dcrat | 820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Size

2.6MB
MD5

70cc71e35134d51fc8146e37c5057870
SHA1

7711b99c61a69c022aeb74bca4e8f6514bd60318
SHA256

820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818
SHA512

030064056bf5d8e54024c8ea0471e70719294b4fe71165bdf811789a2419b9bf3f087d2e680db96cd0874a4e2859b7676a13d6c2bb41b0e89aaebc222dde8ea5
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2944	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2724-1-0x0000000001030000-0x00000000012D8000-memory.dmp	dcrat
behavioral1/files/0x0005000000019f9a-27.dat	dcrat
behavioral1/files/0x000600000001a4dc-88.dat	dcrat
behavioral1/files/0x000800000001925b-133.dat	dcrat
behavioral1/files/0x000600000001a4bb-215.dat	dcrat
behavioral1/memory/2508-252-0x0000000000880000-0x0000000000B28000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2508	Idle.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXF6F0.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\audiodg.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCX5B.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\886983d96e3d3e	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\audiodg.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Media Player\en-US\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX11C9.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\1610b97d3ab4a7	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Journal\Templates\wininit.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXF6F1.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXF8F5.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX1237.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\42af1c969fbb7b	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF4EC.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX143B.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1640.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Media Player\en-US\6cb0b6c459d5d3	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF4ED.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXF963.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCX5C.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX143C.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Journal\Templates\56085415360792	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\wininit.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1641.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\IME\IMEJP10\6cb0b6c459d5d3	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Fonts\6cb0b6c459d5d3	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\IME\IMEJP10\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Registration\CRMLog\taskhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Fonts\RCXF57.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Fonts\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Registration\CRMLog\taskhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\IME\IMEJP10\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Fonts\dwm.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX8DC.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Registration\CRMLog\b75386f1303e64	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX8DB.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\IME\IMEJP10\RCXAE1.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\IME\IMEJP10\RCXAE0.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Fonts\RCXF58.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
920	schtasks.exe
832	schtasks.exe
2748	schtasks.exe
2532	schtasks.exe
2228	schtasks.exe
1248	schtasks.exe
2152	schtasks.exe
2280	schtasks.exe
756	schtasks.exe
1940	schtasks.exe
2140	schtasks.exe
2240	schtasks.exe
2536	schtasks.exe
2884	schtasks.exe
2892	schtasks.exe
2700	schtasks.exe
3048	schtasks.exe
1924	schtasks.exe
664	schtasks.exe
2368	schtasks.exe
1900	schtasks.exe
2132	schtasks.exe
2416	schtasks.exe
952	schtasks.exe
2404	schtasks.exe
2772	schtasks.exe
2472	schtasks.exe
1808	schtasks.exe
2288	schtasks.exe
740	schtasks.exe
2632	schtasks.exe
1608	schtasks.exe
2588	schtasks.exe
1612	schtasks.exe
3064	schtasks.exe
1572	schtasks.exe
2564	schtasks.exe
2704	schtasks.exe
1476	schtasks.exe
2856	schtasks.exe
2876	schtasks.exe
568	schtasks.exe
1772	schtasks.exe
2296	schtasks.exe
1504	schtasks.exe
536	schtasks.exe
2924	schtasks.exe
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe
2508	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Token: SeDebugPrivilege	2508	Idle.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 340	2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	80
PID 2724 wrote to memory of 340	2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	80
PID 2724 wrote to memory of 340	2724	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	80
PID 340 wrote to memory of 2896	340	cmd.exe	82
PID 340 wrote to memory of 2896	340	cmd.exe	82
PID 340 wrote to memory of 2896	340	cmd.exe	82
PID 340 wrote to memory of 2508	340	cmd.exe	83
PID 340 wrote to memory of 2508	340	cmd.exe	83
PID 340 wrote to memory of 2508	340	cmd.exe	83

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
"C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\58NgmlZn37.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2896
- - C:\Program Files\Windows Portable Devices\Idle.exe
    "C:\Program Files\Windows Portable Devices\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N8" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N8" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe

Filesize
2.6MB

MD5
3408ec727ce3d7a6b7b92e03af535e85

SHA1
20b510859c5497b9886bb982ee73b2321c16d8e1

SHA256
f66c149824ca80bcff6b8e549839e84ab9264335723d75012e4596f9897ad6ce

SHA512
dc8495f6711d3c257f6a839d6da7e486bc2cf43f2dd4424e477886be5c46bc1fa2cbce44a67d63a0b5ff75379242327db840fd0d20b8e7a16dd7ef9a609dd8d7

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe

Filesize
2.6MB

MD5
e1d98a3065391a2154d95be0a0e8dc04

SHA1
7e8b710d6c300ab45787ab7e6f0faa4bbae9e667

SHA256
aa8c602183548d997d8bd952f4b8b029ce1d030fa55b8aa867759b06077259cf

SHA512
0d82391cc0793f6f3c53947d32ac746d65afd073c19effc4e818f04c9b995045a6382cf496d30062aaa329e57223410bb59516ea6aedcaee47b2204e05e187df

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Filesize
2.6MB

MD5
e89f08f014d53ce4784fa3441ca620ed

SHA1
a5963114b878f60c15987e65ee978185f939f1ee

SHA256
3ce3122931d6132f703606cc64534f8ac6ac91dd6ecf3ec707b0964d12679e73

SHA512
874d0c22ca1eb8f513e133d059fb19c7df4b7cdc655ab69be8ddba048f7d1838377e6447eab6eef23f0ecdb70e7220e675ec853ce039d8a5d9d1cf2a8c200f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\58NgmlZn37.bat

Filesize
215B

MD5
90422fccbf6110e340b472e9566e332d

SHA1
81d6b38e07007466062bf7327d3b07107b98114c

SHA256
8b1516005b5c7b7ac58fcae55925ac890ff37306f4696177f0c66bf4b9b966a1

SHA512
258bd61ac865ad8f48d576e7d1cb1364e47438ae27e83b0dcfc2562a30f79ee44470535e42c5ae2c39a82eb2d0fb8a2e0891e6b1baa6d3251bf71e7643194612

Download Submit
C:\Users\Default\dllhost.exe

Filesize
2.6MB

MD5
70cc71e35134d51fc8146e37c5057870

SHA1
7711b99c61a69c022aeb74bca4e8f6514bd60318

SHA256
820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818

SHA512
030064056bf5d8e54024c8ea0471e70719294b4fe71165bdf811789a2419b9bf3f087d2e680db96cd0874a4e2859b7676a13d6c2bb41b0e89aaebc222dde8ea5

Download Submit
memory/2508-254-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2508-253-0x0000000000820000-0x0000000000876000-memory.dmp

Filesize
344KB

Download
memory/2508-252-0x0000000000880000-0x0000000000B28000-memory.dmp

Filesize
2.7MB

Download
memory/2724-7-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/2724-8-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2724-10-0x0000000000B20000-0x0000000000B76000-memory.dmp

Filesize
344KB

Download
memory/2724-11-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2724-12-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2724-14-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/2724-13-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2724-15-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2724-17-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/2724-18-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2724-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2724-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/2724-6-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2724-206-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/2724-5-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2724-221-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-248-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-4-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2724-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2724-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-1-0x0000000001030000-0x00000000012D8000-memory.dmp

Filesize
2.7MB

Download