dcrat | 7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9040D1F68050A9B2533AC7E8B59C2AA0.exe
Size

3.4MB
MD5

9040d1f68050a9b2533ac7e8b59c2aa0
SHA1

1b38a5284d4510423c0c4ac77066fc6eb41b9286
SHA256

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
SHA512

e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39
SSDEEP

49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy:nuEktPuu1qbhwDoWHgt+5JZS8fy

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2144	schtasks.exe	31

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2452-1-0x0000000000800000-0x0000000000B6A000-memory.dmp	dcrat
behavioral1/files/0x0005000000019456-46.dat	dcrat
behavioral1/memory/2092-58-0x0000000000930000-0x0000000000C9A000-memory.dmp	dcrat
behavioral1/memory/2336-70-0x0000000001300000-0x000000000166A000-memory.dmp	dcrat
behavioral1/memory/2708-117-0x0000000000230000-0x000000000059A000-memory.dmp	dcrat
behavioral1/memory/1640-130-0x0000000001190000-0x00000000014FA000-memory.dmp	dcrat

Executes dropped EXE 7 IoCs

pid	Process
2092	sppsvc.exe
2336	sppsvc.exe
2820	sppsvc.exe
2968	sppsvc.exe
916	sppsvc.exe
2708	sppsvc.exe
1640	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
26	pastebin.com
30	pastebin.com
4	pastebin.com
5	pastebin.com
10	pastebin.com
14	pastebin.com
18	pastebin.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dllhost.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files\Windows Defender\smss.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	9040D1F68050A9B2533AC7E8B59C2AA0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\taskhost.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Windows\L2Schemas\b75386f1303e64	9040D1F68050A9B2533AC7E8B59C2AA0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2968	schtasks.exe
1056	schtasks.exe
1248	schtasks.exe
2040	schtasks.exe
2732	schtasks.exe
2564	schtasks.exe
2596	schtasks.exe
1556	schtasks.exe
2792	schtasks.exe
2632	schtasks.exe
1984	schtasks.exe
1436	schtasks.exe
2224	schtasks.exe
1284	schtasks.exe
2508	schtasks.exe
796	schtasks.exe
2304	schtasks.exe
2096	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2092	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe
2092	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Token: SeDebugPrivilege	2092	sppsvc.exe
Token: SeDebugPrivilege	2336	sppsvc.exe
Token: SeDebugPrivilege	2820	sppsvc.exe
Token: SeDebugPrivilege	2968	sppsvc.exe
Token: SeDebugPrivilege	916	sppsvc.exe
Token: SeDebugPrivilege	2708	sppsvc.exe
Token: SeDebugPrivilege	1640	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2860	2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe	50
PID 2452 wrote to memory of 2860	2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe	50
PID 2452 wrote to memory of 2860	2452	9040D1F68050A9B2533AC7E8B59C2AA0.exe	50
PID 2860 wrote to memory of 532	2860	cmd.exe	52
PID 2860 wrote to memory of 532	2860	cmd.exe	52
PID 2860 wrote to memory of 532	2860	cmd.exe	52
PID 2860 wrote to memory of 2092	2860	cmd.exe	53
PID 2860 wrote to memory of 2092	2860	cmd.exe	53
PID 2860 wrote to memory of 2092	2860	cmd.exe	53
PID 2860 wrote to memory of 2092	2860	cmd.exe	53
PID 2860 wrote to memory of 2092	2860	cmd.exe	53
PID 2092 wrote to memory of 1044	2092	sppsvc.exe	54
PID 2092 wrote to memory of 1044	2092	sppsvc.exe	54
PID 2092 wrote to memory of 1044	2092	sppsvc.exe	54
PID 2092 wrote to memory of 908	2092	sppsvc.exe	55
PID 2092 wrote to memory of 908	2092	sppsvc.exe	55
PID 2092 wrote to memory of 908	2092	sppsvc.exe	55
PID 1044 wrote to memory of 2336	1044	WScript.exe	56
PID 1044 wrote to memory of 2336	1044	WScript.exe	56
PID 1044 wrote to memory of 2336	1044	WScript.exe	56
PID 1044 wrote to memory of 2336	1044	WScript.exe	56
PID 1044 wrote to memory of 2336	1044	WScript.exe	56
PID 2336 wrote to memory of 1552	2336	sppsvc.exe	57
PID 2336 wrote to memory of 1552	2336	sppsvc.exe	57
PID 2336 wrote to memory of 1552	2336	sppsvc.exe	57
PID 2336 wrote to memory of 844	2336	sppsvc.exe	58
PID 2336 wrote to memory of 844	2336	sppsvc.exe	58
PID 2336 wrote to memory of 844	2336	sppsvc.exe	58
PID 1552 wrote to memory of 2820	1552	WScript.exe	59
PID 1552 wrote to memory of 2820	1552	WScript.exe	59
PID 1552 wrote to memory of 2820	1552	WScript.exe	59
PID 1552 wrote to memory of 2820	1552	WScript.exe	59
PID 1552 wrote to memory of 2820	1552	WScript.exe	59
PID 2820 wrote to memory of 2404	2820	sppsvc.exe	60
PID 2820 wrote to memory of 2404	2820	sppsvc.exe	60
PID 2820 wrote to memory of 2404	2820	sppsvc.exe	60
PID 2820 wrote to memory of 1940	2820	sppsvc.exe	61
PID 2820 wrote to memory of 1940	2820	sppsvc.exe	61
PID 2820 wrote to memory of 1940	2820	sppsvc.exe	61
PID 2404 wrote to memory of 2968	2404	WScript.exe	62
PID 2404 wrote to memory of 2968	2404	WScript.exe	62
PID 2404 wrote to memory of 2968	2404	WScript.exe	62
PID 2404 wrote to memory of 2968	2404	WScript.exe	62
PID 2404 wrote to memory of 2968	2404	WScript.exe	62
PID 2968 wrote to memory of 2088	2968	sppsvc.exe	63
PID 2968 wrote to memory of 2088	2968	sppsvc.exe	63
PID 2968 wrote to memory of 2088	2968	sppsvc.exe	63
PID 2968 wrote to memory of 2264	2968	sppsvc.exe	64
PID 2968 wrote to memory of 2264	2968	sppsvc.exe	64
PID 2968 wrote to memory of 2264	2968	sppsvc.exe	64
PID 2088 wrote to memory of 916	2088	WScript.exe	65
PID 2088 wrote to memory of 916	2088	WScript.exe	65
PID 2088 wrote to memory of 916	2088	WScript.exe	65
PID 2088 wrote to memory of 916	2088	WScript.exe	65
PID 2088 wrote to memory of 916	2088	WScript.exe	65
PID 916 wrote to memory of 2080	916	sppsvc.exe	66
PID 916 wrote to memory of 2080	916	sppsvc.exe	66
PID 916 wrote to memory of 2080	916	sppsvc.exe	66
PID 916 wrote to memory of 1404	916	sppsvc.exe	67
PID 916 wrote to memory of 1404	916	sppsvc.exe	67
PID 916 wrote to memory of 1404	916	sppsvc.exe	67
PID 2080 wrote to memory of 2708	2080	WScript.exe	69
PID 2080 wrote to memory of 2708	2080	WScript.exe	69
PID 2080 wrote to memory of 2708	2080	WScript.exe	69

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9040D1F68050A9B2533AC7E8B59C2AA0.exe
"C:\Users\Admin\AppData\Local\Temp\9040D1F68050A9B2533AC7E8B59C2AA0.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aLgtftWi9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:532
- - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
    "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2092
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c8f862-8b00-4e41-b22f-0c2fef90eb02.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2336
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67b01cd9-11a3-44bf-bda4-bf50bb83585d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0881837a-83a6-44b7-9aab-f56a04053d2c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b931764-cc1c-4ed4-ae46-aacfadd8dc68.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dccb1cf7-6959-4676-88f0-37fe8355c34d.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6286bea4-aadb-405a-a330-25219bb1f2a7.vbs"
        14⤵
        
        PID:2104
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3227b4f5-df29-4ba7-8573-a7ff9547adad.vbs"
        16⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aec1b8f-3081-4908-a049-68a3889a651b.vbs"
        16⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4116f12-79e5-486f-8bbf-844f83518ee9.vbs"
        14⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cbe4be-51e9-41c6-af22-24e4b8501ca5.vbs"
        12⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e804e183-0a0f-47d9-aea0-511974135b31.vbs"
        10⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307534a5-8abc-4324-adff-3d835f2231fc.vbs"
        8⤵
        
        PID:1940
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95b61a5-9bb7-442d-ab35-f0f383912388.vbs"
        6⤵
        
        PID:844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0bd886d-3182-4d58-80f2-7137f85c84c6.vbs"
      4⤵
      PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\dllhost.exe

Filesize
3.4MB

MD5
9040d1f68050a9b2533ac7e8b59c2aa0

SHA1
1b38a5284d4510423c0c4ac77066fc6eb41b9286

SHA256
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

SHA512
e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\0881837a-83a6-44b7-9aab-f56a04053d2c.vbs

Filesize
735B

MD5
d286eb15f1f932dabd8c8a4e26bc626f

SHA1
f7410d7856c5a6de4f782e023a5ce9097eba2178

SHA256
806b7d4991372fa93b815bd65e5f9ff50f1b388c25984d7f543b3847178e55ea

SHA512
d77a6d9ee8e24c526506bf998f1f791a810e2325c319a8fd8b443fd85b6ae03ac6c9e1e7cd55fba6ddbcf9d07ee0b6b276a8fe805de1611e373c109786ec3680

Download Submit
C:\Users\Admin\AppData\Local\Temp\3227b4f5-df29-4ba7-8573-a7ff9547adad.vbs

Filesize
735B

MD5
47a4875449c8ab6cba5e953d0f67816b

SHA1
151fff45fd0b1e80c2a31b4c78ce79ece1a97683

SHA256
fa8631ed530f07aa38d68e1350e309f5977948001839c5737d322c6fb9b8ef3b

SHA512
3e590399ffd688d273fb5dc8658b30e16b9567ecf5e4ffa3ddc5136660b161b761aac69f963949878ef37ccfd355ca0d8099561d5bb174b55a7d478f06e8a688

Download Submit
C:\Users\Admin\AppData\Local\Temp\48c8f862-8b00-4e41-b22f-0c2fef90eb02.vbs

Filesize
735B

MD5
4361861f5a136efeebfcbad8f7bdfd79

SHA1
7d1d77626485ff56b6da288da9c828c5ed371caa

SHA256
a40c68dff74c59dbc4590cdfbc288ed5e9762b8e5e6a02c9fe7822fa2e25e3ec

SHA512
dc5e5c1a638c69b7d88443f6b824cb32770de0caed5eee7c6c1c1cf931dd90835baa387329028c02ce45e68dbf9406f9e0beaad3a40ac7a61035898d5eb3595c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6286bea4-aadb-405a-a330-25219bb1f2a7.vbs

Filesize
735B

MD5
617ae9092e3167356189e517d568d400

SHA1
95932dbffb3c36035f6c9174fb878f5b3334a7dc

SHA256
8d894317661a2eb1aa4470f49ea94e970c43a6e4e04ca21af33eac3398a386e5

SHA512
18319d02a193e1330a18f06ba4b02d90a08febb94557f6a1a0608aeface9108bb255127407d956428c05179866b9349b88a0fdd411b2c066faa915d28a1d9d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\67b01cd9-11a3-44bf-bda4-bf50bb83585d.vbs

Filesize
735B

MD5
dbbb40a2acc75c68604cf7ca3b5e0165

SHA1
72d31bc01df6a54e94969784e4ae541ac89894c1

SHA256
5b48af93dcf501f1f84de6209683cccbf0261e00b3b2ab4feb555dc5f3facb8a

SHA512
0659e5d037b8cb59e9777d489571c29e72e43149d89ed67492986b6692dfb3d656abc0955383f99750b84d986c7b8a60b544ba9a7ebf2bb116a3ed79de1d1f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aLgtftWi9.bat

Filesize
224B

MD5
ad9795358dc653621fccf0e58d93c9a9

SHA1
004eb94eaf54b1bd480b8af61e076f95deb3ed9a

SHA256
cf7224170af997c62a4588c21f59fcd3aa96d6e59202487cf421882c098641ba

SHA512
a92fbc438ce6da0794b0588585cc37b3ff0f361cf45442034fe279bedf4ce999b6501b1c7ac28645178d2b93669741a4ec12f0ad6935b8c48f007e915b32a5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b931764-cc1c-4ed4-ae46-aacfadd8dc68.vbs

Filesize
735B

MD5
ce1e9a9f1c699186c04f826d25f86291

SHA1
6ca19c67776474ec1390698e95ec5a0916919b30

SHA256
2bd1dc352914d026a4eaff768151917fbdfcbce158300789622fe5aa5f126295

SHA512
397166adf281a072336f80325978f7516d8883746b5de31592df32fbc7c89a24fd57691a2cfc344f5adab6acdf182a6dc6bcc4a9cade6f46a23096aa00caac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0bd886d-3182-4d58-80f2-7137f85c84c6.vbs

Filesize
511B

MD5
bfa2f36313ddf026eecae5905613f489

SHA1
07e1a6144d11693f8fdd557126724286b2244728

SHA256
a0eb78d334eae0fd15d6b7b11260802496786a95240e9279a2cd36a09f7d5576

SHA512
9d05daeee6e86664bf7fca951b7300fff5fe219b4ae0d38cd12fd398df355df14e5ba254f28e1cb0cfaa11e05e34b94aaacf7168d2c80cf875b3a64d769b654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dccb1cf7-6959-4676-88f0-37fe8355c34d.vbs

Filesize
734B

MD5
072be54de343651299b9b6f245ddfa0e

SHA1
09434df408e399918162796801322a2dfd59ac1b

SHA256
7c3ced3457318ad110c428fc190e3a753a5b8371b678732bb78d29eae32aa2bb

SHA512
8b0049ac17c3db92d3d26e3c41549977caa942e6979f82f22673580820532683781cfce9c9ad5294b225aa3d997a89ac6fdf6e70c098fade4c5c5a9db6c13ace

Download Submit
memory/916-105-0x00000000012B0000-0x0000000001306000-memory.dmp

Filesize
344KB

Download
memory/916-104-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1640-130-0x0000000001190000-0x00000000014FA000-memory.dmp

Filesize
3.4MB

Download
memory/2092-59-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2092-58-0x0000000000930000-0x0000000000C9A000-memory.dmp

Filesize
3.4MB

Download
memory/2336-70-0x0000000001300000-0x000000000166A000-memory.dmp

Filesize
3.4MB

Download
memory/2452-13-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2452-33-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/2452-18-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

Filesize
32KB

Download
memory/2452-21-0x000000001AB00000-0x000000001AB12000-memory.dmp

Filesize
72KB

Download
memory/2452-20-0x000000001AAF0000-0x000000001AAF8000-memory.dmp

Filesize
32KB

Download
memory/2452-19-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

Filesize
48KB

Download
memory/2452-22-0x000000001AF90000-0x000000001AF9C000-memory.dmp

Filesize
48KB

Download
memory/2452-23-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/2452-25-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/2452-24-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/2452-26-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2452-28-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/2452-27-0x000000001B070000-0x000000001B078000-memory.dmp

Filesize
32KB

Download
memory/2452-32-0x000000001B0A0000-0x000000001B0AE000-memory.dmp

Filesize
56KB

Download
memory/2452-31-0x000000001B090000-0x000000001B098000-memory.dmp

Filesize
32KB

Download
memory/2452-30-0x000000001B080000-0x000000001B08E000-memory.dmp

Filesize
56KB

Download
memory/2452-29-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/2452-37-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/2452-36-0x000000001B170000-0x000000001B17A000-memory.dmp

Filesize
40KB

Download
memory/2452-35-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/2452-34-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2452-17-0x000000001A9C0000-0x000000001A9CC000-memory.dmp

Filesize
48KB

Download
memory/2452-16-0x000000001AEE0000-0x000000001AF36000-memory.dmp

Filesize
344KB

Download
memory/2452-15-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2452-55-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2452-14-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2452-12-0x0000000002310000-0x000000000231C000-memory.dmp

Filesize
48KB

Download
memory/2452-7-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2452-9-0x00000000022D0000-0x00000000022E6000-memory.dmp

Filesize
88KB

Download
memory/2452-11-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2452-10-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2452-8-0x00000000022C0000-0x00000000022D0000-memory.dmp

Filesize
64KB

Download
memory/2452-6-0x0000000002290000-0x00000000022AC000-memory.dmp

Filesize
112KB

Download
memory/2452-5-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2452-4-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/2452-1-0x0000000000800000-0x0000000000B6A000-memory.dmp

Filesize
3.4MB

Download
memory/2452-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-3-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/2708-118-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2708-117-0x0000000000230000-0x000000000059A000-memory.dmp

Filesize
3.4MB

Download