dcrat | 0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Size

984KB
MD5

789ff6a462201360bea02c98b4fb3c2d
SHA1

322228573e2be64daf1ee9118af397dfcbc91bce
SHA256

0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8
SHA512

72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e
SSDEEP

12288:gyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo:gyErYT+PvXIUln/1GJgo

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	212	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	212	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1268-1-0x0000000000080000-0x000000000017C000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b9e-26.dat	dcrat
behavioral2/files/0x000d000000023bad-59.dat	dcrat
behavioral2/files/0x000d000000023b8f-70.dat	dcrat
behavioral2/files/0x000c000000023b96-81.dat	dcrat
behavioral2/files/0x000c000000023b9b-92.dat	dcrat
behavioral2/files/0x000d000000023b9e-115.dat	dcrat
behavioral2/files/0x000c000000023ba5-127.dat	dcrat
behavioral2/memory/544-290-0x00000000006A0000-0x000000000079C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
376	powershell.exe
3804	powershell.exe
4316	powershell.exe
4432	powershell.exe
2276	powershell.exe
1036	powershell.exe
3620	powershell.exe
4104	powershell.exe
4452	powershell.exe
4580	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe

Executes dropped EXE 1 IoCs

pid	Process
544	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX93DA.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File created	C:\Program Files\Windows NT\TableTextService\sppsvc.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\9e8d7a4ca61bd9	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\RCX9147.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCX966C.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\RCX91B6.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCX96DA.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File created	C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\sppsvc.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9448.tmp	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sppsvc.exe	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
2640	schtasks.exe
4356	schtasks.exe
3132	schtasks.exe
2012	schtasks.exe
2736	schtasks.exe
2184	schtasks.exe
2452	schtasks.exe
3868	schtasks.exe
4464	schtasks.exe
1620	schtasks.exe
3240	schtasks.exe
2060	schtasks.exe
2872	schtasks.exe
3624	schtasks.exe
4644	schtasks.exe
1696	schtasks.exe
4616	schtasks.exe
5096	schtasks.exe
3656	schtasks.exe
4544	schtasks.exe
4148	schtasks.exe
1116	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
1036	powershell.exe
1036	powershell.exe
1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
4580	powershell.exe
4580	powershell.exe
2088	powershell.exe
2088	powershell.exe
376	powershell.exe
376	powershell.exe
4452	powershell.exe
4452	powershell.exe
3620	powershell.exe
3620	powershell.exe
4432	powershell.exe
4432	powershell.exe
4316	powershell.exe
4316	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	544	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 3804	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	109
PID 1268 wrote to memory of 3804	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	109
PID 1268 wrote to memory of 4316	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	110
PID 1268 wrote to memory of 4316	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	110
PID 1268 wrote to memory of 4432	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	111
PID 1268 wrote to memory of 4432	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	111
PID 1268 wrote to memory of 2276	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	112
PID 1268 wrote to memory of 2276	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	112
PID 1268 wrote to memory of 1036	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	113
PID 1268 wrote to memory of 1036	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	113
PID 1268 wrote to memory of 3620	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	114
PID 1268 wrote to memory of 3620	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	114
PID 1268 wrote to memory of 2088	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	115
PID 1268 wrote to memory of 2088	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	115
PID 1268 wrote to memory of 376	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	116
PID 1268 wrote to memory of 376	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	116
PID 1268 wrote to memory of 4452	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	117
PID 1268 wrote to memory of 4452	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	117
PID 1268 wrote to memory of 4580	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	118
PID 1268 wrote to memory of 4580	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	118
PID 1268 wrote to memory of 4104	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	119
PID 1268 wrote to memory of 4104	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	119
PID 1268 wrote to memory of 544	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	131
PID 1268 wrote to memory of 544	1268	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe	131

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
"C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Users\Public\Libraries\spoolsv.exe
  "C:\Users\Public\Libraries\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Temp\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\ssh\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\ssh\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe

Filesize
984KB

MD5
53de311aa377bb5ba3d5d5f5d0f35912

SHA1
fe93b260df6a126813dd94eacbe1d7a89e5778af

SHA256
45b01f655ae9fbf6edaa43e0f6b7c470f033ce493dbc15ef4ec4b5aec3bbb93b

SHA512
9a9d0d9da6decf93e7f4fe474cc32037af8808c0dd6b54a071496e6d6a930d269b250da18d16d9d2224d790c8223ba58bfd6fdcee4d0b2d8613af396cc58b0d9

Download Submit
C:\Program Files\7-Zip\Lang\sppsvc.exe

Filesize
984KB

MD5
a8194fad3f0ceeb12b42753185bea78e

SHA1
456eb4d3bbf2cf659fc2fdd2e35e0117c7a9cdaf

SHA256
4b6ea12a8fc8bfce25dcfd5cbc1151bce38f03f630d60079fc2464c00b31be26

SHA512
899ed281adea4bdc85634dc1e13fc99ac2b1a96eebe1fb7250e6c0e010919eef311ece73219d7f80cca76a5ab7c1d9bea2bcf4dabc2e352fca5722b56a95c90a

Download Submit
C:\Program Files\Windows NT\TableTextService\sppsvc.exe

Filesize
984KB

MD5
77df50bf1e30823a3d86179cd97fd2f4

SHA1
7752dd8becc7c7ea42a517ee57058c314b37cac0

SHA256
e81ca22e3c25f1d2da325f72abaa7fa35ecf243f67df6a0e986abce1494fcc55

SHA512
b0b2d9196812a0979bc3a7e9a213c84b5b0742ae3078fdcae237aee367117502b13edbaf53565175a96d98332b93af26f74ede1fa21634f35944aff81a091cde

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
984KB

MD5
0fef1239f9b966966feacdea5eb60f1d

SHA1
0aa57a0f16e3c739487e661ef88e6830aebee6fe

SHA256
1232e8faa6f44a8a99d175644fdb22f5ef5a3a7225839406adc00df0b570a7af

SHA512
ddadeb9e3fe34b647942397ad26f6291495add86ef6264176ae6e4e2c00f3169e74c2e40b176a6ec9b4caaea9aca8894ea1a1734eba324fee07f052325d49b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkg50laa.pbv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\spoolsv.exe

Filesize
984KB

MD5
6e3b2c8995fc2e06bdf8a898270ea6db

SHA1
d493bc270bc945f96dfd3161a619dc1ca73f022b

SHA256
05548016d2f8f7e8d17129c4547eabed05f5e8af2b1fef76dc4afa427745f7b0

SHA512
bc7223ff0ce9c4a185103ecf68ef01f3c874874357ad53c748ba81e99d7a7e89f04188d0fc81dba1147089936d30ff84b9dbcf0556da3be50375aae3cddc112b

Download Submit
C:\Windows\Temp\TextInputHost.exe

Filesize
984KB

MD5
789ff6a462201360bea02c98b4fb3c2d

SHA1
322228573e2be64daf1ee9118af397dfcbc91bce

SHA256
0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

SHA512
72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e

Download Submit
C:\Windows\Temp\TextInputHost.exe

Filesize
984KB

MD5
1f30f9a8396ef6e21709887b87f70493

SHA1
08fc6829b10132367bbda1821dbc5f15a3f5f132

SHA256
2d332b4cf47f95676334d79dd8bbde4d252cc3df51c772d8349482abed14b87e

SHA512
f39d63dd69210f7138aab9240881e922e31f63fbe308d781bcedb50bd10237dc952cf4e79473fe15cb915e88ace93af51ce6fe617553c57af11e253a0835211b

Download Submit
memory/544-290-0x00000000006A0000-0x000000000079C000-memory.dmp

Filesize
1008KB

Download
memory/1036-184-0x0000022BD4C20000-0x0000022BD4C42000-memory.dmp

Filesize
136KB

Download
memory/1268-12-0x000000001AF20000-0x000000001AF2E000-memory.dmp

Filesize
56KB

Download
memory/1268-214-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-11-0x000000001AF10000-0x000000001AF18000-memory.dmp

Filesize
32KB

Download
memory/1268-17-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-13-0x000000001AF30000-0x000000001AF3C000-memory.dmp

Filesize
48KB

Download
memory/1268-19-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-10-0x000000001AF00000-0x000000001AF0C000-memory.dmp

Filesize
48KB

Download
memory/1268-124-0x00007FFB5C283000-0x00007FFB5C285000-memory.dmp

Filesize
8KB

Download
memory/1268-9-0x000000001AEF0000-0x000000001AEFC000-memory.dmp

Filesize
48KB

Download
memory/1268-18-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-8-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

Filesize
48KB

Download
memory/1268-0-0x00007FFB5C283000-0x00007FFB5C285000-memory.dmp

Filesize
8KB

Download
memory/1268-14-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/1268-292-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-7-0x000000001ADA0000-0x000000001ADAA000-memory.dmp

Filesize
40KB

Download
memory/1268-6-0x000000001AEC0000-0x000000001AED6000-memory.dmp

Filesize
88KB

Download
memory/1268-5-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/1268-4-0x000000001AD80000-0x000000001AD88000-memory.dmp

Filesize
32KB

Download
memory/1268-3-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/1268-2-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp

Filesize
10.8MB

Download
memory/1268-1-0x0000000000080000-0x000000000017C000-memory.dmp

Filesize
1008KB

Download