dcrat | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Size

1.9MB
MD5

b379f4ac167609d8a3ef26444098b61d
SHA1

85fe0bbbe666d72a955ee98444415194e00739eb
SHA256

430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
SHA512

0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
SSDEEP

24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\servicing\\Editions\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2688	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2688	schtasks.exe	29

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
840	powershell.exe
2204	powershell.exe
3040	powershell.exe
940	powershell.exe
548	powershell.exe
3028	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\servicing\\Editions\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SchCache\\taskhost.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\it-IT\\winlogon.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\servicing\\Editions\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SchCache\\taskhost.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\it-IT\\winlogon.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\""	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC15835A0D45114821A97B2C4719D64BD3.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\WmiPrvSE.exe	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\it-IT\winlogon.exe	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\it-IT\cc11b995f2a76d	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\SchCache\taskhost.exe	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\SchCache\b75386f1303e64	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\servicing\Editions\dwm.exe	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created	C:\Windows\servicing\Editions\6cb0b6c459d5d3	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1844	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
308	schtasks.exe
2436	schtasks.exe
2784	schtasks.exe
276	schtasks.exe
2920	schtasks.exe
2704	schtasks.exe
2856	schtasks.exe
980	schtasks.exe
1680	schtasks.exe
2032	schtasks.exe
2040	schtasks.exe
2660	schtasks.exe
2984	schtasks.exe
976	schtasks.exe
1996	schtasks.exe
2192	schtasks.exe
2300	schtasks.exe
1116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2640	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2900	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	33
PID 2580 wrote to memory of 2900	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	33
PID 2580 wrote to memory of 2900	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	33
PID 2900 wrote to memory of 336	2900	csc.exe	35
PID 2900 wrote to memory of 336	2900	csc.exe	35
PID 2900 wrote to memory of 336	2900	csc.exe	35
PID 2580 wrote to memory of 3028	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	51
PID 2580 wrote to memory of 3028	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	51
PID 2580 wrote to memory of 3028	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	51
PID 2580 wrote to memory of 548	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	52
PID 2580 wrote to memory of 548	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	52
PID 2580 wrote to memory of 548	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	52
PID 2580 wrote to memory of 940	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	53
PID 2580 wrote to memory of 940	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	53
PID 2580 wrote to memory of 940	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	53
PID 2580 wrote to memory of 3040	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	54
PID 2580 wrote to memory of 3040	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	54
PID 2580 wrote to memory of 3040	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	54
PID 2580 wrote to memory of 2204	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	56
PID 2580 wrote to memory of 2204	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	56
PID 2580 wrote to memory of 2204	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	56
PID 2580 wrote to memory of 840	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	57
PID 2580 wrote to memory of 840	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	57
PID 2580 wrote to memory of 840	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	57
PID 2580 wrote to memory of 2400	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	63
PID 2580 wrote to memory of 2400	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	63
PID 2580 wrote to memory of 2400	2580	430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe	63
PID 2400 wrote to memory of 1944	2400	cmd.exe	65
PID 2400 wrote to memory of 1944	2400	cmd.exe	65
PID 2400 wrote to memory of 1944	2400	cmd.exe	65
PID 2400 wrote to memory of 1844	2400	cmd.exe	66
PID 2400 wrote to memory of 1844	2400	cmd.exe	66
PID 2400 wrote to memory of 1844	2400	cmd.exe	66
PID 2400 wrote to memory of 2640	2400	cmd.exe	67
PID 2400 wrote to memory of 2640	2400	cmd.exe	67
PID 2400 wrote to memory of 2640	2400	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
"C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4pqul2f5\4pqul2f5.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9109.tmp" "c:\Windows\System32\CSC15835A0D45114821A97B2C4719D64BD3.TMP"
    3⤵
    PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\servicing\Editions\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3IJqF7NZR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1944
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
    "C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\servicing\Editions\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\servicing\Editions\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SchCache\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9109.tmp

Filesize
1KB

MD5
55f92198880fc88bd9fab810d370dbaf

SHA1
8be822c7b63bca6ee639ed5052ed86506841a74d

SHA256
acac3b2f353ad12dc2afd0dfb321830ee2c20995a401000588a42c574bb6197b

SHA512
001d6ba38a0c4e3dd8da174b8d1ab7bf203f24d72ecd0a5d673c74228dedaee2cb1b1291d88558c351299ff92c6789259cde9519425d8471a0a9685f78707612

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3IJqF7NZR.bat

Filesize
230B

MD5
e1a793a1c5dc28480d3538018f5487d1

SHA1
8729b89d81032692ed18b20b3041df557a1467a4

SHA256
cfb76bf00238eb2be10c1b16c59cc1a7206ccaca34c8921bf71c299950f92c51

SHA512
ba28051e214b81a9b691ba2027bb93908ea8097eec8337363cfeeb4a4a2dbc295881f58a4ae763399fc3c7b9a5cf845e929df282e9e3571150ec05d316cb4f22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9bf1f823c0e044ce8341161380e586cc

SHA1
a0da638c7b3576b24384d8ed666b4fd69ce22ee5

SHA256
9ef4ac5e69aa6f3576f0b9a30dc0567bebe2989717447097c59ceeb9feb4cf31

SHA512
128c8212db5babfc415608651599655f70ab2755110c1bc759fb3f397727ed55fca19c17ef0311d0fedbc07c748171600dcd17645146ddb94bd9e56e7684e74c

Download Submit
C:\Windows\servicing\Editions\dwm.exe

Filesize
1.9MB

MD5
b379f4ac167609d8a3ef26444098b61d

SHA1
85fe0bbbe666d72a955ee98444415194e00739eb

SHA256
430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80

SHA512
0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4pqul2f5\4pqul2f5.0.cs

Filesize
369B

MD5
c1cedeeb4502ec451cc325669742a250

SHA1
9673df327029ec8af78e647d5c148812ff1a5a36

SHA256
e035a7738d46123c3d28a5ce817a1e6f7529c45e63f0b23f4615af54e52941a1

SHA512
c25753a5f88384ce8832bd11b2e95ab796232ed4063452af594ddbaab067e6503e89aeb3b02b2870ae3f59a8034b470658ddf20864d53b320424d3be4fe6f7e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4pqul2f5\4pqul2f5.cmdline

Filesize
235B

MD5
50f02e8c67ac8c1ead63bafca318d349

SHA1
cbf2f28419cef58bc219e4937593861f04c450df

SHA256
f718470559b6d010dba9676ae37fea9d0323ef58bf1f16e5e0ddb2d4194dc18a

SHA512
c0a797b953120c9c5b7f59eb5554197c2265df992d437c9628b6b901738c036e697c6fa05c6a96be57165a92dee194566fc27c48c9b4de6c368bb7c3676bdf21

Download Submit
\??\c:\Windows\System32\CSC15835A0D45114821A97B2C4719D64BD3.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/940-56-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/940-57-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2580-20-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-8-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2580-19-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2580-17-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-16-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2580-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2580-21-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-23-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-26-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-14-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-11-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/2580-13-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2580-40-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2580-9-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-6-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2580-41-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-4-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-3-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-74-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-1-0x0000000000D40000-0x0000000000F2C000-memory.dmp

Filesize
1.9MB

Download
memory/2580-86-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download