dcrat | a6cea4f4b68b7f3dd83cbef2f154555cb1f351ad75c061c0650edefa25455d01

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Size

1.5MB
MD5

6689bd9a5c795eedc631e5fbb850b7ff
SHA1

b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
SHA256

cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
SHA512

ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf
SSDEEP

24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4808	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3284	powershell.exe
3236	powershell.exe
3152	powershell.exe
3128	powershell.exe
3388	powershell.exe
3324	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	WMIADAP.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\winlogon.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE1C756086E464815A42A1BE85F810C1.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\sppsvc.exe	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
File created	C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
File created	C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
File created	C:\Program Files\Windows Sidebar\es-ES\75a57c1bdf437c	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\cc11b995f2a76d	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5048	schtasks.exe
1676	schtasks.exe
2368	schtasks.exe
2772	schtasks.exe
1684	schtasks.exe
2560	schtasks.exe
4876	schtasks.exe
5020	schtasks.exe
5104	schtasks.exe
2964	schtasks.exe
4848	schtasks.exe
2940	schtasks.exe
2976	schtasks.exe
2584	schtasks.exe
1616	schtasks.exe
4908	schtasks.exe
5076	schtasks.exe
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
3152	powershell.exe
3128	powershell.exe
3236	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	1588	WMIADAP.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4932	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	35
PID 2000 wrote to memory of 4932	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	35
PID 2000 wrote to memory of 4932	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	35
PID 4932 wrote to memory of 4976	4932	csc.exe	37
PID 4932 wrote to memory of 4976	4932	csc.exe	37
PID 4932 wrote to memory of 4976	4932	csc.exe	37
PID 2000 wrote to memory of 3128	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	53
PID 2000 wrote to memory of 3128	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	53
PID 2000 wrote to memory of 3128	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	53
PID 2000 wrote to memory of 3152	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	54
PID 2000 wrote to memory of 3152	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	54
PID 2000 wrote to memory of 3152	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	54
PID 2000 wrote to memory of 3236	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	55
PID 2000 wrote to memory of 3236	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	55
PID 2000 wrote to memory of 3236	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	55
PID 2000 wrote to memory of 3284	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	56
PID 2000 wrote to memory of 3284	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	56
PID 2000 wrote to memory of 3284	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	56
PID 2000 wrote to memory of 3324	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	57
PID 2000 wrote to memory of 3324	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	57
PID 2000 wrote to memory of 3324	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	57
PID 2000 wrote to memory of 3388	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	58
PID 2000 wrote to memory of 3388	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	58
PID 2000 wrote to memory of 3388	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	58
PID 2000 wrote to memory of 4104	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	65
PID 2000 wrote to memory of 4104	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	65
PID 2000 wrote to memory of 4104	2000	cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe	65
PID 4104 wrote to memory of 1800	4104	cmd.exe	67
PID 4104 wrote to memory of 1800	4104	cmd.exe	67
PID 4104 wrote to memory of 1800	4104	cmd.exe	67
PID 4104 wrote to memory of 804	4104	cmd.exe	68
PID 4104 wrote to memory of 804	4104	cmd.exe	68
PID 4104 wrote to memory of 804	4104	cmd.exe	68
PID 4104 wrote to memory of 1588	4104	cmd.exe	69
PID 4104 wrote to memory of 1588	4104	cmd.exe	69
PID 4104 wrote to memory of 1588	4104	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
"C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvnfd1dv\tvnfd1dv.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD652.tmp" "c:\Windows\System32\CSCE1C756086E464815A42A1BE85F810C1.TMP"
    3⤵
    PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hrUkp491SL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1800
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:804
- - C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe
    "C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810bc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810bc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Stationery\1033\winlogon.exe

Filesize
1.5MB

MD5
6689bd9a5c795eedc631e5fbb850b7ff

SHA1
b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2

SHA256
cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

SHA512
ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD652.tmp

Filesize
1KB

MD5
c86336d91438d890be71023622a1c0db

SHA1
df6484363dbf5d2f90898cf36bbbd05aa44406dd

SHA256
651912c1060a581c9c94f01024929e0ceb2531ef3ae35ae050e2c014087dbf54

SHA512
341b8791260103531cea7a1796b0adb1ca13de8f8d6bc4d6208b7d78b1f5006774455973ce50020295543444e9fd3351648c87f45ee40eeee67a82137d937750

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrUkp491SL.bat

Filesize
226B

MD5
02e1747f89ad203a88e44da944261816

SHA1
7803852c92cd9143a3b114ab26454cd7dd9219bb

SHA256
9fed0b4fa7f0c744f1e0186bbc0b9bb7d1e73f821f61079df84952f3ec6bbc32

SHA512
5bf6bbcf572a6530fb14401f46f47832ed92746d766bd14223af54bb626dd4ce713d4a2a08a1e92f77d9cf7fe48a7cd46eea71d9a2605e302e06a977697951dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab19a4d5a32e355fc93b51bc8a6a88c7

SHA1
20b5e30b0d56234897530ebf61a64cf707073dea

SHA256
7a7cd97ee127b069c26afe45bde2edc2e98fb25bb52d77554c728d15aac511e5

SHA512
4ccb1ab1513207a7930d8e681cce67a74c265a4c2c52d99c9eea6343cd4a82122128339d2844a2b80732aa793191c68e429a9894e00fb23e15addf423332f63e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvnfd1dv\tvnfd1dv.0.cs

Filesize
400B

MD5
f64ca7a731f17fab63745ea830015225

SHA1
31d11419f7268e3c220e98903b703a74df42ee75

SHA256
fbf2473e2c112bddcbdbed28a04f98de988c07c83cee8adaa2cfb7a77965af95

SHA512
c71424ec8f528a697200a9d1e112cb37637a12e1b213926940d60caff37ff6f4d6448d6d544799e408eb38ea2ec695fe2b4859616e6db43bf211b48dc9bb87ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvnfd1dv\tvnfd1dv.cmdline

Filesize
235B

MD5
88a399545e96d2e4b375da9e25370032

SHA1
c4720f62f47391244bac30ac97a3283e9c42ab97

SHA256
63d0e72ca48b47f2a4a1cbc03574d9cd9104b0523367a2d3545ecb3da1f4ed86

SHA512
7f485bf7b4e7521dcfdf7d311d90b28239dca639edaff4e8fa7df7d51d3833351d34c63e54b70f453d8daf901e97fbb68cae4837bd6f9ef8eb6e5bb4ae63da90

Download Submit
\??\c:\Windows\System32\CSCE1C756086E464815A42A1BE85F810C1.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
memory/1588-3639-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/2000-22-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-13-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-66-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-64-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-62-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-60-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-58-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-56-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-52-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-50-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-48-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-46-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-44-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-42-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-40-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-38-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-34-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-32-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-30-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-28-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-26-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-24-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2000-20-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-18-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-16-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-14-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-54-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-309-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3560-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3561-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3563-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2000-3565-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/2000-3566-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3570-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2000-3568-0x0000000000790000-0x00000000007A8000-memory.dmp

Filesize
96KB

Download
memory/2000-3571-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-36-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-3583-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3584-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3585-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-4-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-6-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-8-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-10-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-3598-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2000-3602-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-3-0x000000001AD40000-0x000000001AF14000-memory.dmp

Filesize
1.8MB

Download
memory/2000-3633-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-2-0x000000001AD40000-0x000000001AF1A000-memory.dmp

Filesize
1.9MB

Download
memory/2000-1-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/3128-3636-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/3152-3635-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download