dcrat | e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Size

1.8MB
MD5

382eaedc34bfc15b7e749fb8a0cff600
SHA1

d8729997725a187120ee95e1d6068586a13ab678
SHA256

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a
SHA512

f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b
SSDEEP

24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Windows\\IME\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Windows\\IME\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Windows\\IME\\spoolsv.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4892	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4892	schtasks.exe	82

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
920	powershell.exe
1072	powershell.exe
380	powershell.exe
1288	powershell.exe
4424	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Executes dropped EXE 1 IoCs

pid	Process
1536	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\smss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\spoolsv.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\spoolsv.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF829D1D794474D6DA8EAEE5C37F9BD3A.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\69ddcba757bf72	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\121e5b5079f7c0	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\OCR\de-de\explorer.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Windows\IME\spoolsv.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Windows\IME\f3b6ecef712a24	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1912	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3332	schtasks.exe
4000	schtasks.exe
3292	schtasks.exe
4148	schtasks.exe
1436	schtasks.exe
5052	schtasks.exe
2280	schtasks.exe
4416	schtasks.exe
1988	schtasks.exe
664	schtasks.exe
2212	schtasks.exe
2204	schtasks.exe
344	schtasks.exe
692	schtasks.exe
1496	schtasks.exe
5084	schtasks.exe
2512	schtasks.exe
4468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1536	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	1536	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 888	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	86
PID 3352 wrote to memory of 888	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	86
PID 888 wrote to memory of 1936	888	csc.exe	120
PID 888 wrote to memory of 1936	888	csc.exe	120
PID 3352 wrote to memory of 4424	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	104
PID 3352 wrote to memory of 4424	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	104
PID 3352 wrote to memory of 1288	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	105
PID 3352 wrote to memory of 1288	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	105
PID 3352 wrote to memory of 380	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	106
PID 3352 wrote to memory of 380	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	106
PID 3352 wrote to memory of 1072	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	107
PID 3352 wrote to memory of 1072	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	107
PID 3352 wrote to memory of 920	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	108
PID 3352 wrote to memory of 920	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	108
PID 3352 wrote to memory of 2644	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	109
PID 3352 wrote to memory of 2644	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	109
PID 3352 wrote to memory of 4332	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	116
PID 3352 wrote to memory of 4332	3352	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	116
PID 4332 wrote to memory of 3480	4332	cmd.exe	118
PID 4332 wrote to memory of 3480	4332	cmd.exe	118
PID 4332 wrote to memory of 1912	4332	cmd.exe	119
PID 4332 wrote to memory of 1912	4332	cmd.exe	119
PID 4332 wrote to memory of 1536	4332	cmd.exe	126
PID 4332 wrote to memory of 1536	4332	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
"C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3acy1rn\e3acy1rn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp" "c:\Windows\System32\CSCF829D1D794474D6DA8EAEE5C37F9BD3A.TMP"
    3⤵
    PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EUW8PA4gv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3480
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1912
- - C:\Program Files (x86)\Windows Portable Devices\csrss.exe
    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 55f4e7bce8ae2b5f0a5649520adfac20 FQoCDexGJ0eoPjnICJN/Ow.0.1.0.0.0
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe

Filesize
1.8MB

MD5
382eaedc34bfc15b7e749fb8a0cff600

SHA1
d8729997725a187120ee95e1d6068586a13ab678

SHA256
e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

SHA512
f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EUW8PA4gv.bat

Filesize
185B

MD5
6325f6e2c6bb652fba61c574a201664d

SHA1
0aa23409537fa97487ac4028bac2dcbec61f63e4

SHA256
4025adb5b6ee31c1dc413b1a9e45d7633c707aed806323b46f04a5a7fea76ab1

SHA512
730f7d2b044ee11cd6f41d841d5230c2caaf2d78a5724d6ea40ebffe2eb397646fd3bf30adf62d08e3129e6e4c024e72e3e69519c8d6820032e7048309a5a7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp

Filesize
1KB

MD5
bfbabb9a826d81714e5b08ed494c3bd0

SHA1
cc0729cd83faf9b74fc5accb32ed014c06ab5a80

SHA256
c006c5bea0fb10caa8aba32c0f70246c579f6e55657dad1f97fcea04fb7017e1

SHA512
d7f4cf260b103426961369ffb0a595b94fb0ac433ff014f05323be32d31a91b8598ff43f4aebb021054a14c5a80447acf2e76714953881b2c041f21e84c88748

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyda55yc.ad4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3acy1rn\e3acy1rn.0.cs

Filesize
394B

MD5
eb4f09f5f1c9f03753b4e61f14fa5ca0

SHA1
c35098d793bd8ef9b9052e3c386456fd43e27d64

SHA256
2b675b8fbfccbc31268c7555b5b1f051328e457665529a455779f991ea22dda9

SHA512
fd193cadda4a28563825f54096c0161d9281d70a559c10c9f18579ac7a3d41cf93bcfe980caf80a4b483342b5111aabda23a6075c1480cf389c30816db880c2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3acy1rn\e3acy1rn.cmdline

Filesize
235B

MD5
99e9a6bad427f4cd99bd79d5bbe524a2

SHA1
e945691f75ba29951c1bf5a49d88c73888468e0e

SHA256
1093b027c30ef0ef3a1a83c12e03d49e20345489591646c3b022ba3a30de1097

SHA512
1bc4919fe21f8b45704ab226325454d5179a40f024a7773e67b1589d9901252e785b6864e13272a5a30fc1164c1957d6534e35b8ac94947561b98ccc2534a7d0

Download Submit
\??\c:\Windows\System32\CSCF829D1D794474D6DA8EAEE5C37F9BD3A.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/1288-54-0x000002554FC00000-0x000002554FC22000-memory.dmp

Filesize
136KB

Download
memory/3352-8-0x0000000002E40000-0x0000000002E5C000-memory.dmp

Filesize
112KB

Download
memory/3352-10-0x000000001BC10000-0x000000001BC60000-memory.dmp

Filesize
320KB

Download
memory/3352-29-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-30-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-24-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-16-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-35-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-14-0x0000000002E20000-0x0000000002E2C000-memory.dmp

Filesize
48KB

Download
memory/3352-12-0x0000000002E60000-0x0000000002E78000-memory.dmp

Filesize
96KB

Download
memory/3352-28-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

Filesize
8KB

Download
memory/3352-77-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-9-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-6-0x0000000001520000-0x000000000152E000-memory.dmp

Filesize
56KB

Download
memory/3352-4-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-3-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-2-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-1-0x0000000000A20000-0x0000000000BFA000-memory.dmp

Filesize
1.9MB

Download