dcrat | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485ef3e4d31b39e6107f797859f14415.exe
Size

5.9MB
MD5

485ef3e4d31b39e6107f797859f14415
SHA1

3739bada3227bce92e083531766d21aa4c11159a
SHA256

b37b01540833889b41c27875378edb8fefebb2b56423c57a3a003bb1a71e501b
SHA512

d5708f1610ec1748d1866edf380b5bd34f2bced3b100654d0d8cd25651565a6ac3d92777b8959a36290a9020649570e7a64d44d6afd6d33cc6df0dee1a408145
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4t:hyeU11Rvqmu8TWKnF6N/1wY

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2716	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	485ef3e4d31b39e6107f797859f14415.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe
1528	powershell.exe
1740	powershell.exe
1768	powershell.exe
1416	powershell.exe
1640	powershell.exe
864	powershell.exe
1080	powershell.exe
2472	powershell.exe
2664	powershell.exe
1512	powershell.exe
1516	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	485ef3e4d31b39e6107f797859f14415.exe

Executes dropped EXE 3 IoCs

pid	Process
1692	lsass.exe
3068	lsass.exe
676	lsass.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	485ef3e4d31b39e6107f797859f14415.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1692	lsass.exe
1692	lsass.exe
3068	lsass.exe
3068	lsass.exe
676	lsass.exe
676	lsass.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX9EC8.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXA34E.tmp	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\dwm.exe	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\6cb0b6c459d5d3	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9713.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9724.tmp	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\f3b6ecef712a24	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX9BD8.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX9C56.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXA34D.tmp	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Program Files (x86)\Uninstall Information\3da032cf671515	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX9E5A.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\dwm.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	485ef3e4d31b39e6107f797859f14415.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\en-US\cc11b995f2a76d	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Windows\AppPatch\AppPatch64\24dbde2999530e	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXA0CD.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Windows\en-US\winlogon.exe	485ef3e4d31b39e6107f797859f14415.exe
File created	C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\en-US\RCX9928.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\en-US\RCX99A6.tmp	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\en-US\winlogon.exe	485ef3e4d31b39e6107f797859f14415.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXA0CC.tmp	485ef3e4d31b39e6107f797859f14415.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2460	schtasks.exe
1996	schtasks.exe
3048	schtasks.exe
2064	schtasks.exe
2940	schtasks.exe
1860	schtasks.exe
2888	schtasks.exe
2092	schtasks.exe
1668	schtasks.exe
1700	schtasks.exe
1936	schtasks.exe
2136	schtasks.exe
2236	schtasks.exe
2256	schtasks.exe
1256	schtasks.exe
2688	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1172	485ef3e4d31b39e6107f797859f14415.exe
1740	powershell.exe
2664	powershell.exe
1080	powershell.exe
2384	powershell.exe
1512	powershell.exe
1416	powershell.exe
1768	powershell.exe
1528	powershell.exe
1516	powershell.exe
2472	powershell.exe
1640	powershell.exe
864	powershell.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe
1692	lsass.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	485ef3e4d31b39e6107f797859f14415.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1692	lsass.exe
Token: SeDebugPrivilege	3068	lsass.exe
Token: SeDebugPrivilege	676	lsass.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2664	1172	485ef3e4d31b39e6107f797859f14415.exe	49
PID 1172 wrote to memory of 2664	1172	485ef3e4d31b39e6107f797859f14415.exe	49
PID 1172 wrote to memory of 2664	1172	485ef3e4d31b39e6107f797859f14415.exe	49
PID 1172 wrote to memory of 1512	1172	485ef3e4d31b39e6107f797859f14415.exe	50
PID 1172 wrote to memory of 1512	1172	485ef3e4d31b39e6107f797859f14415.exe	50
PID 1172 wrote to memory of 1512	1172	485ef3e4d31b39e6107f797859f14415.exe	50
PID 1172 wrote to memory of 2472	1172	485ef3e4d31b39e6107f797859f14415.exe	51
PID 1172 wrote to memory of 2472	1172	485ef3e4d31b39e6107f797859f14415.exe	51
PID 1172 wrote to memory of 2472	1172	485ef3e4d31b39e6107f797859f14415.exe	51
PID 1172 wrote to memory of 1080	1172	485ef3e4d31b39e6107f797859f14415.exe	53
PID 1172 wrote to memory of 1080	1172	485ef3e4d31b39e6107f797859f14415.exe	53
PID 1172 wrote to memory of 1080	1172	485ef3e4d31b39e6107f797859f14415.exe	53
PID 1172 wrote to memory of 1740	1172	485ef3e4d31b39e6107f797859f14415.exe	54
PID 1172 wrote to memory of 1740	1172	485ef3e4d31b39e6107f797859f14415.exe	54
PID 1172 wrote to memory of 1740	1172	485ef3e4d31b39e6107f797859f14415.exe	54
PID 1172 wrote to memory of 1516	1172	485ef3e4d31b39e6107f797859f14415.exe	55
PID 1172 wrote to memory of 1516	1172	485ef3e4d31b39e6107f797859f14415.exe	55
PID 1172 wrote to memory of 1516	1172	485ef3e4d31b39e6107f797859f14415.exe	55
PID 1172 wrote to memory of 864	1172	485ef3e4d31b39e6107f797859f14415.exe	56
PID 1172 wrote to memory of 864	1172	485ef3e4d31b39e6107f797859f14415.exe	56
PID 1172 wrote to memory of 864	1172	485ef3e4d31b39e6107f797859f14415.exe	56
PID 1172 wrote to memory of 1768	1172	485ef3e4d31b39e6107f797859f14415.exe	57
PID 1172 wrote to memory of 1768	1172	485ef3e4d31b39e6107f797859f14415.exe	57
PID 1172 wrote to memory of 1768	1172	485ef3e4d31b39e6107f797859f14415.exe	57
PID 1172 wrote to memory of 2384	1172	485ef3e4d31b39e6107f797859f14415.exe	58
PID 1172 wrote to memory of 2384	1172	485ef3e4d31b39e6107f797859f14415.exe	58
PID 1172 wrote to memory of 2384	1172	485ef3e4d31b39e6107f797859f14415.exe	58
PID 1172 wrote to memory of 1416	1172	485ef3e4d31b39e6107f797859f14415.exe	59
PID 1172 wrote to memory of 1416	1172	485ef3e4d31b39e6107f797859f14415.exe	59
PID 1172 wrote to memory of 1416	1172	485ef3e4d31b39e6107f797859f14415.exe	59
PID 1172 wrote to memory of 1528	1172	485ef3e4d31b39e6107f797859f14415.exe	60
PID 1172 wrote to memory of 1528	1172	485ef3e4d31b39e6107f797859f14415.exe	60
PID 1172 wrote to memory of 1528	1172	485ef3e4d31b39e6107f797859f14415.exe	60
PID 1172 wrote to memory of 1640	1172	485ef3e4d31b39e6107f797859f14415.exe	62
PID 1172 wrote to memory of 1640	1172	485ef3e4d31b39e6107f797859f14415.exe	62
PID 1172 wrote to memory of 1640	1172	485ef3e4d31b39e6107f797859f14415.exe	62
PID 1172 wrote to memory of 1692	1172	485ef3e4d31b39e6107f797859f14415.exe	73
PID 1172 wrote to memory of 1692	1172	485ef3e4d31b39e6107f797859f14415.exe	73
PID 1172 wrote to memory of 1692	1172	485ef3e4d31b39e6107f797859f14415.exe	73
PID 1692 wrote to memory of 2380	1692	lsass.exe	74
PID 1692 wrote to memory of 2380	1692	lsass.exe	74
PID 1692 wrote to memory of 2380	1692	lsass.exe	74
PID 1692 wrote to memory of 756	1692	lsass.exe	75
PID 1692 wrote to memory of 756	1692	lsass.exe	75
PID 1692 wrote to memory of 756	1692	lsass.exe	75
PID 2380 wrote to memory of 3068	2380	WScript.exe	76
PID 2380 wrote to memory of 3068	2380	WScript.exe	76
PID 2380 wrote to memory of 3068	2380	WScript.exe	76
PID 3068 wrote to memory of 984	3068	lsass.exe	77
PID 3068 wrote to memory of 984	3068	lsass.exe	77
PID 3068 wrote to memory of 984	3068	lsass.exe	77
PID 3068 wrote to memory of 948	3068	lsass.exe	78
PID 3068 wrote to memory of 948	3068	lsass.exe	78
PID 3068 wrote to memory of 948	3068	lsass.exe	78
PID 984 wrote to memory of 676	984	WScript.exe	79
PID 984 wrote to memory of 676	984	WScript.exe	79
PID 984 wrote to memory of 676	984	WScript.exe	79
PID 676 wrote to memory of 1640	676	lsass.exe	80
PID 676 wrote to memory of 1640	676	lsass.exe	80
PID 676 wrote to memory of 1640	676	lsass.exe	80
PID 676 wrote to memory of 2828	676	lsass.exe	81
PID 676 wrote to memory of 2828	676	lsass.exe	81
PID 676 wrote to memory of 2828	676	lsass.exe	81

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	485ef3e4d31b39e6107f797859f14415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\485ef3e4d31b39e6107f797859f14415.exe
"C:\Users\Admin\AppData\Local\Temp\485ef3e4d31b39e6107f797859f14415.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Program Files (x86)\Windows Portable Devices\lsass.exe
  "C:\Program Files (x86)\Windows Portable Devices\lsass.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d54188ed-983a-442a-96df-0028ada4de74.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Program Files (x86)\Windows Portable Devices\lsass.exe
      "C:\Program Files (x86)\Windows Portable Devices\lsass.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdaa1f9e-79cc-4ff8-ade9-ad28b045c112.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
      - C:\Program Files (x86)\Windows Portable Devices\lsass.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsass.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94016749-8571-41e6-9784-4979914fa145.vbs"
        7⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c51b0dae-ba2a-49cd-8222-8773e9b6dc77.vbs"
        7⤵
        
        PID:2828
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99890db3-4a0f-4b0c-bf1b-a49199c55a73.vbs"
        5⤵
        
        PID:948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24871a01-b77b-442a-a39f-165144996910.vbs"
    3⤵
    PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "485ef3e4d31b39e6107f797859f144154" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "485ef3e4d31b39e6107f797859f14415" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "485ef3e4d31b39e6107f797859f144154" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\485ef3e4d31b39e6107f797859f14415.exe

Filesize
5.9MB

MD5
181174227e5c23c010be07ed9433b4fd

SHA1
6bbf66424281d336e9ce6590eed806920914d043

SHA256
a4dd0c3d8ebfe3ed91db50d4253ec316ede5af3960e4f89e3b572448f7c5615e

SHA512
e39b44c6b755b6b650367bc1b14b6055ebb1e0795a7846be59dada05a54495a9f440ffa258a6bb6e5bd14230446530021fb18e716a7c4a02f464b04f61e79b5c

Download Submit
C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe

Filesize
5.9MB

MD5
ddf43c5bf5f08235e863844955937271

SHA1
140d889b59e168352dc9d45be10a30f43233624d

SHA256
14d8373cb58cfb2a65f68bb49b5e4fe4233b3969b88d542135261c682b9b9fec

SHA512
0e337f47001429281a7b692abd6714e209e844d7473522afcc974a7a874d50335dd28502a0c8bab1107eba5b5b47bcb51c7f26593510938a4ab37858eb38ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\24871a01-b77b-442a-a39f-165144996910.vbs

Filesize
509B

MD5
dad30cd7aadeb6815c403e7c1deb41a6

SHA1
2b29588459cec5d5c750ae828159d530b50d38fc

SHA256
fde9b0f4354720924d8b2593f8855a71e427f73b1e1ff4bc494761f37657bd35

SHA512
c6edb45aaa7c0d5611d1cecf449964d29775847e1994dd3e388756ae1c46131e606a6a1b4139adaf979b11974af9f0fea86fecb3a0e156a0f35fe0462816ed72

Download Submit
C:\Users\Admin\AppData\Local\Temp\94016749-8571-41e6-9784-4979914fa145.vbs

Filesize
732B

MD5
43414b573f9ed61ee50de74dad4d74c0

SHA1
f8e42a4bae7d788d0e93bd19cef9bf6594a258c6

SHA256
fbdf56cada2e97c6c3703af9e54f9006b99a236f3cd4c1dfc67d2b9efe010162

SHA512
dd6103aceedc2e9d1857f8122d5593f3f1c2473281c46aa1e329de4a4fde8729d89569a067787cc0537fd8efc9aedca53b8b6ee552bba7dd93818e7764b49684

Download Submit
C:\Users\Admin\AppData\Local\Temp\d54188ed-983a-442a-96df-0028ada4de74.vbs

Filesize
733B

MD5
3ed458343f809b4755ebb5f55131b8e4

SHA1
6cfcf42203cb651fd8ad174df48c2177babfe7b0

SHA256
7ec34d865a71b0b40ac6ba6242b332b5845ef0382f9823c4976071aedca442d8

SHA512
e23d93b956b04e2afbe03dbe569c58db6d224b458c3ddc5b03f0a5b4653da58636fac4aa4426607c7ed05bd455d683b5448dc94cc57a941aeeee3f0c6495a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdaa1f9e-79cc-4ff8-ade9-ad28b045c112.vbs

Filesize
733B

MD5
62f156f16268a3f0e3e4500bc4488317

SHA1
2a1fddcc01b78a4311beb11c913ff90abb9d63c0

SHA256
a300924419a23dddf6739254f573371a3f73a5a07a04c011587ad7f28742dfbb

SHA512
40ad97396c6811a101add63c7c6021aae8b0f96ebf1a35919717f54fd4ad75e67ddb6d0878da62fb17e7cf43df6582b13affe3b82d6bef828acf46649975c5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QAZBL19I0EMJMZTS0WIM.temp

Filesize
7KB

MD5
78edfa6160ddbddf94466e21f374706b

SHA1
06d55e9a0bbf1109d381914db1379012aa57c789

SHA256
5d15f91a916f2967936b813fd9f6597d4c2af752eec05a086358bc0012deb3d5

SHA512
c163cb5a6e26e10be7bbb81d8b8f957269b19c92ff1eb1eefd1caa514fef5b5e26506adf2b092d750c27c4371239c77a78984ca42a36813351222c933dac20a4

Download Submit
C:\Windows\AppPatch\AppPatch64\WmiPrvSE.exe

Filesize
5.9MB

MD5
485ef3e4d31b39e6107f797859f14415

SHA1
3739bada3227bce92e083531766d21aa4c11159a

SHA256
b37b01540833889b41c27875378edb8fefebb2b56423c57a3a003bb1a71e501b

SHA512
d5708f1610ec1748d1866edf380b5bd34f2bced3b100654d0d8cd25651565a6ac3d92777b8959a36290a9020649570e7a64d44d6afd6d33cc6df0dee1a408145

Download Submit
C:\Windows\en-US\winlogon.exe

Filesize
5.9MB

MD5
f7e497f31548578ab55515cd0cb25a47

SHA1
5e3e5832cc807fbadb7dd8ac8851dc4757f56749

SHA256
a48a809101ad1f51d745c087f74a61a8ee870901851e2ddc7393d9d0c0a458fa

SHA512
43788207660699c07b156eed0428b894c452b2b10cf423c475322dcf4cd395f923ef3b9a54eb1beca836042035be8f9728e1d4e196709703a732f54f9fdb06c7

Download Submit
memory/676-222-0x0000000002810000-0x0000000002866000-memory.dmp

Filesize
344KB

Download
memory/676-220-0x0000000000250000-0x0000000000B48000-memory.dmp

Filesize
9.0MB

Download
memory/1172-14-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1172-34-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

Filesize
56KB

Download
memory/1172-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/1172-15-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/1172-16-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/1172-17-0x0000000002C00000-0x0000000002C56000-memory.dmp

Filesize
344KB

Download
memory/1172-18-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/1172-19-0x0000000002C50000-0x0000000002C58000-memory.dmp

Filesize
32KB

Download
memory/1172-20-0x000000001B060000-0x000000001B06C000-memory.dmp

Filesize
48KB

Download
memory/1172-21-0x000000001B070000-0x000000001B078000-memory.dmp

Filesize
32KB

Download
memory/1172-23-0x000000001B080000-0x000000001B092000-memory.dmp

Filesize
72KB

Download
memory/1172-24-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/1172-25-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/1172-26-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/1172-27-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/1172-28-0x000000001BB50000-0x000000001BB5C000-memory.dmp

Filesize
48KB

Download
memory/1172-30-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/1172-29-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/1172-31-0x000000001BB70000-0x000000001BB7A000-memory.dmp

Filesize
40KB

Download
memory/1172-32-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/1172-33-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/1172-13-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/1172-35-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

Filesize
32KB

Download
memory/1172-36-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/1172-37-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/1172-38-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

Filesize
40KB

Download
memory/1172-39-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/1172-12-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/1172-11-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1172-10-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/1172-9-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1172-8-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1172-1-0x0000000000E20000-0x0000000001718000-memory.dmp

Filesize
9.0MB

Download
memory/1172-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1172-164-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1172-7-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/1172-3-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1172-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-5-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/1172-4-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1692-147-0x0000000000BD0000-0x00000000014C8000-memory.dmp

Filesize
9.0MB

Download
memory/1740-142-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1740-144-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/3068-207-0x00000000011F0000-0x0000000001AE8000-memory.dmp

Filesize
9.0MB

Download