dcrat | e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
Size

1.7MB
MD5

fd2f835cbc87e966ad711028d848d14d
SHA1

cceb6c9065ea8385e2d1c5c026366491d2f60f13
SHA256

e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272
SHA512

f6a9e29fd62178eb5ab867e77a1fd36f5591f8a7427d62038e0e247fb1274050f1028e5af93ab1bbbc5d42a8a8eab75f5d9290298322f1a3c7381e1e1fef53c5
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvu:+THUxUoh1IF9gl2F

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3008	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1996-1-0x0000000000E40000-0x0000000001000000-memory.dmp	dcrat
behavioral1/files/0x000600000001941b-30.dat	dcrat
behavioral1/files/0x00050000000194d0-40.dat	dcrat
behavioral1/memory/1044-113-0x0000000000960000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/files/0x00060000000186c9-112.dat	dcrat
behavioral1/memory/1872-160-0x0000000000F90000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1780-172-0x0000000001100000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/904-185-0x0000000000280000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1608-198-0x0000000000990000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1324-211-0x0000000000BA0000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/1280-223-0x0000000000ED0000-0x0000000001090000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
700	powershell.exe
332	powershell.exe
1488	powershell.exe
1028	powershell.exe
1760	powershell.exe
1480	powershell.exe
2576	powershell.exe
1744	powershell.exe
2252	powershell.exe
1256	powershell.exe
1492	powershell.exe
1200	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe

Executes dropped EXE 8 IoCs

pid	Process
1044	services.exe
1872	services.exe
1780	services.exe
904	services.exe
1608	services.exe
1324	services.exe
1280	services.exe
1456	services.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX81D3.tmp	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File created	C:\Program Files\Google\taskhost.exe	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File opened for modification	C:\Program Files\Google\taskhost.exe	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File created	C:\Program Files\Google\b75386f1303e64	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\c5b4cb5e9653cc	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File opened for modification	C:\Program Files\Google\RCX7D2D.tmp	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File opened for modification	C:\Program Files\Google\RCX7D9C.tmp	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX81D4.tmp	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPHost\smss.exe	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
528	schtasks.exe
768	schtasks.exe
2812	schtasks.exe
2668	schtasks.exe
2752	schtasks.exe
2732	schtasks.exe
2908	schtasks.exe
2736	schtasks.exe
1456	schtasks.exe
2380	schtasks.exe
2056	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
1744	powershell.exe
2576	powershell.exe
1488	powershell.exe
700	powershell.exe
1028	powershell.exe
1492	powershell.exe
1200	powershell.exe
332	powershell.exe
1760	powershell.exe
1256	powershell.exe
1480	powershell.exe
2252	powershell.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1044	services.exe
1872	services.exe
1872	services.exe
1872	services.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1044	services.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1872	services.exe
Token: SeDebugPrivilege	1780	services.exe
Token: SeDebugPrivilege	904	services.exe
Token: SeDebugPrivilege	1608	services.exe
Token: SeDebugPrivilege	1324	services.exe
Token: SeDebugPrivilege	1280	services.exe
Token: SeDebugPrivilege	1456	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2576	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	43
PID 1996 wrote to memory of 2576	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	43
PID 1996 wrote to memory of 2576	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	43
PID 1996 wrote to memory of 1744	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	44
PID 1996 wrote to memory of 1744	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	44
PID 1996 wrote to memory of 1744	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	44
PID 1996 wrote to memory of 700	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	45
PID 1996 wrote to memory of 700	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	45
PID 1996 wrote to memory of 700	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	45
PID 1996 wrote to memory of 1492	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	46
PID 1996 wrote to memory of 1492	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	46
PID 1996 wrote to memory of 1492	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	46
PID 1996 wrote to memory of 332	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	47
PID 1996 wrote to memory of 332	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	47
PID 1996 wrote to memory of 332	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	47
PID 1996 wrote to memory of 1488	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	48
PID 1996 wrote to memory of 1488	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	48
PID 1996 wrote to memory of 1488	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	48
PID 1996 wrote to memory of 1028	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	49
PID 1996 wrote to memory of 1028	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	49
PID 1996 wrote to memory of 1028	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	49
PID 1996 wrote to memory of 1200	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	50
PID 1996 wrote to memory of 1200	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	50
PID 1996 wrote to memory of 1200	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	50
PID 1996 wrote to memory of 1256	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	51
PID 1996 wrote to memory of 1256	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	51
PID 1996 wrote to memory of 1256	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	51
PID 1996 wrote to memory of 1760	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	52
PID 1996 wrote to memory of 1760	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	52
PID 1996 wrote to memory of 1760	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	52
PID 1996 wrote to memory of 1480	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	53
PID 1996 wrote to memory of 1480	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	53
PID 1996 wrote to memory of 1480	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	53
PID 1996 wrote to memory of 2252	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	54
PID 1996 wrote to memory of 2252	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	54
PID 1996 wrote to memory of 2252	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	54
PID 1996 wrote to memory of 1044	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	67
PID 1996 wrote to memory of 1044	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	67
PID 1996 wrote to memory of 1044	1996	e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe	67
PID 1044 wrote to memory of 2024	1044	services.exe	68
PID 1044 wrote to memory of 2024	1044	services.exe	68
PID 1044 wrote to memory of 2024	1044	services.exe	68
PID 1044 wrote to memory of 2964	1044	services.exe	69
PID 1044 wrote to memory of 2964	1044	services.exe	69
PID 1044 wrote to memory of 2964	1044	services.exe	69
PID 2024 wrote to memory of 1872	2024	WScript.exe	70
PID 2024 wrote to memory of 1872	2024	WScript.exe	70
PID 2024 wrote to memory of 1872	2024	WScript.exe	70
PID 1872 wrote to memory of 2172	1872	services.exe	71
PID 1872 wrote to memory of 2172	1872	services.exe	71
PID 1872 wrote to memory of 2172	1872	services.exe	71
PID 1872 wrote to memory of 996	1872	services.exe	72
PID 1872 wrote to memory of 996	1872	services.exe	72
PID 1872 wrote to memory of 996	1872	services.exe	72
PID 2172 wrote to memory of 1780	2172	WScript.exe	74
PID 2172 wrote to memory of 1780	2172	WScript.exe	74
PID 2172 wrote to memory of 1780	2172	WScript.exe	74
PID 1780 wrote to memory of 1336	1780	services.exe	75
PID 1780 wrote to memory of 1336	1780	services.exe	75
PID 1780 wrote to memory of 1336	1780	services.exe	75
PID 1780 wrote to memory of 1260	1780	services.exe	76
PID 1780 wrote to memory of 1260	1780	services.exe	76
PID 1780 wrote to memory of 1260	1780	services.exe	76
PID 1336 wrote to memory of 904	1336	WScript.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe
"C:\Users\Admin\AppData\Local\Temp\e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
  "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8470cdbe-8663-4cd3-9887-3c4fe8410f1d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
      "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\817e5963-73b6-47e8-ac92-ca7154589f51.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a125c54-9bfe-4d11-90e5-83c03a9be57e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f6bac9-a504-4dc5-8aad-9618cc7a5140.vbs"
        9⤵
        
        PID:1480
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd1a38e6-0d9d-4185-80e8-f539137910a3.vbs"
        11⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15b7565-b233-45db-8326-3cd7881158e4.vbs"
        13⤵
        
        PID:2828
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1371cad-2b48-4eec-aa69-a1fd6dda93d9.vbs"
        15⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee70c2b-f8a6-4ced-914a-75cef40462dc.vbs"
        17⤵
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf647d7-73f3-4224-98e1-2b17ce9568f7.vbs"
        17⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f1416c-0658-4bcf-9a84-c1be01e3a144.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad3f5cff-9b95-49b7-a652-daca29774c84.vbs"
        13⤵
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e42bf01-d68d-4009-b1eb-16ab323d223c.vbs"
        11⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34dfc78f-3867-41f1-9e21-b1cfc1296ed8.vbs"
        9⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7687aae-b920-499b-98c7-23bcf0ff9f40.vbs"
        7⤵
        
        PID:1260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb2c85bc-0555-4df7-978b-ee1ace3ab126.vbs"
        5⤵
        
        PID:996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1815bb27-5872-4592-8e2c-354e2a9935e1.vbs"
    3⤵
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe

Filesize
1.7MB

MD5
fd2f835cbc87e966ad711028d848d14d

SHA1
cceb6c9065ea8385e2d1c5c026366491d2f60f13

SHA256
e7e75f2ba01f39cba2de5fddf3072a0ec6aaa55bd583f3a910385a5370063272

SHA512
f6a9e29fd62178eb5ab867e77a1fd36f5591f8a7427d62038e0e247fb1274050f1028e5af93ab1bbbc5d42a8a8eab75f5d9290298322f1a3c7381e1e1fef53c5

Download Submit
C:\Program Files\Google\taskhost.exe

Filesize
1.7MB

MD5
f3ec484997f33fff46e375808adf29e3

SHA1
0bff9c9d3d82794eeb864caa40c41431a10f29e8

SHA256
9bc442aca5b97218618b4c16df03b1ce5e0806b85dd24644f82991b3cbc1e7fd

SHA512
6a1eeef72e2e257357ae530b34beddb800ad12475d9ffd5ca23a87a50b2c1057950a0d38c488ff18a60938629958ff77ee07613093e041cd81216269064dc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1815bb27-5872-4592-8e2c-354e2a9935e1.vbs

Filesize
529B

MD5
141dff3a4c07656d0a78feb9c0268730

SHA1
b8bf6f6166ad0cc512d79c56436f253d7d20a0c2

SHA256
de63401d3b60a478761f92100d253516bd2b24231f7af71fa00da5956ee0c513

SHA512
91abddc03ba96b71162884a55b13d34c57304ca6f6cf3c7a64cbefb2d4d05e41ad790994d2807761380768ea7a1a5cdb3b2699988411acd8ce488dd2702c3b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f6bac9-a504-4dc5-8aad-9618cc7a5140.vbs

Filesize
752B

MD5
20564a21c5509d622cbb8f1d1bd0fbdd

SHA1
8af65b2834689b8b9674602a8c8d04aab9293b7f

SHA256
3a1c35ac74d17cd941e120ed5cbd3b1d8bfc8c734a83b802dd6c310a4bdf2b68

SHA512
61e59f9412cad92d8d3b47409fe24e8023f51522f86bd81ebdd5be1d9de0abb2fdddc14fede1074bfa8e91e498916e3066fc0086a738fe1083b6917186cb4e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a125c54-9bfe-4d11-90e5-83c03a9be57e.vbs

Filesize
753B

MD5
19bfbea56835a153b6e7b5c569f822c7

SHA1
391e0d6e4a89e7d8e8c370caf76d648a91a7fcbf

SHA256
c11a87f6b55d99e6d7d38be58ed47a4eb931c3e81cb022595fd8dcf0c76cef78

SHA512
d3bc171dfd6a022941fd1a42235105007d1fec75d39b6e4ed7626654527535e2f76d7dcbdfc9d8c0d72f95e54bd153c0ab0d4a9bf872c8eb443419c9a1190946

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ee70c2b-f8a6-4ced-914a-75cef40462dc.vbs

Filesize
753B

MD5
509393ec59d4fa3292a9300ae7e22e61

SHA1
cb6d198a1f865c48b8559ff6bfa6446486bc6166

SHA256
8f07ab86c0d230986807e623ab059d759a77e76e35fed6e4404c3f367bc54a34

SHA512
13cf8146288d9ab763cea9213a950b3a0b2bc60be2abd5e12a25780523afd37dc9cecfc16d03c307618f973ce45987af5b230b4bf5a2cb92fcffbc75489a511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\817e5963-73b6-47e8-ac92-ca7154589f51.vbs

Filesize
753B

MD5
aa5c47e1f1c818c1bd0b1dd1959a6e11

SHA1
c6f73e49c23c9fa6eb7321494c8344fc8fa1a4df

SHA256
469d54f5285b59493f6b5511cf751263462103f7e98d60c3c1a8c737224016b4

SHA512
5501f97e99f9e1a87e81660a60c9a95a66b8f018c2d5809de87c147d0b0c9ac725c2146e05052bfdd57fdca7c80dcf4861155b7b3306c2d9e7e821879ff0bb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8470cdbe-8663-4cd3-9887-3c4fe8410f1d.vbs

Filesize
753B

MD5
81d081f6658e41cf16cfe03c05888256

SHA1
de70852bbbe9017f98d525e8e6a287dab863900e

SHA256
565b325a445370cf770909870a2ef6b14549c5668a1695308dc9df25cfb5d575

SHA512
3ea81cf8e8d0d30201cad875510e78fcdf70efb18ec798802053e78db8910ba9b057779c284b17e30bc8ed5eb6e9fd2d2fcff079e6ba6a5d000f6f7b35ddad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX7B2A.tmp

Filesize
1.7MB

MD5
6bcfacff2920b20d946173bf95750330

SHA1
7a6166a959e12742b8d01ffe953ca1bd63bc000f

SHA256
c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339

SHA512
896bac1f6043b3f1b863f120450f747154d3d116c4bdcd725bc0d6c63b59345e8ca4ada1e0a794561854db8468356dfd9e17dac296dfa8097621f2d3b90c584f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b15b7565-b233-45db-8326-3cd7881158e4.vbs

Filesize
753B

MD5
9f47e53fbde06a1c817d1956e8b70c56

SHA1
7ec38bdf1c94aba12ce54bfe1f389d6c8889bd3f

SHA256
e12326a953b1f390c7a781f4d3241b3032c5510ed92cb361af1f90805cba8c9f

SHA512
ad068ed4536a1d78d16f4fe41b2aa188c64d66ceaa85825f0d19acce8546a221d3b65f4e432efa5ac8cb27eda501714f73a5a0db5cda10a8e026477663c0d279

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd1a38e6-0d9d-4185-80e8-f539137910a3.vbs

Filesize
753B

MD5
56857fc19869c2c273c94e7af797236e

SHA1
d8116de352615b4d7100a490d93da5388b6d5d32

SHA256
6dc7ccf21783371317b09a1928945811a3aca12be244b4ec2a779930516ec947

SHA512
6c8b0d94fe46fe46189e661bf5f6b14856a7e46ce4e4e627446e61efc9eb901b061eb482edd62e9f5906736bf19b099f47f9242772383ecb971f6b8f69e3567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1371cad-2b48-4eec-aa69-a1fd6dda93d9.vbs

Filesize
753B

MD5
a7782b927f71f325e0edb47e6f14f846

SHA1
4f236c8877320a08b1ac5447b7aef26c04ad90b8

SHA256
66ad5586fade979eaf30287274cdb66dd860438d99c4e795dd7d656ed05026a8

SHA512
5798832dc870bda2459a23c2e0a2b2bf3aaddfee6dc9c7bd4eaff322c3f3d385c6523eec616a723a107849a50ed2062d70aedcd067c6d8f49654819fa1000b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d96258b4b3bb0fdd48759895d2ec2714

SHA1
dfe4f596b4654fc92e0c64a6b51d561761f06ede

SHA256
6bc25e6f4ce111dc1c5e33ec4cf03e1aea28d970a18afac7a326fed39753b408

SHA512
3433cabd5ba182c2d33637f1da25cc711a4bb89ca73de581419434bf114e53f7ec6555dc2cb80e3a85611541b3de8a307cf1c9a11b45584d098002459d38fd77

Download Submit
memory/904-185-0x0000000000280000-0x0000000000440000-memory.dmp

Filesize
1.8MB

Download
memory/904-186-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1044-149-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1044-113-0x0000000000960000-0x0000000000B20000-memory.dmp

Filesize
1.8MB

Download
memory/1280-223-0x0000000000ED0000-0x0000000001090000-memory.dmp

Filesize
1.8MB

Download
memory/1324-211-0x0000000000BA0000-0x0000000000D60000-memory.dmp

Filesize
1.8MB

Download
memory/1456-235-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1608-198-0x0000000000990000-0x0000000000B50000-memory.dmp

Filesize
1.8MB

Download
memory/1608-199-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1780-173-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1780-172-0x0000000001100000-0x00000000012C0000-memory.dmp

Filesize
1.8MB

Download
memory/1872-160-0x0000000000F90000-0x0000000001150000-memory.dmp

Filesize
1.8MB

Download
memory/1996-15-0x000000001A880000-0x000000001A888000-memory.dmp

Filesize
32KB

Download
memory/1996-1-0x0000000000E40000-0x0000000001000000-memory.dmp

Filesize
1.8MB

Download
memory/1996-12-0x000000001A860000-0x000000001A86C000-memory.dmp

Filesize
48KB

Download
memory/1996-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1996-17-0x000000001A920000-0x000000001A92C000-memory.dmp

Filesize
48KB

Download
memory/1996-6-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/1996-3-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/1996-4-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1996-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/1996-20-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1996-115-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1996-7-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/1996-5-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/1996-16-0x000000001A890000-0x000000001A89C000-memory.dmp

Filesize
48KB

Download
memory/1996-13-0x000000001A930000-0x000000001A93A000-memory.dmp

Filesize
40KB

Download
memory/1996-14-0x000000001A870000-0x000000001A87E000-memory.dmp

Filesize
56KB

Download
memory/1996-8-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/1996-11-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/1996-9-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2576-103-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2576-109-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download