dcrat | 91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d

Resubmissions

13-01-2025 04:14

250113-etqtlaxqfm 10

12-01-2025 14:01

250112-rbjc1svmhs 10

Analysis

max time kernel
145s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Size

4.2MB
MD5

d49f9a9a6f4d5c60ae2c35aafe7d105a
SHA1

8a192f01c06d2b67437c8789bdf564864d11eefc
SHA256

91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d
SHA512

fc90ac8848cbc7231bbe6d1c4e974f375d5af137a157d2553e516059270748f5162c1ea51f282850d4572eef6956fc8e6e9cead1a105286c712251ff43d1a440
SSDEEP

98304:hbE+vSZLE4Cj/L7gHNchtcv4zTk24eDeRRXcaiJ:hw+KL6fwscQTk24eWRXhY

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2572	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2572	schtasks.exe	32

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014bda-9.dat	dcrat
behavioral1/memory/2720-13-0x0000000000F30000-0x00000000012E4000-memory.dmp	dcrat
behavioral1/memory/3020-71-0x0000000000F60000-0x0000000001314000-memory.dmp	dcrat
behavioral1/memory/1704-95-0x0000000000160000-0x0000000000514000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
2720	ComProviderreview.exe
3020	taskhost.exe
1820	taskhost.exe
1704	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	cmd.exe
2648	cmd.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ras\dllhost.exe	ComProviderreview.exe
File created	C:\Windows\System32\ras\5940a34987c991	ComProviderreview.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\dwm.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3	ComProviderreview.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\audiodg.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\smss.exe	ComProviderreview.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Common Files\sppsvc.exe	ComProviderreview.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\42af1c969fbb7b	ComProviderreview.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\69ddcba757bf72	ComProviderreview.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	ComProviderreview.exe
File created	C:\Program Files (x86)\Common Files\0a1fd5f707cd16	ComProviderreview.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\cmd.exe	ComProviderreview.exe
File created	C:\Windows\Offline Web Pages\ebf1f9fa8afd6d	ComProviderreview.exe
File created	C:\Windows\L2Schemas\smss.exe	ComProviderreview.exe
File created	C:\Windows\L2Schemas\69ddcba757bf72	ComProviderreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2316	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1540	schtasks.exe
1252	schtasks.exe
1624	schtasks.exe
2820	schtasks.exe
1036	schtasks.exe
1836	schtasks.exe
1560	schtasks.exe
1724	schtasks.exe
2268	schtasks.exe
1240	schtasks.exe
556	schtasks.exe
2796	schtasks.exe
1636	schtasks.exe
2908	schtasks.exe
1700	schtasks.exe
2160	schtasks.exe
1644	schtasks.exe
828	schtasks.exe
2028	schtasks.exe
1656	schtasks.exe
1536	schtasks.exe
2148	schtasks.exe
2456	schtasks.exe
1640	schtasks.exe
2180	schtasks.exe
2004	schtasks.exe
2164	schtasks.exe
1932	schtasks.exe
1336	schtasks.exe
2032	schtasks.exe
2368	schtasks.exe
2068	schtasks.exe
1948	schtasks.exe
964	schtasks.exe
968	schtasks.exe
2980	schtasks.exe
2260	schtasks.exe
2844	schtasks.exe
1816	schtasks.exe
1872	schtasks.exe
1980	schtasks.exe
408	schtasks.exe
2300	schtasks.exe
2244	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2720	ComProviderreview.exe
2720	ComProviderreview.exe
2720	ComProviderreview.exe
2720	ComProviderreview.exe
2720	ComProviderreview.exe
3020	taskhost.exe
1820	taskhost.exe
1704	taskhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	ComProviderreview.exe
Token: SeDebugPrivilege	3020	taskhost.exe
Token: SeDebugPrivilege	1820	taskhost.exe
Token: SeDebugPrivilege	1704	taskhost.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2792	2284	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	28
PID 2284 wrote to memory of 2792	2284	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	28
PID 2284 wrote to memory of 2792	2284	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	28
PID 2284 wrote to memory of 2792	2284	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	28
PID 2792 wrote to memory of 2648	2792	WScript.exe	29
PID 2792 wrote to memory of 2648	2792	WScript.exe	29
PID 2792 wrote to memory of 2648	2792	WScript.exe	29
PID 2792 wrote to memory of 2648	2792	WScript.exe	29
PID 2648 wrote to memory of 2720	2648	cmd.exe	31
PID 2648 wrote to memory of 2720	2648	cmd.exe	31
PID 2648 wrote to memory of 2720	2648	cmd.exe	31
PID 2648 wrote to memory of 2720	2648	cmd.exe	31
PID 2720 wrote to memory of 892	2720	ComProviderreview.exe	78
PID 2720 wrote to memory of 892	2720	ComProviderreview.exe	78
PID 2720 wrote to memory of 892	2720	ComProviderreview.exe	78
PID 892 wrote to memory of 2932	892	cmd.exe	80
PID 892 wrote to memory of 2932	892	cmd.exe	80
PID 892 wrote to memory of 2932	892	cmd.exe	80
PID 2648 wrote to memory of 2316	2648	cmd.exe	81
PID 2648 wrote to memory of 2316	2648	cmd.exe	81
PID 2648 wrote to memory of 2316	2648	cmd.exe	81
PID 2648 wrote to memory of 2316	2648	cmd.exe	81
PID 892 wrote to memory of 3020	892	cmd.exe	82
PID 892 wrote to memory of 3020	892	cmd.exe	82
PID 892 wrote to memory of 3020	892	cmd.exe	82
PID 3020 wrote to memory of 2700	3020	taskhost.exe	83
PID 3020 wrote to memory of 2700	3020	taskhost.exe	83
PID 3020 wrote to memory of 2700	3020	taskhost.exe	83
PID 3020 wrote to memory of 2516	3020	taskhost.exe	84
PID 3020 wrote to memory of 2516	3020	taskhost.exe	84
PID 3020 wrote to memory of 2516	3020	taskhost.exe	84
PID 2700 wrote to memory of 1820	2700	WScript.exe	87
PID 2700 wrote to memory of 1820	2700	WScript.exe	87
PID 2700 wrote to memory of 1820	2700	WScript.exe	87
PID 1820 wrote to memory of 1440	1820	taskhost.exe	88
PID 1820 wrote to memory of 1440	1820	taskhost.exe	88
PID 1820 wrote to memory of 1440	1820	taskhost.exe	88
PID 1820 wrote to memory of 2404	1820	taskhost.exe	89
PID 1820 wrote to memory of 2404	1820	taskhost.exe	89
PID 1820 wrote to memory of 2404	1820	taskhost.exe	89
PID 1440 wrote to memory of 1704	1440	WScript.exe	90
PID 1440 wrote to memory of 1704	1440	WScript.exe	90
PID 1440 wrote to memory of 1704	1440	WScript.exe	90
PID 1704 wrote to memory of 1164	1704	taskhost.exe	91
PID 1704 wrote to memory of 1164	1704	taskhost.exe	91
PID 1704 wrote to memory of 1164	1704	taskhost.exe	91
PID 1704 wrote to memory of 2180	1704	taskhost.exe	92
PID 1704 wrote to memory of 2180	1704	taskhost.exe	92
PID 1704 wrote to memory of 2180	1704	taskhost.exe	92

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
"C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Bridgebrowserdriversession\ComProviderreview.exe
      "C:\Bridgebrowserdriversession\ComProviderreview.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biOrw4GSjV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2932
      - C:\Program Files\Windows Portable Devices\taskhost.exe
        
        "C:\Program Files\Windows Portable Devices\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad606e62-5308-44fe-b79a-1a7247172d21.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Program Files\Windows Portable Devices\taskhost.exe
        
        "C:\Program Files\Windows Portable Devices\taskhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6edc7f6a-eca3-4931-b736-7adc253d94bc.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Program Files\Windows Portable Devices\taskhost.exe
        
        "C:\Program Files\Windows Portable Devices\taskhost.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb68263-abf1-474c-9821-ebaffc5ca401.vbs"
        11⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26eeaec6-3ee0-47b5-9cee-7e1c64e52516.vbs"
        11⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db1e1fda-9085-4953-8399-ab1c335589c9.vbs"
        9⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f9f5fb-920d-416c-a880-f3342e52d982.vbs"
        7⤵
        
        PID:2516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\ras\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ras\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\ras\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Bridgebrowserdriversession\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Bridgebrowserdriversession\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Bridgebrowserdriversession\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat

Filesize
165B

MD5
03feb686475df3981ff89eaf94c01678

SHA1
d03d6234af5825c397755fd67e32606bab6e7050

SHA256
38e603daba57e1db61b78fbca014e86b0273b43ec6a439d3c5b905679e949862

SHA512
5f277d8988d502373d1b6b723153dd6681f20cbde9d68165bd559a954f60406a1c06a0f583a52c568738becf843236f09b47d3500433bad7fe8363e58846659b

Download Submit
C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe

Filesize
224B

MD5
1382f3e3f9f3a531c081f9216e1f3165

SHA1
63bb2176b3b553f2182fedc1b3e2bcdc33a4691b

SHA256
9f7893fd255de70e98053c1ce04106912a686d110b3ba1034c6690ba7870253d

SHA512
41ad75c7a21967f6463ae5b553088c82097f41aa0ba3ad19f0a65e25a1916e8dd2323e8b9e140170b55b025193d7d670a40b32b6b22ab83d0da4e058c11d9568

Download Submit
C:\Users\Admin\AppData\Local\Temp\38f9f5fb-920d-416c-a880-f3342e52d982.vbs

Filesize
506B

MD5
a48bb69ba91ac1126b8645a2c0c8ddc3

SHA1
8909ce4e8eca51542595add46414f34ce6808d6c

SHA256
6cc003874252f8dc42b0c323002c3c551407683009bf27eeb024d49ed600ffa8

SHA512
efe156709106c4a02a59790ff2632cc90154ebbfd3d8417b70c7e4620ebe972e43b5afb6514c8f46db81af76b85419c7c9c1e0a2dc83680f791581755340605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6edc7f6a-eca3-4931-b736-7adc253d94bc.vbs

Filesize
730B

MD5
d3d89dfcbe3da092bc2ee9c97609152f

SHA1
802e25b99f85ce39dcdeecbd2f78dee193dbfef5

SHA256
54a902d3302ea892b3da8aa876e33e42a14470acfd464a47fd60fef431eb4d67

SHA512
6944ee84c1fe1140684a0a7d09615fe321ac43f3a6aaa59216c23b463e25bf453506c196c1029df9e5a879bf080bd3f1f25ad4985c3be29ef3e30a3a8576dd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad606e62-5308-44fe-b79a-1a7247172d21.vbs

Filesize
730B

MD5
c26d34d85ef2f5aace3e95397eff6180

SHA1
1b7ec946a56a477a9ba74448a9781177df01446e

SHA256
81a030c0135d487e27e7faf1e0b4bc9810dbeba5b615d6ab5ef02649db7c7298

SHA512
41754bf2b4e17662428f145fd876c580438270617415b020b80c41a023f28de1b48764755f76e9bfcec6cd2e89dc62c2bb9c703eada7023e84cbf93b6df97663

Download Submit
C:\Users\Admin\AppData\Local\Temp\biOrw4GSjV.bat

Filesize
219B

MD5
9a112faed9a5ca68e0e5bc8006b49774

SHA1
ef0d523a158b50c99a6b4078c0180a5920290277

SHA256
196d54cc1c438128853fd1fb06003337e49c15c5a93648c2c92fd32e3503068d

SHA512
0a6eda1a398d6e1152a5907de4afe35e818b595d566a26cd154b405f9edef4c4228d9b065eb8405dc0349c5a8f3b7aa33e1d1df1ee2d8d17a26be27c7eaa75aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfb68263-abf1-474c-9821-ebaffc5ca401.vbs

Filesize
730B

MD5
f3a2d97755f5144de81b6cb3cdf5dac1

SHA1
139372da2c5ceeb4f9dda61811db15b69ab06b46

SHA256
f74affc739c4ff8d24823e0a78d6f85926393aec19907d8e6f0fd74f27373eec

SHA512
6c9ecce5e4f37bd48b70490ae982beb9c7bd7ef417c9f1fdb96ffde0a2899dbf12495aa614c8b7a77de326b79af0f5c87f274001e22a043f129a3e0ca4f6aee5

Download Submit
\Bridgebrowserdriversession\ComProviderreview.exe

Filesize
3.7MB

MD5
8ba0bad0eb7bd09fde9fe57a8c63c884

SHA1
45a00cb30db1dbf2d6548e1a37cb88a304f46649

SHA256
c050c1d626edf24ea41da7f4b74e20e39a3ae6a66f6a4bff685d6a1c308b600c

SHA512
1c3fa87086fb385d753c5ba49245ddba87a343795b049444d9f21d1cd29adc9dc545f5ef3f92c7d89b9b0289af557524fe88411fefadedcfcd94069845b95041

Download Submit
memory/1704-96-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1704-95-0x0000000000160000-0x0000000000514000-memory.dmp

Filesize
3.7MB

Download
memory/1820-83-0x000000001AAB0000-0x000000001AB06000-memory.dmp

Filesize
344KB

Download
memory/1820-82-0x0000000000C10000-0x0000000000C66000-memory.dmp

Filesize
344KB

Download
memory/2720-18-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2720-31-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/2720-24-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2720-25-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2720-26-0x0000000002790000-0x000000000279A000-memory.dmp

Filesize
40KB

Download
memory/2720-27-0x00000000027A0000-0x00000000027AE000-memory.dmp

Filesize
56KB

Download
memory/2720-28-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/2720-29-0x00000000027C0000-0x00000000027CE000-memory.dmp

Filesize
56KB

Download
memory/2720-30-0x000000001AC60000-0x000000001AC6A000-memory.dmp

Filesize
40KB

Download
memory/2720-23-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2720-22-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2720-13-0x0000000000F30000-0x00000000012E4000-memory.dmp

Filesize
3.7MB

Download
memory/2720-21-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/2720-20-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2720-19-0x0000000000D00000-0x0000000000D56000-memory.dmp

Filesize
344KB

Download
memory/2720-17-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2720-16-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2720-15-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2720-14-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/3020-71-0x0000000000F60000-0x0000000001314000-memory.dmp

Filesize
3.7MB

Download