dcrat | 0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe
Size

3.7MB
MD5

934f077da68d3fda26839f06286b71e4
SHA1

f805ec2e43d7518d420b94b954fd6b4e640ef64d
SHA256

0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b
SHA512

85e2bff55ce5aa6569d50146a3d95c611f774605fa9a8ee041cede3a928bf7585943e63aaf9eb5b14dc4d25fe6bee3e57d58c9b586653322300aaa67e87dd714
SSDEEP

49152:UbA30FDlon6ZtXRUNAtf3zkDcpigc4Jp8+bF5BxiLFHqzQ6yQH2lJwtYv2:UbZ7tXyNAtf3Rigc4n58xHqzQ6TH2Lel

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2948	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2948	schtasks.exe	36

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001926b-17.dat	dcrat
behavioral1/memory/2696-18-0x0000000000210000-0x000000000057A000-memory.dmp	dcrat
behavioral1/memory/2808-87-0x0000000000DB0000-0x000000000111A000-memory.dmp	dcrat

Executes dropped EXE 6 IoCs

pid	Process
2696	hyperblockDll.exe
2808	taskhost.exe
2416	taskhost.exe
1976	taskhost.exe
1140	taskhost.exe
1636	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	cmd.exe
3032	cmd.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f	hyperblockDll.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\b75386f1303e64	hyperblockDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\b75386f1303e64	hyperblockDll.exe
File created	C:\Program Files\Windows Defender\fr-FR\Idle.exe	hyperblockDll.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\Idle.exe	hyperblockDll.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e	hyperblockDll.exe
File created	C:\Windows\Migration\winlogon.exe	hyperblockDll.exe
File created	C:\Windows\Migration\cc11b995f2a76d	hyperblockDll.exe
File created	C:\Windows\Panther\UnattendGC\services.exe	hyperblockDll.exe
File created	C:\Windows\Panther\UnattendGC\c5b4cb5e9653cc	hyperblockDll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	hyperblockDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
340	schtasks.exe
1696	schtasks.exe
1676	schtasks.exe
744	schtasks.exe
2252	schtasks.exe
952	schtasks.exe
1048	schtasks.exe
2184	schtasks.exe
1648	schtasks.exe
2144	schtasks.exe
448	schtasks.exe
840	schtasks.exe
1512	schtasks.exe
2728	schtasks.exe
2472	schtasks.exe
1284	schtasks.exe
1744	schtasks.exe
904	schtasks.exe
2460	schtasks.exe
2996	schtasks.exe
2152	schtasks.exe
1580	schtasks.exe
1288	schtasks.exe
1616	schtasks.exe
1108	schtasks.exe
1028	schtasks.exe
2348	schtasks.exe
2076	schtasks.exe
528	schtasks.exe
1172	schtasks.exe
1396	schtasks.exe
1276	schtasks.exe
2824	schtasks.exe
2148	schtasks.exe
3068	schtasks.exe
2008	schtasks.exe
1764	schtasks.exe
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2696	hyperblockDll.exe
2696	hyperblockDll.exe
2696	hyperblockDll.exe
2696	hyperblockDll.exe
2696	hyperblockDll.exe
2808	taskhost.exe
2808	taskhost.exe
2808	taskhost.exe
2808	taskhost.exe
2808	taskhost.exe
2808	taskhost.exe
2808	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe
1976	taskhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	hyperblockDll.exe
Token: SeDebugPrivilege	2808	taskhost.exe
Token: SeDebugPrivilege	1976	taskhost.exe
Token: SeDebugPrivilege	2416	taskhost.exe
Token: SeDebugPrivilege	1140	taskhost.exe
Token: SeDebugPrivilege	1636	taskhost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1968	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	31
PID 2088 wrote to memory of 1968	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	31
PID 2088 wrote to memory of 1968	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	31
PID 2088 wrote to memory of 1968	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	31
PID 2088 wrote to memory of 2032	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	32
PID 2088 wrote to memory of 2032	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	32
PID 2088 wrote to memory of 2032	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	32
PID 2088 wrote to memory of 2032	2088	0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe	32
PID 1968 wrote to memory of 3032	1968	WScript.exe	33
PID 1968 wrote to memory of 3032	1968	WScript.exe	33
PID 1968 wrote to memory of 3032	1968	WScript.exe	33
PID 1968 wrote to memory of 3032	1968	WScript.exe	33
PID 3032 wrote to memory of 2696	3032	cmd.exe	35
PID 3032 wrote to memory of 2696	3032	cmd.exe	35
PID 3032 wrote to memory of 2696	3032	cmd.exe	35
PID 3032 wrote to memory of 2696	3032	cmd.exe	35
PID 2696 wrote to memory of 1800	2696	hyperblockDll.exe	76
PID 2696 wrote to memory of 1800	2696	hyperblockDll.exe	76
PID 2696 wrote to memory of 1800	2696	hyperblockDll.exe	76
PID 1800 wrote to memory of 1788	1800	cmd.exe	78
PID 1800 wrote to memory of 1788	1800	cmd.exe	78
PID 1800 wrote to memory of 1788	1800	cmd.exe	78
PID 1800 wrote to memory of 2808	1800	cmd.exe	79
PID 1800 wrote to memory of 2808	1800	cmd.exe	79
PID 1800 wrote to memory of 2808	1800	cmd.exe	79
PID 2808 wrote to memory of 572	2808	taskhost.exe	80
PID 2808 wrote to memory of 572	2808	taskhost.exe	80
PID 2808 wrote to memory of 572	2808	taskhost.exe	80
PID 2808 wrote to memory of 2564	2808	taskhost.exe	81
PID 2808 wrote to memory of 2564	2808	taskhost.exe	81
PID 2808 wrote to memory of 2564	2808	taskhost.exe	81
PID 2808 wrote to memory of 2208	2808	taskhost.exe	82
PID 2808 wrote to memory of 2208	2808	taskhost.exe	82
PID 2808 wrote to memory of 2208	2808	taskhost.exe	82
PID 2208 wrote to memory of 1680	2208	cmd.exe	84
PID 2208 wrote to memory of 1680	2208	cmd.exe	84
PID 2208 wrote to memory of 1680	2208	cmd.exe	84
PID 2208 wrote to memory of 2416	2208	cmd.exe	85
PID 2208 wrote to memory of 2416	2208	cmd.exe	85
PID 2208 wrote to memory of 2416	2208	cmd.exe	85
PID 572 wrote to memory of 1976	572	WScript.exe	86
PID 572 wrote to memory of 1976	572	WScript.exe	86
PID 572 wrote to memory of 1976	572	WScript.exe	86
PID 1976 wrote to memory of 2128	1976	taskhost.exe	87
PID 1976 wrote to memory of 2128	1976	taskhost.exe	87
PID 1976 wrote to memory of 2128	1976	taskhost.exe	87
PID 1976 wrote to memory of 2376	1976	taskhost.exe	88
PID 1976 wrote to memory of 2376	1976	taskhost.exe	88
PID 1976 wrote to memory of 2376	1976	taskhost.exe	88
PID 2376 wrote to memory of 748	2376	cmd.exe	90
PID 2376 wrote to memory of 748	2376	cmd.exe	90
PID 2376 wrote to memory of 748	2376	cmd.exe	90
PID 2128 wrote to memory of 1140	2128	WScript.exe	91
PID 2128 wrote to memory of 1140	2128	WScript.exe	91
PID 2128 wrote to memory of 1140	2128	WScript.exe	91
PID 2376 wrote to memory of 1636	2376	cmd.exe	92
PID 2376 wrote to memory of 1636	2376	cmd.exe	92
PID 2376 wrote to memory of 1636	2376	cmd.exe	92

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe
"C:\Users\Admin\AppData\Local\Temp\0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\lcZ6MvLb.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\BridgehyperchainportAgent\hyperblockDll.exe
      "C:\BridgehyperchainportAgent\hyperblockDll.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EBKE1u0GZC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1788
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95835df2-c425-42c6-bd14-dd0f774968f2.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d80dfd-b8eb-46e8-bc55-5ce4ed793621.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CVS5LeuuDU.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:748
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b2c1be-1d10-41c8-ac67-7ff93ddc35ea.vbs"
        7⤵
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atu0UbTjEV.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1680
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat

Filesize
48B

MD5
efb9b32455839f2f1e46065e13aeb93f

SHA1
cae49ccdd500a9808ac144387b15ad6ced46c036

SHA256
611d9c30bfabaaa6e9aee5c75025b71dca9116c45300ac325febeefe2d5b0e24

SHA512
351d053f36e497238add089f19e30f164c1110be7826d58e7fb71705b06a7d6d51789add692ac08af4c1e613e3f9c54789a5c8f707ad302a70bcd379645cff1c

Download Submit
C:\BridgehyperchainportAgent\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BridgehyperchainportAgent\hyperblockDll.exe

Filesize
3.4MB

MD5
df6d3aff42df48d0830227cae92e6bd6

SHA1
bf7f75fd82694b2a44098df2b28c2db35e7ea142

SHA256
05b5df5bc84e193fba3aa26d1b20cb81faa7b176a24a8df2238c8ed61e6e583a

SHA512
07163831729582397fdbdcef5d921750b2968b9d555fd0b881913ae1b283573e4efc827d0eb51552882743b541e44ff2a8dbf0d99a4e5c3f47228a4536bab64a

Download Submit
C:\BridgehyperchainportAgent\lcZ6MvLb.vbe

Filesize
231B

MD5
05a47a3e17c29bf5b8bc6949a26ccb44

SHA1
87e896625a30943a252a839ba3e22507422bbb04

SHA256
85f873ac1def74dea8180c0cce0084490505d2bc213abf34d3a95fda4b92c63f

SHA512
72ef9bb092cfbc824341aa0075ee594b410e9afea3a8ae40c0f1743a4cb2528005701099ef156dc0f2a2da4474809f1d5995e01d12c6ac36f0cc7ae6baf8f64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\18d80dfd-b8eb-46e8-bc55-5ce4ed793621.vbs

Filesize
736B

MD5
d352141b66bfd4fc14fc63f3dee57f03

SHA1
4ceeb36ecf0e214df34dfddcac4b563b906eff09

SHA256
94c4bfa044b0f07feead06c730f81bf36bed443564c89f627b5198e9db121e80

SHA512
60fe869a39ab56e89bfa78d73971e475c24709c167c6d013eb12d71863abd02b73b5ec02ca13411d928971b3f892e5133539b8ffe53aedbf66636888e375ae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\95835df2-c425-42c6-bd14-dd0f774968f2.vbs

Filesize
736B

MD5
97ef9dd75920b1958fc530c53a56c20e

SHA1
3d8c78ef8ae5c4db1aee6c5ec7b87532b44ce18e

SHA256
c46751f751517a33300fa8b0b96ad10e12d21caa6071966d28b707bfa2986bfb

SHA512
c60b5b53ff8ce7576260844a7941b2bdb59666a8c4ee5e93c97b336c615e6f4ac6a22eeea69778769204627cf23b2ef0fa38bd5766b2979a2ced907decc5484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVS5LeuuDU.bat

Filesize
225B

MD5
ea4198e70351c9f994159f004372f1ff

SHA1
bb522c0c70ace3c619a9ddd7474ac1065afa7832

SHA256
8c405fc35f3f897ace55a3ac999cf0947bce96b9e42559cdf8eb0d1c7e21cc3d

SHA512
5d7a2f95bebc539074e9b7c74acdf95553fb6b385fdd2e357b19b144e9638165d00cc4c84c6559d87e08f30dfd611064b49b4645acfd93b6bde8bc373fe58632

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBKE1u0GZC.bat

Filesize
225B

MD5
b636369d26c7dbacd1ebda2340ba5475

SHA1
d0b2ad0f7701a428079c2de0d9a9c6f132123483

SHA256
382e91b1e536d916f1c91c043c1c16a5e3e4afc59c11ce383d53b3a20d65640c

SHA512
aebc455d4ea9f655f61547e9a9057236d7abc21fab2b1bea79805c10f4ce4717cfe6a0e3f7790fcaf775eb7fb1f1eec7add241d59779c81d9bb01c7479795f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\atu0UbTjEV.bat

Filesize
225B

MD5
6104fb58aa9b0d790e4791fb2265c48b

SHA1
2907f48b783ea588804e82f2623ba2519a977e01

SHA256
1483f808f40ad8628628cb0b9022e79ce417e260bd557212895af0869d2087c0

SHA512
9204f45d99f93c128a61013b37c2e11d37374dac31d55235a23e0f38b461bfcd2f49e8f29fb72d72247ffaf338fc6530805c3e88940be40b237fc9750cc368f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4b2c1be-1d10-41c8-ac67-7ff93ddc35ea.vbs

Filesize
512B

MD5
124511d46fc549dfa821636b91e586da

SHA1
12900b964365292a4e5f4d9910c21735471dad05

SHA256
9e8b38961b206c44a527f642d919c0eff6ac0ff6d6cc6315ed0ea1d2b6533dad

SHA512
03ecd190c6c65c23bfc7e14f544699e3ee76dee1ded821e30f133e0e8b60daaf254855adae248e7e185aead8924bb88b86b54afbf35181936a365715f09458fd

Download Submit
memory/2696-38-0x000000001AB00000-0x000000001AB0C000-memory.dmp

Filesize
48KB

Download
memory/2696-43-0x000000001AF20000-0x000000001AF28000-memory.dmp

Filesize
32KB

Download
memory/2696-26-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2696-27-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2696-28-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2696-29-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2696-30-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2696-31-0x0000000002450000-0x000000000245A000-memory.dmp

Filesize
40KB

Download
memory/2696-32-0x0000000002570000-0x00000000025C6000-memory.dmp

Filesize
344KB

Download
memory/2696-33-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2696-34-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/2696-35-0x000000001AAB0000-0x000000001AABC000-memory.dmp

Filesize
48KB

Download
memory/2696-36-0x000000001AAC0000-0x000000001AAC8000-memory.dmp

Filesize
32KB

Download
memory/2696-37-0x000000001AAD0000-0x000000001AAE2000-memory.dmp

Filesize
72KB

Download
memory/2696-24-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2696-39-0x000000001AB10000-0x000000001AB1C000-memory.dmp

Filesize
48KB

Download
memory/2696-40-0x000000001AB20000-0x000000001AB28000-memory.dmp

Filesize
32KB

Download
memory/2696-41-0x000000001AB30000-0x000000001AB3C000-memory.dmp

Filesize
48KB

Download
memory/2696-42-0x000000001AB40000-0x000000001AB4C000-memory.dmp

Filesize
48KB

Download
memory/2696-25-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2696-44-0x000000001AF30000-0x000000001AF3C000-memory.dmp

Filesize
48KB

Download
memory/2696-45-0x000000001AF40000-0x000000001AF4A000-memory.dmp

Filesize
40KB

Download
memory/2696-46-0x000000001AF50000-0x000000001AF5E000-memory.dmp

Filesize
56KB

Download
memory/2696-47-0x000000001AF60000-0x000000001AF68000-memory.dmp

Filesize
32KB

Download
memory/2696-48-0x000000001AF70000-0x000000001AF7E000-memory.dmp

Filesize
56KB

Download
memory/2696-49-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/2696-50-0x000000001AF90000-0x000000001AF9C000-memory.dmp

Filesize
48KB

Download
memory/2696-51-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/2696-52-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

Filesize
40KB

Download
memory/2696-53-0x000000001B000000-0x000000001B00C000-memory.dmp

Filesize
48KB

Download
memory/2696-23-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2696-18-0x0000000000210000-0x000000000057A000-memory.dmp

Filesize
3.4MB

Download
memory/2696-19-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2696-22-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2696-21-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2696-20-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2808-88-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/2808-87-0x0000000000DB0000-0x000000000111A000-memory.dmp

Filesize
3.4MB

Download