dcrat | 02f08c858916067c2b1a33de8748c875efb373fe93c2b6cff3887021b89c5e3f

Analysis

max time kernel
122s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Size

1.9MB
MD5

6706364c78566c589c6c45217e852b02
SHA1

e0bc8a67a91d5ea42c072e63f36f4993d9620c2d
SHA256

87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b
SHA512

3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7
SSDEEP

49152:JV9LiEUzT6V+qiRGVcqb++v8PlPwvwOfPGZyM1b2DAWsM:JnezTGriRRq3vGNCJfPOy4b

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2332	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe
2772	powershell.exe
2156	powershell.exe
2180	powershell.exe
2432	powershell.exe
1448	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Journal\\Templates\\OSPPSVC.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\lsm.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8B10E39851B146B3A333C1C71137B732.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\101b941d020240	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File created	C:\Program Files\Windows Journal\Templates\OSPPSVC.exe	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File created	C:\Program Files\Windows Journal\Templates\1610b97d3ab4a7	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe
1496	schtasks.exe
1992	schtasks.exe
2852	schtasks.exe
664	schtasks.exe
2000	schtasks.exe
2020	schtasks.exe
640	schtasks.exe
320	schtasks.exe
2604	schtasks.exe
2536	schtasks.exe
2888	schtasks.exe
1644	schtasks.exe
2368	schtasks.exe
2124	schtasks.exe
2976	schtasks.exe
2296	schtasks.exe
2292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2944	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1308	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	34
PID 2996 wrote to memory of 1308	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	34
PID 2996 wrote to memory of 1308	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	34
PID 1308 wrote to memory of 1028	1308	csc.exe	36
PID 1308 wrote to memory of 1028	1308	csc.exe	36
PID 1308 wrote to memory of 1028	1308	csc.exe	36
PID 2996 wrote to memory of 2384	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	52
PID 2996 wrote to memory of 2384	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	52
PID 2996 wrote to memory of 2384	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	52
PID 2996 wrote to memory of 2772	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	53
PID 2996 wrote to memory of 2772	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	53
PID 2996 wrote to memory of 2772	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	53
PID 2996 wrote to memory of 2156	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	54
PID 2996 wrote to memory of 2156	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	54
PID 2996 wrote to memory of 2156	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	54
PID 2996 wrote to memory of 2180	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	55
PID 2996 wrote to memory of 2180	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	55
PID 2996 wrote to memory of 2180	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	55
PID 2996 wrote to memory of 2432	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	56
PID 2996 wrote to memory of 2432	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	56
PID 2996 wrote to memory of 2432	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	56
PID 2996 wrote to memory of 1448	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	57
PID 2996 wrote to memory of 1448	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	57
PID 2996 wrote to memory of 1448	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	57
PID 2996 wrote to memory of 1036	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	61
PID 2996 wrote to memory of 1036	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	61
PID 2996 wrote to memory of 1036	2996	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe	61
PID 1036 wrote to memory of 2104	1036	cmd.exe	66
PID 1036 wrote to memory of 2104	1036	cmd.exe	66
PID 1036 wrote to memory of 2104	1036	cmd.exe	66
PID 1036 wrote to memory of 2636	1036	cmd.exe	67
PID 1036 wrote to memory of 2636	1036	cmd.exe	67
PID 1036 wrote to memory of 2636	1036	cmd.exe	67
PID 1036 wrote to memory of 2944	1036	cmd.exe	68
PID 1036 wrote to memory of 2944	1036	cmd.exe	68
PID 1036 wrote to memory of 2944	1036	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
"C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5dqt25n\b5dqt25n.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35B.tmp" "c:\Windows\System32\CSC8B10E39851B146B3A333C1C71137B732.TMP"
    3⤵
    PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QKkjcnOV4q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2104
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe
    "C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b8" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b8" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\Templates\OSPPSVC.exe

Filesize
1.9MB

MD5
6706364c78566c589c6c45217e852b02

SHA1
e0bc8a67a91d5ea42c072e63f36f4993d9620c2d

SHA256
87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b

SHA512
3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKkjcnOV4q.bat

Filesize
278B

MD5
260b5f691937dd114abab54257d4c374

SHA1
14d24e2f143246563aa107de2a155d160e7e2417

SHA256
a5710e16d1deffa42db5cb958ddf29671acd6999e3e58df8c3e3772f3326d9a2

SHA512
04e3170fd111917db33eaff6cf1c919215b9d57508569346c717bea1278ba97fd6031f868fe652f69e68414040767f95b7a2f00febc354d7824113b74fbef441

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35B.tmp

Filesize
1KB

MD5
8019a93018efb81b96f0f3febb49e7b7

SHA1
2dde77431a64c81e326006930a97abecdf3c0ae7

SHA256
13551b6ea70b48599818a2a46058c2e832236cc4391d549e17f846aa4d0b92d6

SHA512
c246bc6d6c49950d442b6f32bc031553bfef53a389988282b4d895ec64f6a777342cdf716b243a4ed76a7c29189183cb482594c20b9aec3a97ee0ebef702b350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1ee35c6b478e8d6fafa138e199d7511e

SHA1
5ea86243ef9c01089efc4e2c93a2d5edde7481ab

SHA256
6ad897ee4c7bb8fc0fc27c2ff5edaf422791527b7cd0cc7fbf1ee8e7cf93f4a6

SHA512
faf28117610a1e7dc07a10e474e1a3bac2277cfb884ec522d83a093466a6fdfe8aa1eb69d7432c78f8d12991f757af695c492743283ee50a95bf76e7fcb057bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5dqt25n\b5dqt25n.0.cs

Filesize
386B

MD5
15a33f3a06ee462fc082cbcd851f7db5

SHA1
329f743a3e641dfa9676a30e3017bfdb1812f0d2

SHA256
99bf95b69c46fbadc0e5cee5a2ddf2d82b5df68a367b9d691ffa39c656f12880

SHA512
00cd0f3376ba99b9dbd1231c8633e244d76c75785b1fa96c09e2ebb570280688753cfad42a9c59eb6fb669691a3000baa8b89a51a11b6a4667868ec494af003e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5dqt25n\b5dqt25n.cmdline

Filesize
235B

MD5
5a6d6b43e8fa45d8067a95da7756d693

SHA1
81ee5ddc4d4631c13aff78e8d1d2830c6f9dac3e

SHA256
6690c9f5c82b19f7aa8f3a0944b7ed501b18ff1207199b526e5e2de886403ee0

SHA512
511e7076cb8a3946d0181d8de1ee49a06a26d25ccc23b2108bd354b11deb9d6e3420a8be3d9d8a80bfcf8df059ce390aa2245bb46317981d0452a7793e9c0876

Download Submit
\??\c:\Windows\System32\CSC8B10E39851B146B3A333C1C71137B732.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/2180-59-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2180-60-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2944-81-0x0000000001290000-0x0000000001476000-memory.dmp

Filesize
1.9MB

Download
memory/2996-6-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-8-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2996-17-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-14-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2996-29-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-30-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-31-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-12-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/2996-10-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/2996-16-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2996-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2996-5-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-4-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-3-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-75-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1-0x00000000002C0000-0x00000000004A6000-memory.dmp

Filesize
1.9MB

Download