dcrat | 2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Size

1.7MB
MD5

66eded8b72e993eef8ec0b1b19944cc0
SHA1

21b2295f1f9bd380dd114ff5a5c931b281b1f74c
SHA256

2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d
SHA512

da0079636800e3b463582f90fe68daf8edfa3dd7a5b2837844bd4009607e6b98e6d134ddb92c2f91ebafc251636840e8ab6f5a4fdb87d716a40ca111a84ac787
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2768	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2680-1-0x0000000000A30000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4b7-27.dat	dcrat
behavioral1/files/0x000600000001a4f7-60.dat	dcrat
behavioral1/files/0x000900000001956c-71.dat	dcrat
behavioral1/files/0x00080000000195d6-82.dat	dcrat
behavioral1/files/0x000b000000019606-105.dat	dcrat
behavioral1/files/0x000700000001a4bd-116.dat	dcrat
behavioral1/files/0x000700000001a4c3-125.dat	dcrat
behavioral1/memory/2376-169-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2592-211-0x0000000000A80000-0x0000000000C40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
2508	powershell.exe
1128	powershell.exe
2488	powershell.exe
2500	powershell.exe
708	powershell.exe
1964	powershell.exe
1948	powershell.exe
2492	powershell.exe
2936	powershell.exe
2456	powershell.exe
1740	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Executes dropped EXE 3 IoCs

pid	Process
2376	audiodg.exe
2592	audiodg.exe
1172	audiodg.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Google\Temp\6cb0b6c459d5d3	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX3953.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX321D.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX348F.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Google\Temp\dwm.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX31AF.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX3954.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\dwm.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\6ccacd8608530f	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX3421.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\es-ES\9fc2f42d69d780	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\es-ES\RCX3B58.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\es-ES\RCX3BC6.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2380	schtasks.exe
2280	schtasks.exe
772	schtasks.exe
2616	schtasks.exe
2060	schtasks.exe
2216	schtasks.exe
2636	schtasks.exe
2240	schtasks.exe
2764	schtasks.exe
2168	schtasks.exe
1172	schtasks.exe
2384	schtasks.exe
2460	schtasks.exe
1888	schtasks.exe
2252	schtasks.exe
1004	schtasks.exe
1916	schtasks.exe
1496	schtasks.exe
592	schtasks.exe
2820	schtasks.exe
2584	schtasks.exe
2696	schtasks.exe
2364	schtasks.exe
2480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
1964	powershell.exe
1216	powershell.exe
2492	powershell.exe
2488	powershell.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
1128	powershell.exe
2508	powershell.exe
2936	powershell.exe
708	powershell.exe
1740	powershell.exe
1948	powershell.exe
2500	powershell.exe
2456	powershell.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe
2376	audiodg.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2376	audiodg.exe
Token: SeDebugPrivilege	2592	audiodg.exe
Token: SeDebugPrivilege	1172	audiodg.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1964	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	55
PID 2680 wrote to memory of 1964	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	55
PID 2680 wrote to memory of 1964	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	55
PID 2680 wrote to memory of 1948	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	56
PID 2680 wrote to memory of 1948	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	56
PID 2680 wrote to memory of 1948	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	56
PID 2680 wrote to memory of 1216	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	58
PID 2680 wrote to memory of 1216	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	58
PID 2680 wrote to memory of 1216	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	58
PID 2680 wrote to memory of 2500	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	59
PID 2680 wrote to memory of 2500	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	59
PID 2680 wrote to memory of 2500	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	59
PID 2680 wrote to memory of 2488	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	61
PID 2680 wrote to memory of 2488	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	61
PID 2680 wrote to memory of 2488	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	61
PID 2680 wrote to memory of 2492	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	62
PID 2680 wrote to memory of 2492	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	62
PID 2680 wrote to memory of 2492	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	62
PID 2680 wrote to memory of 2508	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	64
PID 2680 wrote to memory of 2508	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	64
PID 2680 wrote to memory of 2508	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	64
PID 2680 wrote to memory of 1128	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	67
PID 2680 wrote to memory of 1128	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	67
PID 2680 wrote to memory of 1128	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	67
PID 2680 wrote to memory of 2936	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	68
PID 2680 wrote to memory of 2936	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	68
PID 2680 wrote to memory of 2936	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	68
PID 2680 wrote to memory of 2456	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	70
PID 2680 wrote to memory of 2456	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	70
PID 2680 wrote to memory of 2456	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	70
PID 2680 wrote to memory of 1740	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	72
PID 2680 wrote to memory of 1740	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	72
PID 2680 wrote to memory of 1740	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	72
PID 2680 wrote to memory of 708	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	74
PID 2680 wrote to memory of 708	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	74
PID 2680 wrote to memory of 708	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	74
PID 2680 wrote to memory of 2376	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	79
PID 2680 wrote to memory of 2376	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	79
PID 2680 wrote to memory of 2376	2680	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	79
PID 2376 wrote to memory of 852	2376	audiodg.exe	80
PID 2376 wrote to memory of 852	2376	audiodg.exe	80
PID 2376 wrote to memory of 852	2376	audiodg.exe	80
PID 2376 wrote to memory of 1012	2376	audiodg.exe	81
PID 2376 wrote to memory of 1012	2376	audiodg.exe	81
PID 2376 wrote to memory of 1012	2376	audiodg.exe	81
PID 852 wrote to memory of 2592	852	WScript.exe	82
PID 852 wrote to memory of 2592	852	WScript.exe	82
PID 852 wrote to memory of 2592	852	WScript.exe	82
PID 2592 wrote to memory of 2372	2592	audiodg.exe	83
PID 2592 wrote to memory of 2372	2592	audiodg.exe	83
PID 2592 wrote to memory of 2372	2592	audiodg.exe	83
PID 2592 wrote to memory of 2164	2592	audiodg.exe	84
PID 2592 wrote to memory of 2164	2592	audiodg.exe	84
PID 2592 wrote to memory of 2164	2592	audiodg.exe	84
PID 2372 wrote to memory of 1172	2372	WScript.exe	85
PID 2372 wrote to memory of 1172	2372	WScript.exe	85
PID 2372 wrote to memory of 1172	2372	WScript.exe	85
PID 1172 wrote to memory of 2696	1172	audiodg.exe	86
PID 1172 wrote to memory of 2696	1172	audiodg.exe	86
PID 1172 wrote to memory of 2696	1172	audiodg.exe	86
PID 1172 wrote to memory of 1616	1172	audiodg.exe	87
PID 1172 wrote to memory of 1616	1172	audiodg.exe	87
PID 1172 wrote to memory of 1616	1172	audiodg.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
"C:\Users\Admin\AppData\Local\Temp\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Users\Admin\NetHood\audiodg.exe
  "C:\Users\Admin\NetHood\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\172b7ae3-96c1-495f-87bb-2ff46fbb22e2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\NetHood\audiodg.exe
      C:\Users\Admin\NetHood\audiodg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04879b1d-8b0c-4033-ac33-29528b081f8f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Users\Admin\NetHood\audiodg.exe
        
        C:\Users\Admin\NetHood\audiodg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5a181f-12d6-4792-89ef-a6cd51b63fdd.vbs"
        7⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98915d9-68dc-49f3-82d6-435f9bdec1fe.vbs"
        7⤵
        
        PID:1616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bce10fd-1af3-460a-be0a-0b094cd09e3d.vbs"
        5⤵
        
        PID:2164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c5e894-46a0-486b-b44a-5fe472ae35b3.vbs"
    3⤵
    PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN2" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN" /sc ONLOGON /tr "'C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN2" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\dwm.exe

Filesize
1.7MB

MD5
66eded8b72e993eef8ec0b1b19944cc0

SHA1
21b2295f1f9bd380dd114ff5a5c931b281b1f74c

SHA256
2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d

SHA512
da0079636800e3b463582f90fe68daf8edfa3dd7a5b2837844bd4009607e6b98e6d134ddb92c2f91ebafc251636840e8ab6f5a4fdb87d716a40ca111a84ac787

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe

Filesize
1.7MB

MD5
bb86722eeb12b6c718a7e9769a4f99ec

SHA1
76e3baa25d56accba3e7f5fd1c4c07ed50cdd151

SHA256
e5671670f2b61f897a6a22b7e2260ddeee8ae75c89a875e205b5a54b9736839d

SHA512
6c2e13886bcdcb44a2bf5fcbcda2f7de64aa73d5d0f5291fbd1b1d6efc9bb5a94ccd605a6e025807c612bf819ceb8dadd0ecc0937a3d0cf4ba07a10e63bc7aae

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe

Filesize
1.7MB

MD5
9a8844f9f06cae9ad7a19e346aeb107a

SHA1
d0110a1a738555475b95c366d467ea3723f1d9fd

SHA256
5fc30447ae6cb050646d305bd77161a8aa989032564b62d995bc3ecb6327b636

SHA512
63fc7b30bc6d906d63ed24eb081d018d4323336cc4c45d84af2bc5c02c2585c128d2a1cdf7115a40b1f45fb8d25f39cf9dd9261bf270861d8df80fe07364d6cf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\lsm.exe

Filesize
1.7MB

MD5
68e5d263fdf60f3b076891bb9236e2ab

SHA1
436c91fff36d5f4b598571c02b7001ca49c0b28d

SHA256
dc6450d81a1e71b9f183f54f8e07c5dbddc2b72acac9b2a138a7df52b1a378ad

SHA512
09fc3332905f9257ce5ce027818cbe2cc9ad85dff0a9d716be5a568191cf331bfddb3d45b3583e7b3fa3d6fd349d8db13162647ae7e80b16b9bb2cf2db15b578

Download Submit
C:\Users\Admin\AppData\Local\Temp\04879b1d-8b0c-4033-ac33-29528b081f8f.vbs

Filesize
710B

MD5
c36a3141572079ee986a2b10d8d4dbcd

SHA1
46a12193c7c4c4030a55375afbc60e8613c814d3

SHA256
e02397a28103a0edcf8c18d4e76cc2a5760a3c78b1002bf709ea2acb84ab60de

SHA512
2edc4f5f042c089cd9331e60eb7542f24eb0fab2349e0e1f2f1d2243b286a640f649291e7862722908518de5e9b09031baa6ce2772cc372434d0d25cddcd61de

Download Submit
C:\Users\Admin\AppData\Local\Temp\172b7ae3-96c1-495f-87bb-2ff46fbb22e2.vbs

Filesize
710B

MD5
bd0369e4bc45d77facab42539d8b792b

SHA1
898d5116216bba280a8e3665834fd671ce8d2987

SHA256
7da44954ff65f8253ae23e229e7da2345e729447969efff366dcccac1ec9bd91

SHA512
5999e82046ab3375b319908fcfa574b90fae0d143298a22e3768d781fd2b5bae6cb9b00994e5d42b01dbe8f4463a45e6170c27bd17a8ab84523d72368f2ab897

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f5a181f-12d6-4792-89ef-a6cd51b63fdd.vbs

Filesize
710B

MD5
a7acbc5cbf493e1dfde072ba4be118db

SHA1
626f0ea73369205c0e7e2a6282b595b44b94f69a

SHA256
add79b92a7fef7733fbd79a6f0eb0db8110bcd531e123edf871a58411da0f818

SHA512
d7676968d7abcfb116f87d4ae48aa2cb48a3a2a8363f2910b03df0868ad2f0503ec3949b46e294147710e94125b52dc63de3681cca2eeca1b2b51d0794fb6c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4c5e894-46a0-486b-b44a-5fe472ae35b3.vbs

Filesize
486B

MD5
38c5461fc26b5bfed9af43aae990c61c

SHA1
b4094f9aa4c47ef8e53aae4468adb2468e47d5f6

SHA256
17ca1140a70da2fddf7f4e02c9c7fd527ecf0513156722154ad0e8a508cc0e79

SHA512
fb7b3f8a0fcd01f4203dfc268517be2efcfc4fc197ee51775d555da01234082cf7a03fb877e58f7305944b2d61ace57e727beee0ec781e68a059956ea81b1445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\audiodg.exe

Filesize
1.7MB

MD5
a7c93bfda4c620b86d6fb301d62ed572

SHA1
222e6916e8f10943f65a1c2763bcc0140dac9cda

SHA256
e757b4727d5e75f8411d9a3e926e814e158e4f42859a00120c817a870a639bc0

SHA512
9e3daa4117972fac715184edb164e97e5c32049a753e377069eaa1ec02f1ba13776ccd2f0ce8ac3cabb8d8bb7de48c9c2b9f1b99f445ccdf9dde061f0685bca2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0af968e53461bd5f3d295abf80397591

SHA1
1d6e21d95038d28ee71b66bfca5d7423745415b5

SHA256
c376bb6a2c9e78fdb3cb252a351918aee665fff4ee92a098fd22820c442ac1dc

SHA512
01ad1d7f42fd959cc5fc757bef0f99e77540cea49788a372ac68246207e7ffff99328dff3060b0b254ee164988440e19ec7b8d3ea64c0db01c5d278ce309f13c

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
1.7MB

MD5
a1e434f0ab0587fa5ae6551aa5dad8d5

SHA1
0609cd8f06170ab57bc28ad0ce85734661fd9bdd

SHA256
7116da8ae20c2b9484b5e73dc0ab166c7999495db0ee21df6821e8057444c51f

SHA512
a76958ed74d08d44bfb413370c6be16bdead4c090bd50e0a708b4cd1862224099bb05b9bee7afe36c03a2a1b5d6a89f851953a1595ba61afe42dbcf0fae41049

Download Submit
C:\Windows\es-ES\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Filesize
1.7MB

MD5
ce3e6ad7248f9f11008e5ff838cba677

SHA1
5efb26cef87d1a54c52c91da6ae3cf676b861846

SHA256
f4acf0f7c8593bc6c83abd6b84e3866b2f1c0a94a95a45b7afd53f4853e554af

SHA512
8254d021bbb8a447802c5ef8c2e6523fb8cf34e419220a2d9f302de19de3e17986bab4b5bccbe852bff14cc9c132a799a3ee108e8ab657c7485ac9fefdeddd45

Download Submit
memory/1216-146-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1216-152-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2376-169-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/2376-200-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/2592-211-0x0000000000A80000-0x0000000000C40000-memory.dmp

Filesize
1.8MB

Download
memory/2680-14-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2680-7-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2680-13-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2680-16-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2680-12-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2680-11-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2680-9-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2680-8-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2680-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2680-15-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2680-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2680-5-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2680-189-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-20-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2680-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2680-17-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2680-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-1-0x0000000000A30000-0x0000000000BF0000-memory.dmp

Filesize
1.8MB

Download