperienceHost.exe	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5036	powershell.exe
3052	powershell.exe
3612	powershell.exe
1392	powershell.exe
3380	powershell.exe
816	powershell.exe
4876	powershell.exe
4732	powershell.exe
2112	powershell.exe
2292	powershell.exe
2824	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exeSystem.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 2 IoCs

Processes:

System.exeSystem.exe

pid process

720 System.exe
952 System.exe

pid	process
720	System.exe
952	System.exe

Drops file in Program Files directory 10 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXBE72.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXBE82.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Internet Explorer\5b884080fd4f94	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXC339.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXC33A.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Internet Explorer\fontdrvhost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Windows Multimedia Platform\29c1c3cc0f7685	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Internet Explorer\fontdrvhost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Drops file in Windows directory 16 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File created	C:\Windows\twain_32\55b276f4edf653	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\twain_32\RCXC85E.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXCCA8.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\27d1bcfc3c54e0	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\Downloaded Program Files\backgroundTaskHost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\twain_32\StartMenuExperienceHost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\RCXC0A7.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\twain_32\RCXC7E0.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\Downloaded Program Files\eddb19405b7ce1	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\RCXC097.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\twain_32\StartMenuExperienceHost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXCCA7.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Downloaded Program Files\backgroundTaskHost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\rescache\RuntimeBroker.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exeSystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3856	schtasks.exe
4968	schtasks.exe
432	schtasks.exe
316	schtasks.exe
2132	schtasks.exe
744	schtasks.exe
4820	schtasks.exe
1940	schtasks.exe
656	schtasks.exe
116	schtasks.exe
4296	schtasks.exe
4492	schtasks.exe
4248	schtasks.exe
4708	schtasks.exe
2136	schtasks.exe
2072	schtasks.exe
4544	schtasks.exe
1388	schtasks.exe
4060	schtasks.exe
4772	schtasks.exe
5104	schtasks.exe
2444	schtasks.exe
840	schtasks.exe
752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
3052	powershell.exe
3052	powershell.exe
816	powershell.exe
816	powershell.exe
3380	powershell.exe
3380	powershell.exe
3612	powershell.exe
4876	powershell.exe
3612	powershell.exe
4876	powershell.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2112	powershell.exe
2112	powershell.exe
2292	powershell.exe
2292	powershell.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
5036	powershell.exe
5036	powershell.exe
4732	powershell.exe
3052	powershell.exe
4732	powershell.exe
1392	powershell.exe
1392	powershell.exe
2824	powershell.exe
2824	powershell.exe
4732	powershell.exe
2292	powershell.exe
2824	powershell.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
3380	powershell.exe
4876	powershell.exe
3612	powershell.exe
816	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	720	System.exe
Token: SeDebugPrivilege	952	System.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exeSystem.exeWScript.exe

description	pid	process	target process
PID 2080 wrote to memory of 1392	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 1392	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3380	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3380	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 816	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 816	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3612	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3612	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3052	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 3052	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 5036	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 5036	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2112	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2112	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 4876	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 4876	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 4732	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 4732	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2292	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2292	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2824	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 2824	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2080 wrote to memory of 720	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	System.exe
PID 2080 wrote to memory of 720	2080	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	System.exe
PID 720 wrote to memory of 1160	720	System.exe	WScript.exe
PID 720 wrote to memory of 1160	720	System.exe	WScript.exe
PID 720 wrote to memory of 2288	720	System.exe	WScript.exe
PID 720 wrote to memory of 2288	720	System.exe	WScript.exe
PID 1160 wrote to memory of 952	1160	WScript.exe	System.exe
PID 1160 wrote to memory of 952	1160	WScript.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
"C:\Users\Admin\AppData\Local\Temp\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe
  "C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e67a3de5-1c10-4c4b-8d97-5acca7c0e760.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe
      "C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d44eb3-8dbe-423a-b177-9eadd2989493.vbs"
    3⤵
    PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\80d44eb3-8dbe-423a-b177-9eadd2989493.vbs

Filesize
503B

MD5
0b49349a08df1a67488a2771ce3abe4a

SHA1
1aa7ad0696de6f44f11ec9ff9bd199f27e805435

SHA256
c18681163a72897ecb67a767ed86552066351825684faba56dc22cd9ef337373

SHA512
d039a79282dd4dc1e1092366c0d9319dc6027bc3adfbf450b59e386daae18f785381a31bd374eeff59ad9e9b7389b873bba0ecf9017042daed62f91cbaca60ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ylb4w30e.oih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e67a3de5-1c10-4c4b-8d97-5acca7c0e760.vbs

Filesize
726B

MD5
73db696e5cd42572de0872604ec01ad7

SHA1
1b6f12d97e2e3b795295c4f47a0e6740a8dd4f9a

SHA256
4b41d0c493e9a889155f2bbd575997cbba89d5cc2e8d1a1084a7b993b6ff7a2e

SHA512
2da51f7788cf5c36b065e722f8f648536edd78a85f1bf5962e7a97ae6573da43dddbc4a778dbdf5fe24428f86c07f243f88dd6baa84346869544e6a042dd1084

Download Submit
C:\Users\Default\smss.exe

Filesize
1.7MB

MD5
45ebb562b38bb86e6375e19eb7f699ad

SHA1
c3470337ef4b26a518260a9e009b474103e5baf5

SHA256
a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68

SHA512
c71a64596adb6e1785f7141f20c2b6cc1e1ae3fa53978dccb9e282df45d5318be10ab4c2352e49927bbdb5e314b5406f46a98d862a67d9a3d5364b58599ba495

Download Submit
C:\Windows\twain_32\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
9d488d67b574ff7fe53c57400e4eebe0

SHA1
32dd27aff27b14490801510585a97a45f6e146ec

SHA256
7793aaf93f90c0e07dffed58fde76deccc272df628f6126d6880e218b73fd236

SHA512
ff2a458b1dacdf2e8e681205f1b53ab0399b29a38a07d647d06bb86a4ee10c4a908ce4649e56b50d60ff7c6d56efcab83e6f4d02dee09a3227f264be5811fed2

Download Submit
memory/2080-18-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/2080-7-0x000000001B6A0000-0x000000001B6B6000-memory.dmp

Filesize
88KB

Download
memory/2080-15-0x000000001BA80000-0x000000001BA8A000-memory.dmp

Filesize
40KB

Download
memory/2080-17-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/2080-16-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/2080-14-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/2080-21-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-0-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/2080-22-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-23-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-11-0x000000001B6E0000-0x000000001B6E8000-memory.dmp

Filesize
32KB

Download
memory/2080-10-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

Filesize
48KB

Download
memory/2080-136-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/2080-1-0x0000000000290000-0x0000000000446000-memory.dmp

Filesize
1.7MB

Download
memory/2080-9-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/2080-259-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-287-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-299-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/2080-5-0x000000001B070000-0x000000001B078000-memory.dmp

Filesize
32KB

Download
memory/2080-13-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/2080-8-0x000000001B6C0000-0x000000001B6D2000-memory.dmp

Filesize
72KB

Download
memory/2080-6-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/2080-4-0x000000001B6F0000-0x000000001B740000-memory.dmp

Filesize
320KB

Download
memory/2080-3-0x0000000002630000-0x000000000264C000-memory.dmp

Filesize
112KB

Download
memory/2080-2-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/3612-186-0x0000017DEDD40000-0x0000017DEDD62000-memory.dmp

Filesize
136KB

Download