dcrat | dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c

Analysis

max time kernel
120s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
Size

1.7MB
MD5

d071fe4e42941ead06b9be307d35dc02
SHA1

c3101cc5b520f7b29a1dddfbd5968fab06d7771b
SHA256

dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c
SHA512

30015a3d01c8171ab65953dd771d45b63bc8f89f8739bf75c522af208e1b7976b2cb94ee8fb69d9f4507749488f0be19d299480d934018ad2b082bcd6b627163
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvG:+THUxUoh1IF9gl2/

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2196	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2196	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-1-0x00000000010B0000-0x0000000001270000-memory.dmp	dcrat
behavioral1/files/0x000500000001960b-30.dat	dcrat
behavioral1/files/0x00060000000195c5-76.dat	dcrat
behavioral1/files/0x000600000001873d-148.dat	dcrat
behavioral1/memory/2636-149-0x0000000000ED0000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2452-182-0x00000000003A0000-0x0000000000560000-memory.dmp	dcrat
behavioral1/memory/2112-194-0x00000000003B0000-0x0000000000570000-memory.dmp	dcrat
behavioral1/memory/2636-206-0x00000000003E0000-0x00000000005A0000-memory.dmp	dcrat
behavioral1/memory/2448-218-0x00000000009E0000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/608-230-0x0000000001090000-0x0000000001250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
2024	powershell.exe
760	powershell.exe
1844	powershell.exe
2896	powershell.exe
2932	powershell.exe
1428	powershell.exe
1720	powershell.exe
1656	powershell.exe
1216	powershell.exe
1928	powershell.exe
1784	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe

Executes dropped EXE 8 IoCs

pid	Process
2636	System.exe
2844	System.exe
2816	System.exe
2452	System.exe
2112	System.exe
2636	System.exe
2448	System.exe
608	System.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\System.exe	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File created	C:\Program Files (x86)\Google\CrashReports\27d1bcfc3c54e0	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC7C4.tmp	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC7C5.tmp	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC9C9.tmp	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File created	C:\Program Files\Windows Portable Devices\1610b97d3ab4a7	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC9CA.tmp	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\System.exe	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
File created	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
3040	schtasks.exe
2724	schtasks.exe
2856	schtasks.exe
3024	schtasks.exe
2568	schtasks.exe
2596	schtasks.exe
2224	schtasks.exe
2804	schtasks.exe
2836	schtasks.exe
1148	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
1428	powershell.exe
760	powershell.exe
1784	powershell.exe
2896	powershell.exe
1928	powershell.exe
2932	powershell.exe
2024	powershell.exe
1844	powershell.exe
1216	powershell.exe
1720	powershell.exe
1624	powershell.exe
1656	powershell.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2636	System.exe
Token: SeDebugPrivilege	2844	System.exe
Token: SeDebugPrivilege	2816	System.exe
Token: SeDebugPrivilege	2452	System.exe
Token: SeDebugPrivilege	2112	System.exe
Token: SeDebugPrivilege	2636	System.exe
Token: SeDebugPrivilege	2448	System.exe
Token: SeDebugPrivilege	608	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1428	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	44
PID 2364 wrote to memory of 1428	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	44
PID 2364 wrote to memory of 1428	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	44
PID 2364 wrote to memory of 1624	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	45
PID 2364 wrote to memory of 1624	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	45
PID 2364 wrote to memory of 1624	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	45
PID 2364 wrote to memory of 1720	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	46
PID 2364 wrote to memory of 1720	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	46
PID 2364 wrote to memory of 1720	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	46
PID 2364 wrote to memory of 2024	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	47
PID 2364 wrote to memory of 2024	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	47
PID 2364 wrote to memory of 2024	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	47
PID 2364 wrote to memory of 1656	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	48
PID 2364 wrote to memory of 1656	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	48
PID 2364 wrote to memory of 1656	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	48
PID 2364 wrote to memory of 760	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	49
PID 2364 wrote to memory of 760	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	49
PID 2364 wrote to memory of 760	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	49
PID 2364 wrote to memory of 1216	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	50
PID 2364 wrote to memory of 1216	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	50
PID 2364 wrote to memory of 1216	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	50
PID 2364 wrote to memory of 1844	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	51
PID 2364 wrote to memory of 1844	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	51
PID 2364 wrote to memory of 1844	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	51
PID 2364 wrote to memory of 1928	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	52
PID 2364 wrote to memory of 1928	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	52
PID 2364 wrote to memory of 1928	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	52
PID 2364 wrote to memory of 1784	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	53
PID 2364 wrote to memory of 1784	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	53
PID 2364 wrote to memory of 1784	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	53
PID 2364 wrote to memory of 2896	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	54
PID 2364 wrote to memory of 2896	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	54
PID 2364 wrote to memory of 2896	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	54
PID 2364 wrote to memory of 2932	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	55
PID 2364 wrote to memory of 2932	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	55
PID 2364 wrote to memory of 2932	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	55
PID 2364 wrote to memory of 2488	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	62
PID 2364 wrote to memory of 2488	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	62
PID 2364 wrote to memory of 2488	2364	dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe	62
PID 2488 wrote to memory of 1740	2488	cmd.exe	70
PID 2488 wrote to memory of 1740	2488	cmd.exe	70
PID 2488 wrote to memory of 1740	2488	cmd.exe	70
PID 2488 wrote to memory of 2636	2488	cmd.exe	71
PID 2488 wrote to memory of 2636	2488	cmd.exe	71
PID 2488 wrote to memory of 2636	2488	cmd.exe	71
PID 2636 wrote to memory of 1932	2636	System.exe	72
PID 2636 wrote to memory of 1932	2636	System.exe	72
PID 2636 wrote to memory of 1932	2636	System.exe	72
PID 2636 wrote to memory of 2004	2636	System.exe	73
PID 2636 wrote to memory of 2004	2636	System.exe	73
PID 2636 wrote to memory of 2004	2636	System.exe	73
PID 1932 wrote to memory of 2844	1932	WScript.exe	74
PID 1932 wrote to memory of 2844	1932	WScript.exe	74
PID 1932 wrote to memory of 2844	1932	WScript.exe	74
PID 2844 wrote to memory of 1792	2844	System.exe	75
PID 2844 wrote to memory of 1792	2844	System.exe	75
PID 2844 wrote to memory of 1792	2844	System.exe	75
PID 2844 wrote to memory of 2556	2844	System.exe	76
PID 2844 wrote to memory of 2556	2844	System.exe	76
PID 2844 wrote to memory of 2556	2844	System.exe	76
PID 1792 wrote to memory of 2816	1792	WScript.exe	77
PID 1792 wrote to memory of 2816	1792	WScript.exe	77
PID 1792 wrote to memory of 2816	1792	WScript.exe	77
PID 2816 wrote to memory of 2180	2816	System.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe
"C:\Users\Admin\AppData\Local\Temp\dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1740
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8581b64a-a551-407e-a857-896f05a302a5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6de90d75-82eb-496f-8b2d-a56e140741f7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e0d873d-5843-4c93-a537-d2b63d5524c3.vbs"
        8⤵
        
        PID:2180
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78f7a33e-33cd-4b4a-b82f-75e869cb702f.vbs"
        10⤵
        
        PID:2372
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96004bbf-4f5a-452f-8bc6-7668b535847b.vbs"
        12⤵
        
        PID:1104
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abcb9c15-18a5-46dd-bfe8-96cf273615c4.vbs"
        14⤵
        
        PID:1228
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d642ef73-5a87-4c7e-9449-ef4c930eaf98.vbs"
        16⤵
        
        PID:1792
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2345fcd8-cd79-4597-8bfb-258dbd32a084.vbs"
        18⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\966e5cde-94f1-4113-9ace-9b55d24a0012.vbs"
        18⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb06247-ab0f-4a78-a625-1ea498264a6f.vbs"
        16⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30fa71f5-3316-4c36-8375-1153a25ccdab.vbs"
        14⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43ac6c81-2121-4fc2-93b7-27c6d1b05616.vbs"
        12⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44df4f87-c0a9-4a6f-a69a-ebc55fa215a0.vbs"
        10⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e482b55-560c-477e-a30e-e5a95545db18.vbs"
        8⤵
        
        PID:1436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\505873b9-2843-4de0-bb63-c2be9cc59da5.vbs"
        6⤵
        
        PID:2556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9feac5-eb43-46a9-9890-7ef1522ccbf3.vbs"
      4⤵
      PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe

Filesize
1.7MB

MD5
0a2b311ae2756797eb8624149e1ea761

SHA1
8e6736210f211061ec740ec7fcc05d861eebaa34

SHA256
bc291fb95978148f9bc1578189e3df39997860175824723426919979f29f0346

SHA512
7b38fbf7e56734b68852e6935c7e2bceb7f62175d0287e64afdfbf769e4424bb011a454a5b3c057701b34ec32aaef6a068f124d401f55a5db04a8a1e7b985af0

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe

Filesize
1.7MB

MD5
d071fe4e42941ead06b9be307d35dc02

SHA1
c3101cc5b520f7b29a1dddfbd5968fab06d7771b

SHA256
dcf5dfc2327f09370f1821cf94c3dbba3e3431f9f0e315cfd7f64c76c872cf3c

SHA512
30015a3d01c8171ab65953dd771d45b63bc8f89f8739bf75c522af208e1b7976b2cb94ee8fb69d9f4507749488f0be19d299480d934018ad2b082bcd6b627163

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e0d873d-5843-4c93-a537-d2b63d5524c3.vbs

Filesize
735B

MD5
80b629eb200e193b33d0f073a0ec5dcb

SHA1
e4c1016e68e0b644c29669ded95ee7fc0b1e5f1d

SHA256
2ad08dcfb6f3138480bae978096b600371efd93e85c4ae679a02523691d6726f

SHA512
615d509cb4ccd5fa711ba2e1844c1afb31cc67db93d00466b7e06a4897784adab458a99a771487e15663b3dc7c7580e58ce0661522ac4bca0a6e0278ee40691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2345fcd8-cd79-4597-8bfb-258dbd32a084.vbs

Filesize
734B

MD5
bbd76d575f29d605591b5686d5c6c831

SHA1
70b625085e7d92624f97baff3f0d91b7df973bd7

SHA256
d6bb1c44872903f918e8a2648fa8ddfe4563cae949a38b4eff1add2c596dbb21

SHA512
56a8eea861b2de6de437cd80defb65de21e3f94923b00b9a5cd4291220afe91aa5d179cb537961178761f80d84232ed923917127059939db5a8b0f7672e09e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\6de90d75-82eb-496f-8b2d-a56e140741f7.vbs

Filesize
735B

MD5
8f51f2ddd61a0904ba96ada9a062ce62

SHA1
03e4ed74902f3d68f09915c0d82aa1ca71ff8bc7

SHA256
1bd24ae7e22f7a44569c5b9ee030c0554dd3922d5ced0f947298522819c6ff80

SHA512
b039489c109d4fc4c1f52d0b5b1fb5967051d8532c06a8499eb98b4e8f42dd95a268137a92a476e1872920bf8b59eef89379a42cf562f11f5ea5ea547fb7dd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\78f7a33e-33cd-4b4a-b82f-75e869cb702f.vbs

Filesize
735B

MD5
920f14c011e5de7d189ae73724d9f14b

SHA1
844acef9526329ab66f5541dc3af825b0acc7190

SHA256
b32884dc7fb878c012d8c77d7248bc9a255825e75d0615f58e4ed17ae993715b

SHA512
b10598c58396914e4aa3362a4a3169032d38933ae083386a4d5518c85ea2f5f1c9be3246268d708cc406366a39572dde0888eddae595e8962b62fdcfdbef2d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8581b64a-a551-407e-a857-896f05a302a5.vbs

Filesize
735B

MD5
07a1dc0f35586ce78b0a6f230152f75b

SHA1
44281ccd2a9b5702537a105498822af180e6bea9

SHA256
4d820e08a391595cea16e3c3583f564c8bd0ed1fa9197c04e02a6c7adbb07a3e

SHA512
949062ffbd1dfa81e2be79354d356bd0cd0289633fb4f4b3334b4b72d166f81266573ed9fb751bbf1e5566ba2fd05d7d14c5faaa93b17dfae25533d07b6d3787

Download Submit
C:\Users\Admin\AppData\Local\Temp\96004bbf-4f5a-452f-8bc6-7668b535847b.vbs

Filesize
735B

MD5
835e89eb17f34d8a51ff379416788f0a

SHA1
5949eabe59e45c3dd5f5fba53db5c5a0ef0ec9bc

SHA256
afed01691d469f8d903e222af034e0571313f00897b4b12e71ffa7a94b2a198e

SHA512
78876ae4c38a69f7a7a3e82a067ff91c19141f63dfa74cbb1a017b18d1f9b14afad1d93e3ee35eab35ce77a1ee5f2bbc177df5bb45cd4406fa5860485091b981

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC5B0.tmp

Filesize
1.7MB

MD5
7a2f8094d8034feeebb4b6eaa3fde100

SHA1
07938320b644032d9955e95234f0abed26ea675c

SHA256
3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd

SHA512
cb967bd15df2ed22bd2e74a00a603e3fe98b043cce3587aaef0054d5f44fb34718a361fb0c758b3c93071fb8992515f6aff75603cf2535488712c41a5750c06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat

Filesize
224B

MD5
b8bbe98d14c037f4a5c6cd4261059be6

SHA1
867272c7336a310b6a54a99dd96d0dc975f2e28d

SHA256
80b62ea59c40c455feb933eb21a5b4d0ed91c37189ac39420972be9862a06fd7

SHA512
1bad9f568f730f1c56deb2e57090d6bd5a0032bc6d68ade7c5f9e821f5551c63943a9d17851ed7e6d82b1b98f10fe0df4c1e85ca1bc7ebf2602c2c1b8ed80623

Download Submit
C:\Users\Admin\AppData\Local\Temp\d642ef73-5a87-4c7e-9449-ef4c930eaf98.vbs

Filesize
735B

MD5
f996e6b9e7486c9d0dba061292c27ffd

SHA1
c9d65258582fa6c4ab4106a69ebb0519984580e5

SHA256
79027449c7c0cca7d172b518f64e6a7378d79189d5710515ea84b61a0e34d48b

SHA512
15a1d5863cb1d5ca88cbc1926c5a8c47ba81d42688b00b3b5f82f955d1588041456fd786b5c084cb96d802347d83f1d4b32e10e352382c1083a1862c3ea65fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa9feac5-eb43-46a9-9890-7ef1522ccbf3.vbs

Filesize
511B

MD5
90d4f47bdc1ec0395b158492fcfa7981

SHA1
2e366dcabc80f2ee6ac9d27b4a21cd32f4bee853

SHA256
440f1860e445ba7f38feda51dd7a7a46eedeb3cd8e86e79ccb4977f4c2e1044b

SHA512
51bff3b20c723b812a89ddfc9566acd8ba29b7a42d06d46e34cec235617cd985b5795b8f9d510a70b628fed7062e24614af0908dcebe2df1b73ecd0b249365d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3948f4031e8734c3b6ed7e4b53c1a49

SHA1
8aad27a61ed65451c7531466d76f58f5c1cd468b

SHA256
5c86b78cd9a3dbe0f3a7bbc959bfe4bb80c7c40901d6f846301d8ba7817911c5

SHA512
69f4b8b52dee75589587e79ec7f34ee72b7a5f99de1f1b07be8385e757122b29627ff805ce2c7bef684b527874d0f9223f4a95e9fb6e0579a3a020fe123b46d2

Download Submit
memory/608-230-0x0000000001090000-0x0000000001250000-memory.dmp

Filesize
1.8MB

Download
memory/760-109-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/760-115-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2112-194-0x00000000003B0000-0x0000000000570000-memory.dmp

Filesize
1.8MB

Download
memory/2364-11-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2364-9-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2364-17-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2364-84-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-16-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2364-15-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2364-14-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/2364-13-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2364-12-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2364-1-0x00000000010B0000-0x0000000001270000-memory.dmp

Filesize
1.8MB

Download
memory/2364-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2364-19-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-8-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2364-6-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/2364-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-7-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2364-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2364-5-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2364-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2448-218-0x00000000009E0000-0x0000000000BA0000-memory.dmp

Filesize
1.8MB

Download
memory/2452-182-0x00000000003A0000-0x0000000000560000-memory.dmp

Filesize
1.8MB

Download
memory/2636-206-0x00000000003E0000-0x00000000005A0000-memory.dmp

Filesize
1.8MB

Download
memory/2636-149-0x0000000000ED0000-0x0000000001090000-memory.dmp

Filesize
1.8MB

Download