dcrat | 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Size

827KB
MD5

c847a23633e81d799fba45bde7cc9951
SHA1

090035126cabb2fb574175c271097042025202de
SHA256

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
SHA512

6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb
SSDEEP

12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 18 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2668	schtasks.exe
1204	schtasks.exe
1724	schtasks.exe
3052	schtasks.exe
2216	schtasks.exe
2876	schtasks.exe
1764	schtasks.exe
2776	schtasks.exe
2020	schtasks.exe
3024	schtasks.exe
2988	schtasks.exe
1648	schtasks.exe
2548	schtasks.exe
2384	schtasks.exe
1856	schtasks.exe
2148	schtasks.exe
2596	schtasks.exe
1628	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Windows\\ShellNew\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Windows\\ShellNew\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Windows\\ShellNew\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2680	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2680	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000BF0000-0x0000000000CC6000-memory.dmp	dcrat
behavioral1/files/0x00050000000193b4-11.dat	dcrat
behavioral1/memory/1700-21-0x00000000000D0000-0x00000000001A6000-memory.dmp	dcrat
behavioral1/memory/2032-29-0x0000000000DB0000-0x0000000000E86000-memory.dmp	dcrat
behavioral1/memory/1692-54-0x0000000000150000-0x0000000000226000-memory.dmp	dcrat
behavioral1/memory/2772-61-0x0000000000920000-0x00000000009F6000-memory.dmp	dcrat
behavioral1/memory/2020-68-0x0000000001030000-0x0000000001106000-memory.dmp	dcrat
behavioral1/memory/2960-93-0x0000000001320000-0x00000000013F6000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1700	sppsvc.exe
2032	sppsvc.exe
2424	sppsvc.exe
1380	sppsvc.exe
2428	sppsvc.exe
1692	sppsvc.exe
2772	sppsvc.exe
2020	sppsvc.exe
1040	sppsvc.exe
2176	sppsvc.exe
2956	sppsvc.exe
2960	sppsvc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ShellNew\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ShellNew\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
21	pastebin.com
23	pastebin.com
5	pastebin.com
7	pastebin.com
13	pastebin.com
15	pastebin.com
17	pastebin.com
19	pastebin.com
25	pastebin.com
4	pastebin.com
11	pastebin.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\sppsvc.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\ShellNew\0a1fd5f707cd16	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
1204	schtasks.exe
2988	schtasks.exe
2876	schtasks.exe
2596	schtasks.exe
2216	schtasks.exe
1648	schtasks.exe
1764	schtasks.exe
2776	schtasks.exe
1724	schtasks.exe
2020	schtasks.exe
2668	schtasks.exe
1856	schtasks.exe
3024	schtasks.exe
3052	schtasks.exe
2148	schtasks.exe
1628	schtasks.exe
2384	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
2032	sppsvc.exe
2424	sppsvc.exe
1380	sppsvc.exe
2428	sppsvc.exe
1692	sppsvc.exe
2772	sppsvc.exe
2020	sppsvc.exe
1040	sppsvc.exe
2176	sppsvc.exe
2956	sppsvc.exe
2960	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
1700	sppsvc.exe
2032	sppsvc.exe
2424	sppsvc.exe
1380	sppsvc.exe
2428	sppsvc.exe
1692	sppsvc.exe
2772	sppsvc.exe
2020	sppsvc.exe
1040	sppsvc.exe
2176	sppsvc.exe
2956	sppsvc.exe
2960	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Token: SeDebugPrivilege	1700	sppsvc.exe
Token: SeDebugPrivilege	2032	sppsvc.exe
Token: SeDebugPrivilege	2424	sppsvc.exe
Token: SeDebugPrivilege	1380	sppsvc.exe
Token: SeDebugPrivilege	2428	sppsvc.exe
Token: SeDebugPrivilege	1692	sppsvc.exe
Token: SeDebugPrivilege	2772	sppsvc.exe
Token: SeDebugPrivilege	2020	sppsvc.exe
Token: SeDebugPrivilege	1040	sppsvc.exe
Token: SeDebugPrivilege	2176	sppsvc.exe
Token: SeDebugPrivilege	2956	sppsvc.exe
Token: SeDebugPrivilege	2960	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1700	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	49
PID 2232 wrote to memory of 1700	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	49
PID 2232 wrote to memory of 1700	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	49
PID 2232 wrote to memory of 1700	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	49
PID 2232 wrote to memory of 1700	2232	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	49
PID 1700 wrote to memory of 604	1700	sppsvc.exe	50
PID 1700 wrote to memory of 604	1700	sppsvc.exe	50
PID 1700 wrote to memory of 604	1700	sppsvc.exe	50
PID 604 wrote to memory of 1040	604	cmd.exe	52
PID 604 wrote to memory of 1040	604	cmd.exe	52
PID 604 wrote to memory of 1040	604	cmd.exe	52
PID 604 wrote to memory of 2032	604	cmd.exe	53
PID 604 wrote to memory of 2032	604	cmd.exe	53
PID 604 wrote to memory of 2032	604	cmd.exe	53
PID 604 wrote to memory of 2032	604	cmd.exe	53
PID 604 wrote to memory of 2032	604	cmd.exe	53
PID 2032 wrote to memory of 1984	2032	sppsvc.exe	54
PID 2032 wrote to memory of 1984	2032	sppsvc.exe	54
PID 2032 wrote to memory of 1984	2032	sppsvc.exe	54
PID 1984 wrote to memory of 1368	1984	cmd.exe	56
PID 1984 wrote to memory of 1368	1984	cmd.exe	56
PID 1984 wrote to memory of 1368	1984	cmd.exe	56
PID 1984 wrote to memory of 2424	1984	cmd.exe	57
PID 1984 wrote to memory of 2424	1984	cmd.exe	57
PID 1984 wrote to memory of 2424	1984	cmd.exe	57
PID 1984 wrote to memory of 2424	1984	cmd.exe	57
PID 1984 wrote to memory of 2424	1984	cmd.exe	57
PID 2424 wrote to memory of 712	2424	sppsvc.exe	58
PID 2424 wrote to memory of 712	2424	sppsvc.exe	58
PID 2424 wrote to memory of 712	2424	sppsvc.exe	58
PID 712 wrote to memory of 1972	712	cmd.exe	60
PID 712 wrote to memory of 1972	712	cmd.exe	60
PID 712 wrote to memory of 1972	712	cmd.exe	60
PID 712 wrote to memory of 1380	712	cmd.exe	61
PID 712 wrote to memory of 1380	712	cmd.exe	61
PID 712 wrote to memory of 1380	712	cmd.exe	61
PID 712 wrote to memory of 1380	712	cmd.exe	61
PID 712 wrote to memory of 1380	712	cmd.exe	61
PID 1380 wrote to memory of 3028	1380	sppsvc.exe	62
PID 1380 wrote to memory of 3028	1380	sppsvc.exe	62
PID 1380 wrote to memory of 3028	1380	sppsvc.exe	62
PID 3028 wrote to memory of 1048	3028	cmd.exe	64
PID 3028 wrote to memory of 1048	3028	cmd.exe	64
PID 3028 wrote to memory of 1048	3028	cmd.exe	64
PID 3028 wrote to memory of 2428	3028	cmd.exe	65
PID 3028 wrote to memory of 2428	3028	cmd.exe	65
PID 3028 wrote to memory of 2428	3028	cmd.exe	65
PID 3028 wrote to memory of 2428	3028	cmd.exe	65
PID 3028 wrote to memory of 2428	3028	cmd.exe	65
PID 2428 wrote to memory of 884	2428	sppsvc.exe	66
PID 2428 wrote to memory of 884	2428	sppsvc.exe	66
PID 2428 wrote to memory of 884	2428	sppsvc.exe	66
PID 884 wrote to memory of 3040	884	cmd.exe	68
PID 884 wrote to memory of 3040	884	cmd.exe	68
PID 884 wrote to memory of 3040	884	cmd.exe	68
PID 884 wrote to memory of 1692	884	cmd.exe	69
PID 884 wrote to memory of 1692	884	cmd.exe	69
PID 884 wrote to memory of 1692	884	cmd.exe	69
PID 884 wrote to memory of 1692	884	cmd.exe	69
PID 884 wrote to memory of 1692	884	cmd.exe	69
PID 1692 wrote to memory of 3016	1692	sppsvc.exe	70
PID 1692 wrote to memory of 3016	1692	sppsvc.exe	70
PID 1692 wrote to memory of 3016	1692	sppsvc.exe	70
PID 3016 wrote to memory of 2260	3016	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
"C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\ShellNew\sppsvc.exe
  "C:\Windows\ShellNew\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1040
  - - C:\Windows\ShellNew\sppsvc.exe
      "C:\Windows\ShellNew\sppsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1368
      - C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1972
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1048
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3040
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2260
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        15⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2812
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        17⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1820
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        19⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1556
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        21⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1920
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
        23⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:280
        
        C:\Windows\ShellNew\sppsvc.exe
        
        "C:\Windows\ShellNew\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d1531" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d1531" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Filesize
827KB

MD5
c847a23633e81d799fba45bde7cc9951

SHA1
090035126cabb2fb574175c271097042025202de

SHA256
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

SHA512
6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
195B

MD5
c25d2af3a2b279befbd17e620942ce1c

SHA1
bf1e7b1193001050c82d1383c1f557de48305e0e

SHA256
1d60e33d1fb542d713585520947dc070f2f167bbdaf8e65daccd6cbb5081e94c

SHA512
ace78f2478809c0479b2221d50ca33ebd41e19a0a4e9aebb0ca3505b28bd8bc9faff0d04218a28f327017ceba597c8ea3b3a90cc505d447612f7472b1883d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
195B

MD5
5c8fd55001af2ed88546c492eac2b596

SHA1
53e7c19ce955e05bb8cba8a15bd4820d4b7f392a

SHA256
aa61bb02d82a1fbca9b36037abb9f7806301b841b9dd50490d5951d8171590d9

SHA512
ef7e550856a55a6a8b40259d3bbc9bc8e4fdea395144dca5cade6642a9fdb7156db35b445c74cc5932aa16d32774c01bc944dd2b6960e60fa53b8698d8adb51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
195B

MD5
0e45d956c43fa720bdd40fb2d94dcb04

SHA1
d7990ad4b9597354e8a074687ee35e9c2fd55d1d

SHA256
b919a6de33a075e5074c7e3be524478c08c9a371e86dcccf750c0245929890dd

SHA512
fb6f83b73996ab0f6f759af01a2ede41782a48427542ee181e6c4e0c395fb9a95a4a40e89094758e5049a02f3631b0b69ea88f4bb798d57cea6e5a48b9e10266

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
195B

MD5
1965bcd298f05faf31ffddc14b9299f5

SHA1
3f89aba26787fd52fec8d989bd5463303eee49fd

SHA256
4fc04acc10493a664c7b882726f80e85025612007b5d7af0186df1f60cdd0ec7

SHA512
cf9b92de683482698294785eb5d44be8039c89478ea2d20e93906f91785fbc782fe68e84a0df77cbe1f354785ccf3db6e1288d7fd62fbb4519bbe4e8d9c44c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
195B

MD5
138b19d72533bf6d65478e05b2e825a9

SHA1
e723912266bfb99b44d03e44bec6f706ebbb9236

SHA256
065dc7fb559f96a68282ea3155882bf4819df45c227a8c0ed1d13604ea25d59c

SHA512
713a15ef84de639c692a6bc88e25307f0c8ecf3ee1a1e6ef8360f0ca71dfaa5373b09871fae80bc7508e5697b901456b12321dcc33e3b4e2d833c6fe9f103d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
195B

MD5
4ac6509ddd221da0e20240eb5babec9c

SHA1
fe47bbea24156cb462ded45e7b5cdbafd695cae8

SHA256
1c563827a8af326cae3e34db3130dee24402d94fe41edbeb40e7b5bb3e90ac20

SHA512
dd99d2e20a4c3c6c28030f94dff6c361bf4862005443bedba0eaae12c2a3eabcc38084e464cdd092d672c112ca72361f3cd4670426095aeeda672db316db5e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
195B

MD5
4e8fd820b3a3fd488257ea5e8fa8c1ad

SHA1
6b98a72f6da4d9ff2d7ec7f82ac1da11668adaaa

SHA256
4111a1d13ce37c64469de28729bbd1cdef8ee875e2bde3fd318db603bb2e2824

SHA512
0b6d5940b58ff9f236974c58665d9c33110ccf963e264fc81c1e73b4384630d4cd819381c3c7f3367b08c112f2a019f962e0612c4dd11bfda2a596977fb6eab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
195B

MD5
0fb6e621ce45b928c97043378a159d92

SHA1
cf48e2ccd946589ad1f3f67949ac565084c932cd

SHA256
c5aefd7a46f063399fd8316b4c71bc7c7901b46000cb1e8deefcd810f5f94c66

SHA512
42cbdc0ce876e88aa3d106e6c291c5dfd0f2f295bb66314a3028c5586e22b45c141cbccac9f63e2f28274e9a4d8710261de2db8a53715eac06457f8662af7e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
195B

MD5
fc1bc8e0d9fb1def3a3b8d20564780a1

SHA1
d919d56ae17569fc8022d7d573ffbe9e79cf5020

SHA256
c6c3a21b8fa1391271dcd8ba06f0764d16be10134ea5d4b864d78ee7d687e93f

SHA512
89514fa0f26016a1c4de1b57e72123064f233bed9cdd3c42603f62aaeeecc5868cb04e1e712feb71ae3be21214004eb55bee833740ff4a2394e7c58a7e432738

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

Filesize
195B

MD5
ac5de25e8598773c5b6a560e4d390a9e

SHA1
a9274cd02b76c8eadf3a02cfc13cb309af6467db

SHA256
975c83e9e7f59cc5365878995a903cfdede8ac39c5a9a9e82141039c543f9fc9

SHA512
5ebdd572ef08eb025a468fd652563825d55f74e26ee65fc089d08ac1011cbdcefbae6637383bc3f473d7ed02995c72acf9363f93b2af7ed6ed9bda06e3ce859d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
195B

MD5
1d9a54b9d8d8431a4b3cc1fcd1b20169

SHA1
8ec4c85e1f4a9aa3da00e7d7a2a9429d227386d7

SHA256
2ad3a12a9771b7ec95d0dde974dc6bf2d25d8c58caa4ad2064f4611bf6623edc

SHA512
fc3c26f72d6f99116cbbaebfde8897a0ec6665fa3ec8993ced94f0dcb248750ae9439b37a2f18fbc0037c1f3588668b247fbd9d788862c45598d131c44af64a2

Download Submit
memory/1692-54-0x0000000000150000-0x0000000000226000-memory.dmp

Filesize
856KB

Download
memory/1700-21-0x00000000000D0000-0x00000000001A6000-memory.dmp

Filesize
856KB

Download
memory/2020-68-0x0000000001030000-0x0000000001106000-memory.dmp

Filesize
856KB

Download
memory/2032-29-0x0000000000DB0000-0x0000000000E86000-memory.dmp

Filesize
856KB

Download
memory/2232-22-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2232-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-1-0x0000000000BF0000-0x0000000000CC6000-memory.dmp

Filesize
856KB

Download
memory/2772-61-0x0000000000920000-0x00000000009F6000-memory.dmp

Filesize
856KB

Download
memory/2960-93-0x0000000001320000-0x00000000013F6000-memory.dmp

Filesize
856KB

Download