dcrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
62s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

692a24fa9e70407c4d311a134752a34b.exe
Size

5.9MB
MD5

692a24fa9e70407c4d311a134752a34b
SHA1

26e196e795d61f2054ff612c744807c39d83f5c4
SHA256

82fada6265676b0e76d9902aed25cda0431e992ba79d21cceb3dd1e2c6471227
SHA512

a6e6a2c1c8c3839542cf3e9f0012070809d7e30abbbc1c9f7b0c85f5bf1ce2974148784f2845fe724a36d5cf408e799b9265aa9fef4c65ea7342585e442c973e
SSDEEP

98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw42:ByeU11Rvqmu8TWKnF6N/1wP

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2984	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	692a24fa9e70407c4d311a134752a34b.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe
1780	powershell.exe
1288	powershell.exe
2528	powershell.exe
2676	powershell.exe
2792	powershell.exe
2788	powershell.exe
1964	powershell.exe
1596	powershell.exe
660	powershell.exe
2684	powershell.exe
2884	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	692a24fa9e70407c4d311a134752a34b.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	audiodg.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	692a24fa9e70407c4d311a134752a34b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2544	audiodg.exe
2544	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC18.tmp	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC19.tmp	692a24fa9e70407c4d311a134752a34b.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	692a24fa9e70407c4d311a134752a34b.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	692a24fa9e70407c4d311a134752a34b.exe
File created	C:\Program Files (x86)\Reference Assemblies\wininit.exe	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\audiodg.exe	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXE2C.tmp	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXE9A.tmp	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\wininit.exe	692a24fa9e70407c4d311a134752a34b.exe
File created	C:\Program Files (x86)\Reference Assemblies\56085415360792	692a24fa9e70407c4d311a134752a34b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\56085415360792	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Windows\L2Schemas\RCX17B6.tmp	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Windows\L2Schemas\RCX17C6.tmp	692a24fa9e70407c4d311a134752a34b.exe
File opened for modification	C:\Windows\L2Schemas\wininit.exe	692a24fa9e70407c4d311a134752a34b.exe
File created	C:\Windows\L2Schemas\wininit.exe	692a24fa9e70407c4d311a134752a34b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe
1044	schtasks.exe
2820	schtasks.exe
684	schtasks.exe
2256	schtasks.exe
1696	schtasks.exe
1676	schtasks.exe
924	schtasks.exe
772	schtasks.exe
408	schtasks.exe
2232	schtasks.exe
2972	schtasks.exe
2008	schtasks.exe
2708	schtasks.exe
1872	schtasks.exe
2080	schtasks.exe
2740	schtasks.exe
2108	schtasks.exe
2196	schtasks.exe
2012	schtasks.exe
2988	schtasks.exe
2132	schtasks.exe
1636	schtasks.exe
1784	schtasks.exe
1868	schtasks.exe
320	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
2788	powershell.exe
1288	powershell.exe
2616	692a24fa9e70407c4d311a134752a34b.exe
1596	powershell.exe
660	powershell.exe
2528	powershell.exe
2884	powershell.exe
2684	powershell.exe
2792	powershell.exe
2676	powershell.exe
2268	powershell.exe
1964	powershell.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe
2544	audiodg.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	692a24fa9e70407c4d311a134752a34b.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2544	audiodg.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1288	2616	692a24fa9e70407c4d311a134752a34b.exe	58
PID 2616 wrote to memory of 1288	2616	692a24fa9e70407c4d311a134752a34b.exe	58
PID 2616 wrote to memory of 1288	2616	692a24fa9e70407c4d311a134752a34b.exe	58
PID 2616 wrote to memory of 660	2616	692a24fa9e70407c4d311a134752a34b.exe	59
PID 2616 wrote to memory of 660	2616	692a24fa9e70407c4d311a134752a34b.exe	59
PID 2616 wrote to memory of 660	2616	692a24fa9e70407c4d311a134752a34b.exe	59
PID 2616 wrote to memory of 1780	2616	692a24fa9e70407c4d311a134752a34b.exe	61
PID 2616 wrote to memory of 1780	2616	692a24fa9e70407c4d311a134752a34b.exe	61
PID 2616 wrote to memory of 1780	2616	692a24fa9e70407c4d311a134752a34b.exe	61
PID 2616 wrote to memory of 1596	2616	692a24fa9e70407c4d311a134752a34b.exe	62
PID 2616 wrote to memory of 1596	2616	692a24fa9e70407c4d311a134752a34b.exe	62
PID 2616 wrote to memory of 1596	2616	692a24fa9e70407c4d311a134752a34b.exe	62
PID 2616 wrote to memory of 2268	2616	692a24fa9e70407c4d311a134752a34b.exe	64
PID 2616 wrote to memory of 2268	2616	692a24fa9e70407c4d311a134752a34b.exe	64
PID 2616 wrote to memory of 2268	2616	692a24fa9e70407c4d311a134752a34b.exe	64
PID 2616 wrote to memory of 1964	2616	692a24fa9e70407c4d311a134752a34b.exe	66
PID 2616 wrote to memory of 1964	2616	692a24fa9e70407c4d311a134752a34b.exe	66
PID 2616 wrote to memory of 1964	2616	692a24fa9e70407c4d311a134752a34b.exe	66
PID 2616 wrote to memory of 2788	2616	692a24fa9e70407c4d311a134752a34b.exe	67
PID 2616 wrote to memory of 2788	2616	692a24fa9e70407c4d311a134752a34b.exe	67
PID 2616 wrote to memory of 2788	2616	692a24fa9e70407c4d311a134752a34b.exe	67
PID 2616 wrote to memory of 2792	2616	692a24fa9e70407c4d311a134752a34b.exe	69
PID 2616 wrote to memory of 2792	2616	692a24fa9e70407c4d311a134752a34b.exe	69
PID 2616 wrote to memory of 2792	2616	692a24fa9e70407c4d311a134752a34b.exe	69
PID 2616 wrote to memory of 2676	2616	692a24fa9e70407c4d311a134752a34b.exe	70
PID 2616 wrote to memory of 2676	2616	692a24fa9e70407c4d311a134752a34b.exe	70
PID 2616 wrote to memory of 2676	2616	692a24fa9e70407c4d311a134752a34b.exe	70
PID 2616 wrote to memory of 2884	2616	692a24fa9e70407c4d311a134752a34b.exe	72
PID 2616 wrote to memory of 2884	2616	692a24fa9e70407c4d311a134752a34b.exe	72
PID 2616 wrote to memory of 2884	2616	692a24fa9e70407c4d311a134752a34b.exe	72
PID 2616 wrote to memory of 2528	2616	692a24fa9e70407c4d311a134752a34b.exe	73
PID 2616 wrote to memory of 2528	2616	692a24fa9e70407c4d311a134752a34b.exe	73
PID 2616 wrote to memory of 2528	2616	692a24fa9e70407c4d311a134752a34b.exe	73
PID 2616 wrote to memory of 2684	2616	692a24fa9e70407c4d311a134752a34b.exe	75
PID 2616 wrote to memory of 2684	2616	692a24fa9e70407c4d311a134752a34b.exe	75
PID 2616 wrote to memory of 2684	2616	692a24fa9e70407c4d311a134752a34b.exe	75
PID 2616 wrote to memory of 2544	2616	692a24fa9e70407c4d311a134752a34b.exe	82
PID 2616 wrote to memory of 2544	2616	692a24fa9e70407c4d311a134752a34b.exe	82
PID 2616 wrote to memory of 2544	2616	692a24fa9e70407c4d311a134752a34b.exe	82
PID 2544 wrote to memory of 1016	2544	audiodg.exe	83
PID 2544 wrote to memory of 1016	2544	audiodg.exe	83
PID 2544 wrote to memory of 1016	2544	audiodg.exe	83
PID 2544 wrote to memory of 1692	2544	audiodg.exe	84
PID 2544 wrote to memory of 1692	2544	audiodg.exe	84
PID 2544 wrote to memory of 1692	2544	audiodg.exe	84

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	692a24fa9e70407c4d311a134752a34b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\692a24fa9e70407c4d311a134752a34b.exe
"C:\Users\Admin\AppData\Local\Temp\692a24fa9e70407c4d311a134752a34b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Users\Default User\audiodg.exe
  "C:\Users\Default User\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2df6d50-9b74-43c1-ad98-ab6493960421.vbs"
    3⤵
    PID:1016
  - - C:\Users\Default User\audiodg.exe
      "C:\Users\Default User\audiodg.exe"
      4⤵
      PID:592
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\632327cc-3174-457d-918a-185f1f5a9ebb.vbs"
        5⤵
        
        PID:2548
      - C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        6⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5176ecd3-bb05-4a61-baaf-229db533c653.vbs"
        7⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbff5b15-4a9f-485c-ab64-d433462eba4b.vbs"
        7⤵
        
        PID:2436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a91f3b01-cfe5-45e2-b51b-c8a8ea9aeadd.vbs"
        5⤵
        
        PID:2736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dae77e6-d31d-40ec-966f-818e40ab3432.vbs"
    3⤵
    PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\RCXE9A.tmp

Filesize
5.9MB

MD5
99bda29d077331ce44499b30cd9366df

SHA1
9da748afdfdcbba7961c75e32c8f779d08708520

SHA256
e76a9ba6f579ad80c5c7c9d5231751420b1a6181d056f1048e5fc2e930f8c3b8

SHA512
cfad98d3ac5506db2b6790621673c3e05c73958a3783c7a53cc608e41cadb1328ffeb6604d02957a7b27b5d7256f9c25aef00a044593f37e7d9a8edf81435d54

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe

Filesize
5.9MB

MD5
692a24fa9e70407c4d311a134752a34b

SHA1
26e196e795d61f2054ff612c744807c39d83f5c4

SHA256
82fada6265676b0e76d9902aed25cda0431e992ba79d21cceb3dd1e2c6471227

SHA512
a6e6a2c1c8c3839542cf3e9f0012070809d7e30abbbc1c9f7b0c85f5bf1ce2974148784f2845fe724a36d5cf408e799b9265aa9fef4c65ea7342585e442c973e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5176ecd3-bb05-4a61-baaf-229db533c653.vbs

Filesize
709B

MD5
932d2a254e3c5326230a4942adb869c6

SHA1
06bd8d48100d731671e01175700b172285efc63c

SHA256
5d222a7825a5b3a33cc11e78011a3a257bd479b52912f226e44258abb1cf80a4

SHA512
50b756b6adbb128000e0759468e991115c6581a82964eade278e75c46d8ddb7723e21174b7d1108a7ae8be02d4f8d71013403c0cbb0fdadeb814adb1d37d9dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\632327cc-3174-457d-918a-185f1f5a9ebb.vbs

Filesize
708B

MD5
28f5627f1b67d2321a6624382e311afb

SHA1
d27d289ee1835b6a3415a72f3e54b1fc99bc293a

SHA256
3148b26478da2ad2c10e3cd83c8d4dfbb895a45f0f2a3fcc9bc4ddf59fb86842

SHA512
d7397bd824932b83c9b156d35fc5bda9a749ca1b88ac1660b6c52979f78e24b4ee5b787b507939b8d915bccac76de01d5cf4a16913137912b2819439b5a7b6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dae77e6-d31d-40ec-966f-818e40ab3432.vbs

Filesize
485B

MD5
1b0df7c97f5ba2d06df8f065e3517343

SHA1
935642b614538f21955321595d08571e011285a1

SHA256
2f81855edecf58e17e380ab46c619c20564fa0f18b06dc89f6560e4c176dcf14

SHA512
d66755f80c9ed297b25bec14879779674f5d90a6e07c9f0af8d26925d3ae0b295dcc8226db608075a1114d4b1cb08b27fc5d98064156c093707e47bbad66999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2df6d50-9b74-43c1-ad98-ab6493960421.vbs

Filesize
709B

MD5
8fac98eacc493c3cbb2fddb4d23e2555

SHA1
036579123ab1e3402e52fbde707d3b1c375bdf00

SHA256
c48d321ef93bb16667c41ab48f9887e9535ecb4de71d338320071f339606f3f6

SHA512
8ffb9e7ecb8f19c2259c18e308ff4721cedddafce68f3be724fc99a7c5a83f0fc4dee226e03ed5651769572cbdc1f90834cd21d1f120d90af69b7f99d882cb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa045c084686510f74980455c4d9e2e32b5acc15.exe

Filesize
3.4MB

MD5
895efd215bb67c475ee946146ade4620

SHA1
08034c2b27ac96e54777144b43e41316c66f7a60

SHA256
37a3f612745ced1668ec61bcf3732f2a663245210b8d11ba84557059dccd439d

SHA512
390f4ef8af730e93ab1374e9fc554a3a209a747a7c6b1910f67f518cd5602d04ed7ec730570c975d311911670d176a8b66cd0a2810a2470e5eca176c984c9311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\csrss.exe

Filesize
5.9MB

MD5
2895208341ec18da6df128d82486fc84

SHA1
514fdee33959f09e431b75703a53321acbaae34f

SHA256
e15f9235eae75c42ea61e24235ad575ffeebc7f31b353013b03772526677ea4d

SHA512
fa23ca2f0f7638d6e49388a6e76987e2408cbda84cd463bbd023c3f34d10e1d0b712efe6835ac23767219f2f7c97ad08f4c9bf91f0735c33b6c3386256eb9c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZO7LRJS5MB54YJAF2M5M.temp

Filesize
7KB

MD5
8fe59750534528a798b950e4db3dad82

SHA1
d0de99629030e35bff5ade1554a8345e249c23bd

SHA256
96dd5e1500418e98c7bdb244a88c6623d07e8e55b86ae1bf080ca0293e6ecb11

SHA512
8ae7981fd2e052e1a9fbc08926304d83413646d0a9df77d7066e05c934ea6cbc0b2754eb04af46ed203ccc1330f3c7280195bb7c2e1aba3b06202d93630478fb

Download Submit
C:\Users\Default\audiodg.exe

Filesize
3.9MB

MD5
2af793dc2144961ab7acad513e2fea6b

SHA1
59d922e30bf8508ddb1ce1dc4435604b9bb1cef2

SHA256
43c6fd0050c3737c6cf85316b5acca4e85d63d7631262d52b152c8ebd8c97d5b

SHA512
e7899f2569e1a0b64da31ff7097216a87831770d6711b328c962543993dc27fd133a431b2959cc52d03dd9a284636b13cfd62a40e0f229a1e94e4d09d60c3b48

Download Submit
C:\Users\Default\audiodg.exe

Filesize
5.9MB

MD5
562e2e4603f171f3a4e39bb5a4de8cb2

SHA1
25184c004fd3799929850f54f3f02378ea4d3c5b

SHA256
23bad827bc90c9f4ec9f2f89f48c13b93486b00572f9ce57eb706226fea4a134

SHA512
2965ed9d003dc93daecf2b26a6d7485b1f74521c3ab9a151806700ce5209f4928d4132073272238375d170415e2f26e2c541bc079ed1b320344e7317450353e4

Download Submit
memory/592-243-0x00000000001F0000-0x0000000000AE8000-memory.dmp

Filesize
9.0MB

Download
memory/1288-193-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2544-230-0x00000000010D0000-0x00000000019C8000-memory.dmp

Filesize
9.0MB

Download
memory/2544-232-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2616-23-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2616-12-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2616-35-0x0000000002B40000-0x0000000002B48000-memory.dmp

Filesize
32KB

Download
memory/2616-39-0x0000000002C00000-0x0000000002C0C000-memory.dmp

Filesize
48KB

Download
memory/2616-38-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

Filesize
40KB

Download
memory/2616-37-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/2616-36-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/2616-34-0x0000000002B30000-0x0000000002B3E000-memory.dmp

Filesize
56KB

Download
memory/2616-33-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/2616-31-0x0000000002B00000-0x0000000002B0A000-memory.dmp

Filesize
40KB

Download
memory/2616-30-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download
memory/2616-29-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/2616-27-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/2616-28-0x0000000002900000-0x000000000290C000-memory.dmp

Filesize
48KB

Download
memory/2616-26-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2616-25-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/2616-24-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2616-21-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2616-17-0x0000000000A20000-0x0000000000A76000-memory.dmp

Filesize
344KB

Download
memory/2616-15-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2616-14-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2616-32-0x0000000002B10000-0x0000000002B1E000-memory.dmp

Filesize
56KB

Download
memory/2616-7-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2616-6-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2616-4-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2616-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2616-20-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2616-18-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2616-1-0x0000000000AD0000-0x00000000013C8000-memory.dmp

Filesize
9.0MB

Download
memory/2616-16-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2616-229-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-13-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2616-11-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2616-8-0x0000000000190000-0x0000000000198000-memory.dmp

Filesize
32KB

Download
memory/2616-10-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2616-9-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2616-5-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/2616-2-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2616-3-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-258-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/2776-259-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

Filesize
72KB

Download
memory/2776-256-0x0000000000C50000-0x0000000001548000-memory.dmp

Filesize
9.0MB

Download
memory/2788-183-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download