dcrat | 6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Size

1.7MB
MD5

96eb6349f62024cbe4512ce6fe98e9ca
SHA1

ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f
SHA256

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c
SHA512

5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2204	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2204	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000C80000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/files/0x00070000000175e7-29.dat	dcrat
behavioral1/files/0x00050000000186f8-38.dat	dcrat
behavioral1/memory/2896-88-0x0000000000060000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1408-145-0x0000000000860000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1736-157-0x0000000001010000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2968-238-0x00000000011D0000-0x0000000001390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1772	powershell.exe
2528	powershell.exe
2520	powershell.exe
1828	powershell.exe
2396	powershell.exe
1488	powershell.exe
2512	powershell.exe
1260	powershell.exe
1672	powershell.exe
2380	powershell.exe
1720	powershell.exe
2128	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Executes dropped EXE 10 IoCs

pid	Process
2896	audiodg.exe
1408	audiodg.exe
1736	audiodg.exe
1828	audiodg.exe
1596	audiodg.exe
2896	audiodg.exe
2680	audiodg.exe
3028	audiodg.exe
2380	audiodg.exe
2968	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXCAA1.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\f3b6ecef712a24	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXCB0F.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCF18.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCF19.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2836	schtasks.exe
2852	schtasks.exe
2248	schtasks.exe
2384	schtasks.exe
2596	schtasks.exe
2812	schtasks.exe
2728	schtasks.exe
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2528	powershell.exe
2520	powershell.exe
2512	powershell.exe
1720	powershell.exe
2128	powershell.exe
1260	powershell.exe
2396	powershell.exe
1828	powershell.exe
2380	powershell.exe
1772	powershell.exe
1488	powershell.exe
1672	powershell.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
2896	audiodg.exe
1408	audiodg.exe
1408	audiodg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2896	audiodg.exe
Token: SeDebugPrivilege	1408	audiodg.exe
Token: SeDebugPrivilege	1736	audiodg.exe
Token: SeDebugPrivilege	1828	audiodg.exe
Token: SeDebugPrivilege	1596	audiodg.exe
Token: SeDebugPrivilege	2896	audiodg.exe
Token: SeDebugPrivilege	2680	audiodg.exe
Token: SeDebugPrivilege	3028	audiodg.exe
Token: SeDebugPrivilege	2380	audiodg.exe
Token: SeDebugPrivilege	2968	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1772	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	41
PID 1792 wrote to memory of 1772	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	41
PID 1792 wrote to memory of 1772	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	41
PID 1792 wrote to memory of 2512	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	42
PID 1792 wrote to memory of 2512	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	42
PID 1792 wrote to memory of 2512	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	42
PID 1792 wrote to memory of 2528	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	43
PID 1792 wrote to memory of 2528	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	43
PID 1792 wrote to memory of 2528	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	43
PID 1792 wrote to memory of 2520	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	44
PID 1792 wrote to memory of 2520	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	44
PID 1792 wrote to memory of 2520	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	44
PID 1792 wrote to memory of 2380	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	45
PID 1792 wrote to memory of 2380	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	45
PID 1792 wrote to memory of 2380	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	45
PID 1792 wrote to memory of 1672	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	46
PID 1792 wrote to memory of 1672	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	46
PID 1792 wrote to memory of 1672	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	46
PID 1792 wrote to memory of 1260	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	47
PID 1792 wrote to memory of 1260	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	47
PID 1792 wrote to memory of 1260	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	47
PID 1792 wrote to memory of 1828	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	50
PID 1792 wrote to memory of 1828	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	50
PID 1792 wrote to memory of 1828	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	50
PID 1792 wrote to memory of 1720	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	51
PID 1792 wrote to memory of 1720	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	51
PID 1792 wrote to memory of 1720	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	51
PID 1792 wrote to memory of 2128	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	52
PID 1792 wrote to memory of 2128	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	52
PID 1792 wrote to memory of 2128	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	52
PID 1792 wrote to memory of 2396	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	53
PID 1792 wrote to memory of 2396	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	53
PID 1792 wrote to memory of 2396	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	53
PID 1792 wrote to memory of 1488	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	54
PID 1792 wrote to memory of 1488	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	54
PID 1792 wrote to memory of 1488	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	54
PID 1792 wrote to memory of 2896	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	65
PID 1792 wrote to memory of 2896	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	65
PID 1792 wrote to memory of 2896	1792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	65
PID 2896 wrote to memory of 2248	2896	audiodg.exe	66
PID 2896 wrote to memory of 2248	2896	audiodg.exe	66
PID 2896 wrote to memory of 2248	2896	audiodg.exe	66
PID 2896 wrote to memory of 2340	2896	audiodg.exe	67
PID 2896 wrote to memory of 2340	2896	audiodg.exe	67
PID 2896 wrote to memory of 2340	2896	audiodg.exe	67
PID 2248 wrote to memory of 1408	2248	WScript.exe	68
PID 2248 wrote to memory of 1408	2248	WScript.exe	68
PID 2248 wrote to memory of 1408	2248	WScript.exe	68
PID 1408 wrote to memory of 1848	1408	audiodg.exe	69
PID 1408 wrote to memory of 1848	1408	audiodg.exe	69
PID 1408 wrote to memory of 1848	1408	audiodg.exe	69
PID 1408 wrote to memory of 2996	1408	audiodg.exe	70
PID 1408 wrote to memory of 2996	1408	audiodg.exe	70
PID 1408 wrote to memory of 2996	1408	audiodg.exe	70
PID 1848 wrote to memory of 1736	1848	WScript.exe	71
PID 1848 wrote to memory of 1736	1848	WScript.exe	71
PID 1848 wrote to memory of 1736	1848	WScript.exe	71
PID 1736 wrote to memory of 1312	1736	audiodg.exe	72
PID 1736 wrote to memory of 1312	1736	audiodg.exe	72
PID 1736 wrote to memory of 1312	1736	audiodg.exe	72
PID 1736 wrote to memory of 2144	1736	audiodg.exe	73
PID 1736 wrote to memory of 2144	1736	audiodg.exe	73
PID 1736 wrote to memory of 2144	1736	audiodg.exe	73
PID 1312 wrote to memory of 1828	1312	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
"C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00572516-0ff2-4e90-94e2-9e7b7e9491a1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9302c4-268c-427a-a7cd-d94b3ec3f2f0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1bcdad-6221-459f-bf91-f175c052d5f1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4283393f-e3b1-4ff3-ad00-25e29442f242.vbs"
        9⤵
        
        PID:340
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d4e7020-7fff-42ad-8e83-bfc4f3e7a62c.vbs"
        11⤵
        
        PID:2840
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4458f24c-45fd-45c3-979a-e85ce2fd7aee.vbs"
        13⤵
        
        PID:1976
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b6bf30-64ef-4321-974c-8ac00e723871.vbs"
        15⤵
        
        PID:552
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0f558a1-6758-4dec-859f-e4c9e00b13b0.vbs"
        17⤵
        
        PID:2252
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\483441c1-1dc3-4a78-a031-ea9d7a38b038.vbs"
        19⤵
        
        PID:1792
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa6827e1-3c60-4156-abca-1cba2cbd5112.vbs"
        21⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a8fdfe-cf86-4a5c-a553-7f9b050c36de.vbs"
        21⤵
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72a1540e-f46d-4f20-b30f-713854766070.vbs"
        19⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15bfe638-3e0f-4809-a765-2e62744cf9c5.vbs"
        17⤵
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14d4b2da-f98b-4e47-9eab-ce8f26bd4004.vbs"
        15⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f486912-754c-48ed-8bca-f2c502b333fc.vbs"
        13⤵
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\428b05e6-202f-45ea-8e44-617b855d79df.vbs"
        11⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426a0e7d-2ab9-4c8f-985d-b8a5886d829e.vbs"
        9⤵
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72f8f9bf-3cd5-4787-ac1b-848907b35f74.vbs"
        7⤵
        
        PID:2144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e7d2754-9f89-4aac-bf84-e123ce2ee471.vbs"
        5⤵
        
        PID:2996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab85e8fa-693d-4552-8159-692f41c7399d.vbs"
    3⤵
    PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe

Filesize
1.7MB

MD5
aa9196b43766c07c13e898a54321c6b8

SHA1
ed63ffe67bdb4a8354894443ae2fbbbcfc437642

SHA256
b7d99e8fae8f8756d2f295be30234c797e6ad77128daf3e8d38242501f69d423

SHA512
a95c380ef7e8f681dc2d6e8b598a603fa54aaa0d69e382da45ed7a31f2adb6f2f5bedbe1765d57928239e646f3cb2a83943e94f5e3bac07dfb10ded4cff770a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00572516-0ff2-4e90-94e2-9e7b7e9491a1.vbs

Filesize
743B

MD5
8d22f8a676aa27b68df798958d751244

SHA1
5ec168ee4d39d8c3aa3edfe558a836cab6e89ea6

SHA256
d7560bc8c1753679eb4f56eb15458a049170fc6dc85f442d1f8241be72287ec1

SHA512
8ef033ff8a855ba9640b9eb58e1ae36565ecbd7e2db86d9f6ac9f7d4e0d7a0f5cea482ddd1b4d319c1be8dd2c69d8370d3775ae35aacc46f26544cb930630d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c1bcdad-6221-459f-bf91-f175c052d5f1.vbs

Filesize
743B

MD5
48db2e0a121f7a219d7356dc4c1b9ae7

SHA1
96d8bbabbfc828693e90f1eb593559bea99a7e50

SHA256
5f19931584d138257ed946364180b5266366e785dd0eb2f5af6b45837f499381

SHA512
7e7ba57ef8af3bedfceb4afcef598697d3d4c6353f22bdf15795ac4e50842c114b536710592076e41efe19a525c201cb5585e429b3a425816c4d74bdcd467952

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d9302c4-268c-427a-a7cd-d94b3ec3f2f0.vbs

Filesize
743B

MD5
56f39f645b9ba427b673d6d4362f0977

SHA1
1031bd44d2772e45927de0d4d21ccc7d684c0c71

SHA256
82431bbc84e5e1f2fd35c96fb0ba220b4972b1d1eb5b0833033e1298c8500cd1

SHA512
576abbcbce30fd6d9ee9bd1d3ff3f30bf8f158ef013bd011baf731dae41d148b59b5994d0f9e6669a2a243da5308ff7c616ef261cc5efcbe0a2647213b0f90b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4283393f-e3b1-4ff3-ad00-25e29442f242.vbs

Filesize
743B

MD5
f2f0a3295aa60bfbbb68e065a09f674e

SHA1
2948b299030130a6d3baef37aa7b6ec0fc3dae58

SHA256
1370bc10906becc43a0e59345662b052867167bba091102da6dc7d7200555533

SHA512
9b1fd36ace1ce8191996e4544a5aef4978ad01bf4e5f9adcea16910e22e0e6f5bbddffde4e62136a6864f90fdd1de54dfda8f0fec9096edf0a0836dd3859d9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\483441c1-1dc3-4a78-a031-ea9d7a38b038.vbs

Filesize
743B

MD5
8920af8e043b410d42d57781a68b6bce

SHA1
b77a9579e8c3feda6b02ac1fd49f0f4634f7698a

SHA256
5ffb8da12ab099e22b64e15bd608a44d620c0c4f0c0eb3e4f8d82519e48381f1

SHA512
136b16edcffd0033dce571f40c81c6952fc566016acbcb23af5638cbc5926efc1876c9920143d0cd348a885ed51830407a4badf14edb879967f44c4180d92cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\89b6bf30-64ef-4321-974c-8ac00e723871.vbs

Filesize
743B

MD5
98b3de347ed93f8ed4cb07776c81f7e2

SHA1
dc0b93c8fe6cda838af1b149df6e0ffdb360b574

SHA256
54c68d179ee48e0109ab9851cb24eeaffbc16d3d9d414513b7f0e2388657eabe

SHA512
d8771f7a5d8a02e10495a0402e052613512a86dda83dcfd96395728d2796df88b5966fa8d8bcfb8270514d581e6b4ca84b82a5e0a0a0cce0016c38a80cfcd82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d4e7020-7fff-42ad-8e83-bfc4f3e7a62c.vbs

Filesize
743B

MD5
e8b9a03e1d82b07a046d280d964d0b58

SHA1
57ce1fba7ba97ff512bae0ba9bd5fa1d125b90bc

SHA256
3973ea5a61dba2607873e473fc962ae608f0b74d5b0b4e1c59398a015477b267

SHA512
6194f3cdf1cf69d0186e276ec382fccfe1a19c9877b8018f75f1a82902048483c679d0aa4b683211fa7f5f8901af5d40be829f429930f4867a5401ed6d1eb31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC89D.tmp

Filesize
1.7MB

MD5
96eb6349f62024cbe4512ce6fe98e9ca

SHA1
ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f

SHA256
6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

SHA512
5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab85e8fa-693d-4552-8159-692f41c7399d.vbs

Filesize
519B

MD5
9202133f70274d17dd1c427f8c0cb2e9

SHA1
e94183d1b724e768081511feb27d58698d12f029

SHA256
2050103a88ce7f4a68e37a4d3c2455b2d1f26761bee68cecd34d19babbfe8759

SHA512
28eb73586309601ac53f4fde1cd5676c4743bf5f9b80ea7830bdd2ab3b8cf15cfa3ee7c8da238dfbb64eb2c06c39ee825917a3105803f300c00d19e337e4b293

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0f558a1-6758-4dec-859f-e4c9e00b13b0.vbs

Filesize
743B

MD5
3a9c17cc2d49bf3be153789b99eb5f66

SHA1
70aefe6682cb19afbde8bb9928e27d79ecab883b

SHA256
1d78e986ef777505b8a666aec36ce313ab3ab6e9803c9d66509d5303398f3624

SHA512
f808c6f48dd1af8a0624772befa2ee7431d2976efc21bc2bb4ac924187563e6f6ca82d98969604ab9737db1c344d5e10d3b987b70eb488cd5ee5165c57fe524e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa6827e1-3c60-4156-abca-1cba2cbd5112.vbs

Filesize
743B

MD5
c9e4f3bf402649f969b8212d11332c0d

SHA1
79898dda9c371b73f08139f8d1b94ab138803c82

SHA256
d21f0c4791dc04a3c8f3c74c8644bc9f609c8ced28480a59354b0b7946f9d458

SHA512
cf63a3c3dd19c47cb0fa6dd1d8d004592c7bad5a5ed4a60dfa45dd27082be2d4d020125aef4d874b4395b0a445ab1c2bdfdabab13ccfee0dd95ab8906c403130

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b03b5f870c0e902fa135a344bdf4f9d

SHA1
d32247c397769e42ab3e27e172c8e77e827e835e

SHA256
56fd76c69676b5b6b71a5d45f1af2783f091ac1808f837a91d763c927ce2462c

SHA512
9b210fde1991c22e81c8751d0c4421f670431e0fb7e23aef6a3ecda7da9a6057648930780d1eb24e7b28eea465c2f3091685ee3ec840c060d5a87fe5f4193a12

Download Submit
memory/1408-145-0x0000000000860000-0x0000000000A20000-memory.dmp

Filesize
1.8MB

Download
memory/1596-181-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1736-157-0x0000000001010000-0x00000000011D0000-memory.dmp

Filesize
1.8MB

Download
memory/1792-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/1792-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1792-14-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/1792-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1792-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1792-89-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-1-0x0000000000C80000-0x0000000000E40000-memory.dmp

Filesize
1.8MB

Download
memory/1792-18-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-4-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1792-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1792-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1792-8-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/1792-13-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1792-7-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/1792-3-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/1792-6-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/1792-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1792-5-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1828-169-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2528-87-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2528-86-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2680-204-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2896-88-0x0000000000060000-0x0000000000220000-memory.dmp

Filesize
1.8MB

Download
memory/2968-238-0x00000000011D0000-0x0000000001390000-memory.dmp

Filesize
1.8MB

Download