dcrat | 14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Size

1.7MB
MD5

71cf8d606c066e5d43f2bb53c2d22540
SHA1

5e8c5e1efd7142f1a28e64d4736eea679eccd538
SHA256

14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32
SHA512

9688ecad23e7bc7f95df762ff4f140b37cacd31968d244c4db8daf8a1738e5f1811e4d1df63802b4889439dee5c5999f6853864df4010c82300ac1bc09b575e0
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3740	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3740	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3740	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3740	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3740	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3740	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/324-1-0x0000000000580000-0x0000000000740000-memory.dmp	dcrat
behavioral2/files/0x000d000000023b85-32.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1368	powershell.exe
4896	powershell.exe
1892	powershell.exe
2060	powershell.exe
3632	powershell.exe
1756	powershell.exe
1716	powershell.exe
3512	powershell.exe
1472	powershell.exe
2120	powershell.exe
892	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 8 IoCs

pid	Process
3664	smss.exe
3216	smss.exe
1368	smss.exe
3068	smss.exe
1028	smss.exe
4980	smss.exe
3732	smss.exe
2300	smss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\System.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\dotnet\27d1bcfc3c54e0	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\dotnet\RCX694D.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\dotnet\RCX694E.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\dotnet\System.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\69ddcba757bf72	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\RCX6718.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\RCX6719.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4184	schtasks.exe
3616	schtasks.exe
1976	schtasks.exe
3508	schtasks.exe
884	schtasks.exe
4840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2060	powershell.exe
2060	powershell.exe
1472	powershell.exe
1472	powershell.exe
2120	powershell.exe
2120	powershell.exe
3632	powershell.exe
3632	powershell.exe
1892	powershell.exe
1892	powershell.exe
892	powershell.exe
892	powershell.exe
1368	powershell.exe
1368	powershell.exe
1716	powershell.exe
1716	powershell.exe
4896	powershell.exe
4896	powershell.exe
3512	powershell.exe
3512	powershell.exe
1756	powershell.exe
1756	powershell.exe
892	powershell.exe
2120	powershell.exe
2060	powershell.exe
2060	powershell.exe
1472	powershell.exe
3632	powershell.exe
1892	powershell.exe
3512	powershell.exe
1716	powershell.exe
1368	powershell.exe
1756	powershell.exe
4896	powershell.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe
3664	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	3664	smss.exe
Token: SeDebugPrivilege	3216	smss.exe
Token: SeDebugPrivilege	1368	smss.exe
Token: SeDebugPrivilege	3068	smss.exe
Token: SeDebugPrivilege	1028	smss.exe
Token: SeDebugPrivilege	4980	smss.exe
Token: SeDebugPrivilege	3732	smss.exe
Token: SeDebugPrivilege	2300	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 892	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	89
PID 324 wrote to memory of 892	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	89
PID 324 wrote to memory of 3632	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	90
PID 324 wrote to memory of 3632	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	90
PID 324 wrote to memory of 2120	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	91
PID 324 wrote to memory of 2120	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	91
PID 324 wrote to memory of 1472	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	92
PID 324 wrote to memory of 1472	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	92
PID 324 wrote to memory of 3512	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	93
PID 324 wrote to memory of 3512	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	93
PID 324 wrote to memory of 1892	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	94
PID 324 wrote to memory of 1892	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	94
PID 324 wrote to memory of 1716	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	95
PID 324 wrote to memory of 1716	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	95
PID 324 wrote to memory of 4896	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	96
PID 324 wrote to memory of 4896	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	96
PID 324 wrote to memory of 1368	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	97
PID 324 wrote to memory of 1368	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	97
PID 324 wrote to memory of 1756	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	98
PID 324 wrote to memory of 1756	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	98
PID 324 wrote to memory of 2060	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	99
PID 324 wrote to memory of 2060	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	99
PID 324 wrote to memory of 2532	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	111
PID 324 wrote to memory of 2532	324	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	111
PID 2532 wrote to memory of 1652	2532	cmd.exe	113
PID 2532 wrote to memory of 1652	2532	cmd.exe	113
PID 2532 wrote to memory of 3664	2532	cmd.exe	114
PID 2532 wrote to memory of 3664	2532	cmd.exe	114
PID 3664 wrote to memory of 4456	3664	smss.exe	115
PID 3664 wrote to memory of 4456	3664	smss.exe	115
PID 3664 wrote to memory of 4904	3664	smss.exe	116
PID 3664 wrote to memory of 4904	3664	smss.exe	116
PID 4456 wrote to memory of 3216	4456	WScript.exe	123
PID 4456 wrote to memory of 3216	4456	WScript.exe	123
PID 3216 wrote to memory of 2300	3216	smss.exe	124
PID 3216 wrote to memory of 2300	3216	smss.exe	124
PID 3216 wrote to memory of 3632	3216	smss.exe	125
PID 3216 wrote to memory of 3632	3216	smss.exe	125
PID 2300 wrote to memory of 1368	2300	WScript.exe	127
PID 2300 wrote to memory of 1368	2300	WScript.exe	127
PID 1368 wrote to memory of 2796	1368	smss.exe	129
PID 1368 wrote to memory of 2796	1368	smss.exe	129
PID 1368 wrote to memory of 1448	1368	smss.exe	130
PID 1368 wrote to memory of 1448	1368	smss.exe	130
PID 2796 wrote to memory of 3068	2796	WScript.exe	131
PID 2796 wrote to memory of 3068	2796	WScript.exe	131
PID 3068 wrote to memory of 1476	3068	smss.exe	132
PID 3068 wrote to memory of 1476	3068	smss.exe	132
PID 3068 wrote to memory of 968	3068	smss.exe	133
PID 3068 wrote to memory of 968	3068	smss.exe	133
PID 1476 wrote to memory of 1028	1476	WScript.exe	134
PID 1476 wrote to memory of 1028	1476	WScript.exe	134
PID 1028 wrote to memory of 1704	1028	smss.exe	135
PID 1028 wrote to memory of 1704	1028	smss.exe	135
PID 1028 wrote to memory of 5048	1028	smss.exe	136
PID 1028 wrote to memory of 5048	1028	smss.exe	136
PID 1704 wrote to memory of 4980	1704	WScript.exe	137
PID 1704 wrote to memory of 4980	1704	WScript.exe	137
PID 4980 wrote to memory of 524	4980	smss.exe	138
PID 4980 wrote to memory of 524	4980	smss.exe	138
PID 4980 wrote to memory of 4060	4980	smss.exe	139
PID 4980 wrote to memory of 4060	4980	smss.exe	139
PID 524 wrote to memory of 3732	524	WScript.exe	140
PID 524 wrote to memory of 3732	524	WScript.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
"C:\Users\Admin\AppData\Local\Temp\14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cI1AeIbpc1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1652
- - C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c43dc524-bfa0-4cb4-90ab-8d4c4f99a900.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21b49b01-7158-4bc0-aac2-367429e1b606.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0598ce0c-22a3-4e6a-bd80-875b3c59a50b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb1ca6e-cc69-417f-9f4b-306a1a96baff.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff5c4e93-df4b-4bb7-b9f9-78a9258174a3.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e9ae385-d98d-4b27-a7cb-9c154131dccf.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5497506-25af-4c99-86cc-9b0d85196ac6.vbs"
        16⤵
        
        PID:2580
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        
        C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5d0181-652d-4d69-84c4-c6b22683d04b.vbs"
        18⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2e27d9-912c-4e0c-96e7-3cafaa495ba9.vbs"
        18⤵
        
        PID:528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a901c052-7aef-41ac-8a33-5e9a4f20f8ed.vbs"
        16⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eff8cc68-c2db-40cf-995b-b0c965310efb.vbs"
        14⤵
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab6f1abe-41a3-49ec-8e78-5a9f6f5df6b5.vbs"
        12⤵
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5e736e-6ac2-404c-a27d-4af3d1c6a250.vbs"
        10⤵
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f213f6-8aca-4917-b257-9e5db7df9ac5.vbs"
        8⤵
        
        PID:1448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a5c26a-f06a-47fb-b158-73e79f20ba29.vbs"
        6⤵
        
        PID:3632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f48475b-afeb-4d25-bd96-0151cc2fc869.vbs"
      4⤵
      PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\0598ce0c-22a3-4e6a-bd80-875b3c59a50b.vbs

Filesize
774B

MD5
0743a363bbbd479dba1f5687c19ba908

SHA1
6af355a8e27f95a43becdeecb209beb19dfb66ea

SHA256
2392be6d3753f44aa2b20f0d335c441913707ea594a6872e2465b399adb7419c

SHA512
5dc19cd8c0dce135183f4679fa5c4275ac167f80e88f17a479c390efedf23a3b77313d7f0ddeb1b2354bf97a7b3564c1fddf995dbca51df0fb8bcde62837ba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\21b49b01-7158-4bc0-aac2-367429e1b606.vbs

Filesize
774B

MD5
18d365dd8ec7fce2e903bef2b3f5477e

SHA1
9dcdeed0fc4c18c797a1fcb0687976d2ed6de4f4

SHA256
e3598480f00a5adf6cda327f4ce883fcc9b0503118d5355c484daf8e77d00bb3

SHA512
f64fcab522fd97d1c7356857a84694997e3a6e63bcde076722b6346961c19ed4bf13adff2748e1b8f5c26a2657aee864e4c9f971366c44c8e9558abf890df21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb1ca6e-cc69-417f-9f4b-306a1a96baff.vbs

Filesize
774B

MD5
51fcbda89679ad485ba37bdbdc706f75

SHA1
4e67459b15a96d5b89ffd3905bb40ed677aa8934

SHA256
52c6a78c6cd74b5f54df67b5ad4b127e1220403b4433b6c9298e4af777c1e098

SHA512
c53ce1136b52447fc23ac1769c0dbf7c54b6b2e2790d2147fd9b176e44628870f0ebe8aa518498d405ecece229599fa18804a7db1c84208872515614509383af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f48475b-afeb-4d25-bd96-0151cc2fc869.vbs

Filesize
550B

MD5
9cc1ef52745a1f05575034c7d885d043

SHA1
58b1ce712d047c9224b027d78415d7ca67305c1b

SHA256
cbd75612eb9ad606560461142cec749b1722e8e856c6194191930b4a6ddb8871

SHA512
d638a34651517f6a425c2bf1cae29feb1e7e9273415b6a18c0699a5a035eb75696ee6902f7a809279b06f183306be41194fda4042a3f8e81b896174c32933e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e9ae385-d98d-4b27-a7cb-9c154131dccf.vbs

Filesize
774B

MD5
b1079cc4049a1edc471e91f80d5343b2

SHA1
4ae470f6d75ad8a84a0ba82af0d5deb75679b855

SHA256
c336a425f5305deea73803bf82f2cdb74667f653364307a99fba944ecf4d5ae5

SHA512
ae7c3198cbd5664bcb7a5428459ef0004bc996fb2fd97f884ce4e643dfd714b33b0f835c0870505ba66290a432d06326104928877e54d3842318e6433a5e6f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ozsakvm.1l3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5497506-25af-4c99-86cc-9b0d85196ac6.vbs

Filesize
774B

MD5
1f465d2c78fbc77df0abb9d4158ed731

SHA1
1de5b675f74cf727847eb4d969ddcb32538e9cb4

SHA256
d0bfc8102aeff1a93964e20f2e5862b1c22876acd4be01a8dc426523ca8604de

SHA512
820797af3d93371b8db4875c0c171da6b63bc2b36469ed6bb382283920d9ceb4ff54f25f5891a6e34824136a1df411a3a26e556ff8150e28ab45206fca8e96eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c43dc524-bfa0-4cb4-90ab-8d4c4f99a900.vbs

Filesize
774B

MD5
88724409ce54b0e5a14754f4aab626b8

SHA1
f3bbaca40a6ca585d05255a8e9699f821a9ce65d

SHA256
f4312201a43dc8a2150ae931982de7bf701b007bc20d665bd504b5391349ed83

SHA512
5e47716ced0488aad53dcb36f13178e94e993ed6b498b28ffcb38dc63ee35a44d97ecdbcec90d76fb539e1b764dfe74b859128ccbe10ba6f93319d48fe94eb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\cI1AeIbpc1.bat

Filesize
263B

MD5
a2242b82dfe70c463a9f24cac20c3aff

SHA1
2304ca3264922e0dc256939f3d0d60e11a7c76d3

SHA256
1396e212c6e7d2c15ec4009d90550b731f787ee3bac1a8818362025c2de44fa0

SHA512
e8f3d685038314d5acf675e46e60a605f460809692c4b0c3e0bd0f30834680094fb2445e870b78c47db562b2d29ade8a03e2e6f6905b43492e555587e586d2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5d0181-652d-4d69-84c4-c6b22683d04b.vbs

Filesize
774B

MD5
4c793a5c8e43e7d19ecd9101c0dfffd2

SHA1
3ff054dadb124cc053017a6d9e920d22101c9f7e

SHA256
a4c7b3705b43868dfff9ad15cc7e9a1c50bd5ebdd1cad8d1148e4bad448c75c7

SHA512
48660004e637250af6b53971a0227aaadc92f5290dd4f18794e86e7089a1e61d847c5b5d599535b548057fe03c2201d86ccb019a90b2d20d0cea531f917f0e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff5c4e93-df4b-4bb7-b9f9-78a9258174a3.vbs

Filesize
774B

MD5
ab63c49227e3cb2763fbef141e81425f

SHA1
e96d320e84bcf58e49e5fc030aff5fa75913a6d8

SHA256
75433b0b502c3060471ce02e53ef31fa7d499e49ceacb63cc930e72ffeebb4c1

SHA512
847f5d727d8afb85982d68db67f5f3e4d6e7300e6b39a82aad418f784de347582db730ae7676495ded64e6214d207d2d0147391b1d85beee291969ad53cfaa42

Download Submit
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\smss.exe

Filesize
1.7MB

MD5
71cf8d606c066e5d43f2bb53c2d22540

SHA1
5e8c5e1efd7142f1a28e64d4736eea679eccd538

SHA256
14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32

SHA512
9688ecad23e7bc7f95df762ff4f140b37cacd31968d244c4db8daf8a1738e5f1811e4d1df63802b4889439dee5c5999f6853864df4010c82300ac1bc09b575e0

Download Submit
memory/324-10-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/324-5-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/324-22-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-15-0x000000001BB70000-0x000000001BB7A000-memory.dmp

Filesize
40KB

Download
memory/324-1-0x0000000000580000-0x0000000000740000-memory.dmp

Filesize
1.8MB

Download
memory/324-16-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/324-80-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-19-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/324-17-0x000000001BB90000-0x000000001BB98000-memory.dmp

Filesize
32KB

Download
memory/324-18-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/324-14-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/324-13-0x000000001BF90000-0x000000001C4B8000-memory.dmp

Filesize
5.2MB

Download
memory/324-12-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/324-2-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-0-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

Filesize
8KB

Download
memory/324-9-0x000000001B2B0000-0x000000001B2BC000-memory.dmp

Filesize
48KB

Download
memory/324-7-0x000000001B280000-0x000000001B296000-memory.dmp

Filesize
88KB

Download
memory/324-3-0x0000000002910000-0x000000000292C000-memory.dmp

Filesize
112KB

Download
memory/324-8-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download
memory/324-23-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-6-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/324-4-0x000000001B9F0000-0x000000001BA40000-memory.dmp

Filesize
320KB

Download
memory/2060-70-0x0000016E6A6C0000-0x0000016E6A6E2000-memory.dmp

Filesize
136KB

Download
memory/3216-200-0x000000001D3E0000-0x000000001D3F2000-memory.dmp

Filesize
72KB

Download
memory/3664-187-0x000000001D740000-0x000000001D752000-memory.dmp

Filesize
72KB

Download