dcrat | 7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Size

1.7MB
MD5

89b97de873721b7f7c0e290f3009714a
SHA1

a497ecfd40010292888930dad8e90139555a53a1
SHA256

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2
SHA512

48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvX:eTHUxUoh1IF9gl2o

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3448	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3448	schtasks.exe	81

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/772-1-0x0000000000380000-0x0000000000540000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b41-29.dat	dcrat
behavioral2/files/0x000a000000023b38-201.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4980	powershell.exe
4832	powershell.exe
2660	powershell.exe
1696	powershell.exe
4960	powershell.exe
444	powershell.exe
4952	powershell.exe
60	powershell.exe
4396	powershell.exe
2400	powershell.exe
4964	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 8 IoCs

pid	Process
116	smss.exe
4320	smss.exe
3956	smss.exe
1524	smss.exe
4816	smss.exe
1008	smss.exe
1332	smss.exe
1920	smss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DiagTrack\Registry.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\DiagTrack\ee2ad38f3d4382	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\DiagTrack\RCX71E3.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\DiagTrack\RCX71E4.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\DiagTrack\Registry.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4748	schtasks.exe
636	schtasks.exe
2772	schtasks.exe
976	schtasks.exe
3972	schtasks.exe
3852	schtasks.exe
3416	schtasks.exe
2540	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2400	powershell.exe
2400	powershell.exe
4832	powershell.exe
4832	powershell.exe
1696	powershell.exe
1696	powershell.exe
2660	powershell.exe
2660	powershell.exe
4396	powershell.exe
4396	powershell.exe
60	powershell.exe
60	powershell.exe
4964	powershell.exe
4964	powershell.exe
4960	powershell.exe
4960	powershell.exe
4980	powershell.exe
4980	powershell.exe
4952	powershell.exe
4952	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
4952	powershell.exe
2400	powershell.exe
1696	powershell.exe
4832	powershell.exe
2660	powershell.exe
4980	powershell.exe
60	powershell.exe
4396	powershell.exe
4960	powershell.exe
4964	powershell.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	116	smss.exe
Token: SeDebugPrivilege	4320	smss.exe
Token: SeDebugPrivilege	3956	smss.exe
Token: SeDebugPrivilege	1524	smss.exe
Token: SeDebugPrivilege	4816	smss.exe
Token: SeDebugPrivilege	1008	smss.exe
Token: SeDebugPrivilege	1332	smss.exe
Token: SeDebugPrivilege	1920	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2660	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	91
PID 772 wrote to memory of 2660	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	91
PID 772 wrote to memory of 60	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	92
PID 772 wrote to memory of 60	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	92
PID 772 wrote to memory of 1696	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	93
PID 772 wrote to memory of 1696	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	93
PID 772 wrote to memory of 4960	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	94
PID 772 wrote to memory of 4960	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	94
PID 772 wrote to memory of 4396	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	95
PID 772 wrote to memory of 4396	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	95
PID 772 wrote to memory of 2400	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	96
PID 772 wrote to memory of 2400	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	96
PID 772 wrote to memory of 4964	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	97
PID 772 wrote to memory of 4964	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	97
PID 772 wrote to memory of 444	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	98
PID 772 wrote to memory of 444	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	98
PID 772 wrote to memory of 4980	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	99
PID 772 wrote to memory of 4980	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	99
PID 772 wrote to memory of 4832	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	100
PID 772 wrote to memory of 4832	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	100
PID 772 wrote to memory of 4952	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	101
PID 772 wrote to memory of 4952	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	101
PID 772 wrote to memory of 3960	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	113
PID 772 wrote to memory of 3960	772	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	113
PID 3960 wrote to memory of 4408	3960	cmd.exe	115
PID 3960 wrote to memory of 4408	3960	cmd.exe	115
PID 3960 wrote to memory of 116	3960	cmd.exe	116
PID 3960 wrote to memory of 116	3960	cmd.exe	116
PID 116 wrote to memory of 5084	116	smss.exe	120
PID 116 wrote to memory of 5084	116	smss.exe	120
PID 116 wrote to memory of 4764	116	smss.exe	121
PID 116 wrote to memory of 4764	116	smss.exe	121
PID 5084 wrote to memory of 4320	5084	WScript.exe	125
PID 5084 wrote to memory of 4320	5084	WScript.exe	125
PID 4320 wrote to memory of 1276	4320	smss.exe	126
PID 4320 wrote to memory of 1276	4320	smss.exe	126
PID 4320 wrote to memory of 4240	4320	smss.exe	127
PID 4320 wrote to memory of 4240	4320	smss.exe	127
PID 1276 wrote to memory of 3956	1276	WScript.exe	130
PID 1276 wrote to memory of 3956	1276	WScript.exe	130
PID 3956 wrote to memory of 1228	3956	smss.exe	131
PID 3956 wrote to memory of 1228	3956	smss.exe	131
PID 3956 wrote to memory of 5104	3956	smss.exe	132
PID 3956 wrote to memory of 5104	3956	smss.exe	132
PID 1228 wrote to memory of 1524	1228	WScript.exe	133
PID 1228 wrote to memory of 1524	1228	WScript.exe	133
PID 1524 wrote to memory of 5028	1524	smss.exe	134
PID 1524 wrote to memory of 5028	1524	smss.exe	134
PID 1524 wrote to memory of 4952	1524	smss.exe	135
PID 1524 wrote to memory of 4952	1524	smss.exe	135
PID 5028 wrote to memory of 4816	5028	WScript.exe	136
PID 5028 wrote to memory of 4816	5028	WScript.exe	136
PID 4816 wrote to memory of 3200	4816	smss.exe	137
PID 4816 wrote to memory of 3200	4816	smss.exe	137
PID 4816 wrote to memory of 3480	4816	smss.exe	138
PID 4816 wrote to memory of 3480	4816	smss.exe	138
PID 3200 wrote to memory of 1008	3200	WScript.exe	139
PID 3200 wrote to memory of 1008	3200	WScript.exe	139
PID 1008 wrote to memory of 3084	1008	smss.exe	140
PID 1008 wrote to memory of 3084	1008	smss.exe	140
PID 1008 wrote to memory of 3088	1008	smss.exe	141
PID 1008 wrote to memory of 3088	1008	smss.exe	141
PID 3084 wrote to memory of 1332	3084	WScript.exe	142
PID 3084 wrote to memory of 1332	3084	WScript.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZnppPT7KU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4408
- - C:\Recovery\WindowsRE\smss.exe
    "C:\Recovery\WindowsRE\smss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2952184-4915-4ff3-890d-a71074e0abcb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e064221a-fc75-44b0-a1f5-1bc431d1426f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c55c9060-aa38-4da0-9953-1958ab52803e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd275d9c-396f-4600-916a-549337291929.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb5cadee-3b9b-49b1-baaf-cccfab1a6325.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b541009-25ac-4b18-a9f2-650e92e4cc2b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8dea9d1-8f50-468b-ac97-d1654e9b43b3.vbs"
        16⤵
        
        PID:4564
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17944d0-cdb9-49ed-93ea-3c62451212ed.vbs"
        18⤵
        
        PID:4216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8d20630-09ea-43d4-93ca-ef7a5cd88ae9.vbs"
        18⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84927983-5c15-428b-8848-8b0f60d93f0f.vbs"
        16⤵
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf66e71-d70e-419b-a7e8-946d6fe7cb20.vbs"
        14⤵
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d80e00b7-129f-411c-b37a-328377d8cb68.vbs"
        12⤵
        
        PID:3480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e7bbf18-43ce-4693-ad50-b6364e19ef9a.vbs"
        10⤵
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aa12553-9738-4f0f-82c5-dfd5910fcf91.vbs"
        8⤵
        
        PID:5104
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c7306c-36f5-40ca-b8ab-b384a13e6059.vbs"
        6⤵
        
        PID:4240
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d78cb6e-a3c8-4d15-bfcd-4ac44c222197.vbs"
      4⤵
      PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\MF\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MF\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\MF\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\smss.exe

Filesize
1.7MB

MD5
89b97de873721b7f7c0e290f3009714a

SHA1
a497ecfd40010292888930dad8e90139555a53a1

SHA256
7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

SHA512
48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d78cb6e-a3c8-4d15-bfcd-4ac44c222197.vbs

Filesize
482B

MD5
cfb101c27d1b398437a5240c0d5ef89d

SHA1
76b3bc53bfb1cfd0053781cd0a0acd28065c8a37

SHA256
69af6a44697f53d78f323ec42381584d44d0e9db1a1ebcb651a6c7fba137a5be

SHA512
b84429295812956942dada202b0b70c14b7b2471f6d748338c9f5338e2a7fc69604c16513bcbd2b748a987b92a088d5c9db6fb0f7833cdfb8a5bca46b47b7227

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b541009-25ac-4b18-a9f2-650e92e4cc2b.vbs

Filesize
706B

MD5
2e155f5269db12552cd137dfa39b9420

SHA1
bdb2b26384bcf5c7af704bc9eb1b81084f061417

SHA256
91c2fe3c8544fd5331d8e0dacee3c9c4d79af08ddd89fb4fa50a6f4d3fb0840a

SHA512
b7bf11fdcaaa38ab159b2680de94be37ff58fc26a0dcace19559a62e69f94bb14a6aa45fb2f6883b5bceeb88bf2ad4e25b56e91f63485ddd3b8ec03bb296a82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX6F41.tmp

Filesize
1.7MB

MD5
20bbb35ecafbbf381f961e15ea808779

SHA1
a1b1b63e784f0b8edc6ada54349229287dceeda4

SHA256
02ce8493f355569dbf57812c6616c6347f5792399d57963d63d6ca78d57e2e9a

SHA512
fece7fd33fe648f6f1da0ff77c2da9098904d379ede324012d1ccd0809808b8fafd129f7e6971316442dfb24611fcf56035a084b77ee09353c5769f4e4fe3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZnppPT7KU.bat

Filesize
195B

MD5
cc8f3cc59539da5cd11b9959a060a85b

SHA1
82806ed8cab2fbcdedf1985337c36e7ce54fd0f0

SHA256
6211bc4391daa1f9abd5f21d2fcaf09dcb9fcba01e030c4752e2f8c79ee216b2

SHA512
2e20acc84e4d387be226c9d86554c1f0a4866395b6f20a26dc370a78a4756fcd7f96a00730400db953eebf99a5703a3831755508fa1ef41ea058dd1c727ed61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jalibjbq.nep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b17944d0-cdb9-49ed-93ea-3c62451212ed.vbs

Filesize
706B

MD5
e8893ebc868e2ce950cc23e1b017336c

SHA1
330ce67014f966f2b2d849b55b6964f9c48243c4

SHA256
e11fa4647c5ce700e5970b60fda7e32caad3de9ed4047db50076af4f9ee66443

SHA512
7e18f824513021e5392870ccaba1468b7132bdd94c082b24a5b19c8a3da9bc3e338c3c6e039f34bae89161cb4c1a686bfc08d2264ea3d51c6e8ff482a4379dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2952184-4915-4ff3-890d-a71074e0abcb.vbs

Filesize
705B

MD5
ec2f6b855babd103dd08f0ece3b6ac41

SHA1
8e50146e7b4b256f98a55765fc236781353a9678

SHA256
156949b5dde1c72d2cdcce1cbea626c9e0344c51053e8c191a211260473e8bcd

SHA512
725e1b9d2b8e7fec4ffe9ad5a09b6f864b35f79af4e9f69b269cc6c95e2d1f015ff80af539a361e333f49a3e87e378b56c87524f48626968f21477bbbfbe89b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd275d9c-396f-4600-916a-549337291929.vbs

Filesize
706B

MD5
940f6998a8dcdf6f49aaca0c2ce2011d

SHA1
2bda832e491a065dcbc90f856e48a0352c3f2192

SHA256
50556614f4b077da85472b745f5fa9ada0bf58f596ab96e629338a87c14901ac

SHA512
16e7c5eae93809000eca36f91f9cd86b1d991ddd2c35788cd4988783f2abbcfe279260ad471faa3483d45e8d85dad20e4468a5b677b8fd4de16f9638febcbb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c55c9060-aa38-4da0-9953-1958ab52803e.vbs

Filesize
706B

MD5
9f66b3221e6a0b1af629d465a738b03d

SHA1
d0a57bea09617721a13be56e29d6564d8a754a13

SHA256
870f96b035f03114f2bd521121fa13699397acbb44d1adeadc7f362e8e61f479

SHA512
0d048bac75ab9f4171852f0e7893679f64eab7d849743a135f2a8a4d33a2a81600e02ce5d1095621f074dd8b3a05bfdfc6be63fd289dbc50c213d3cc5e7964b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8dea9d1-8f50-468b-ac97-d1654e9b43b3.vbs

Filesize
706B

MD5
c1fafb01514af868e0912ec810f0e8ed

SHA1
9deaff1f2790edd45368499803536248f1456f73

SHA256
797d274515420b6a2a991183b05434b668335dc929a9d625b219daaff6fefa43

SHA512
86f57f903891f814d5f82f723e631a0d8898b99d12e1d99f69ec327c3acf505860fb70d8dbb34c7a982ed244cfb9aa84b5a24b4d1585666d50fc83923783b027

Download Submit
C:\Users\Admin\AppData\Local\Temp\e064221a-fc75-44b0-a1f5-1bc431d1426f.vbs

Filesize
706B

MD5
a56e4876ff95d984a0e94b9e008b2e6e

SHA1
c596df1916626c577202a7dc24f89ee1435bad31

SHA256
c7f815a3a425a2d3a899ca4ebf6219ce6741d60d1789a3463b23ad68bd880a63

SHA512
1003900d9ade3e336abb14c4a81932718c4d909c55ccdd4d04cbf8b79a37ed71a5ed6aad06c7d545badfa39f7e4cbd670074bc2a9f76e658a9c49d2af067abae

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb5cadee-3b9b-49b1-baaf-cccfab1a6325.vbs

Filesize
706B

MD5
5ee4b8f719299651af9662e88ef3d23f

SHA1
944e93da96e39f425a0a5ff8537ceba9dbc8be2d

SHA256
14c567e2e5fc19fbe4bf9787cbebd6ff7165ea09972b56b8b65da751c867d21e

SHA512
ff24347b4f78db3a03dd9d6cce22b301caafac2f53259113e1d15c287e9d513f7e8f833b4156e7c503ff97062b7ed87ec232510a907c25498bfa8f9eff200398

Download Submit
memory/772-12-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/772-13-0x000000001BE20000-0x000000001C348000-memory.dmp

Filesize
5.2MB

Download
memory/772-1-0x0000000000380000-0x0000000000540000-memory.dmp

Filesize
1.8MB

Download
memory/772-23-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/772-21-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/772-19-0x000000001B1B0000-0x000000001B1BC000-memory.dmp

Filesize
48KB

Download
memory/772-16-0x000000001BAF0000-0x000000001BAFE000-memory.dmp

Filesize
56KB

Download
memory/772-17-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/772-18-0x0000000002730000-0x000000000273C000-memory.dmp

Filesize
48KB

Download
memory/772-15-0x000000001B1C0000-0x000000001B1CA000-memory.dmp

Filesize
40KB

Download
memory/772-14-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/772-75-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/772-0-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/772-10-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/772-9-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/772-7-0x0000000002680000-0x0000000002696000-memory.dmp

Filesize
88KB

Download
memory/772-8-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/772-5-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/772-6-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/772-4-0x000000001B120000-0x000000001B170000-memory.dmp

Filesize
320KB

Download
memory/772-3-0x0000000000BF0000-0x0000000000C0C000-memory.dmp

Filesize
112KB

Download
memory/772-2-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/2400-81-0x0000022E3ECC0000-0x0000022E3ECE2000-memory.dmp

Filesize
136KB

Download