dcrat | 5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932a9096cd16630970f2bdc5e6cb9aeb.exe
Size

5.9MB
MD5

932a9096cd16630970f2bdc5e6cb9aeb
SHA1

52d4a032ac5cbdbb8bed5b401283c1b49201ca92
SHA256

79edf19412f95a9de108ec3ccdbaa450eab559c421768ff53a184da9563fc190
SHA512

5fd9f0de72eb989d27c3a46a6ff1e79a61576bf24089437d73e0c2eead05f3a14a326966d9176a993f2b7289bbfe70206ea001742517e24e23e108577694aaeb
SSDEEP

98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4y:xyeU11Rvqmu8TWKnF6N/1wX

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
1368	powershell.exe
700	powershell.exe
3540	powershell.exe
5820	powershell.exe
756	powershell.exe
2936	powershell.exe
2156	powershell.exe
5720	powershell.exe
6128	powershell.exe
1932	powershell.exe
4108	powershell.exe
3984	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	932a9096cd16630970f2bdc5e6cb9aeb.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	932a9096cd16630970f2bdc5e6cb9aeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 3 IoCs

pid	Process
2724	lsass.exe
2296	lsass.exe
2140	lsass.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
2724	lsass.exe
2724	lsass.exe
2296	lsass.exe
2296	lsass.exe
2140	lsass.exe
2140	lsass.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4436_110538529\RCX5556.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Program Files\edge_BITS_4436_110538529\RCX5566.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Program Files\edge_BITS_4436_110538529\dllhost.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Program Files\edge_BITS_4436_1280475842\RCX5C41.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Program Files\edge_BITS_4436_1280475842\RCX5C52.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Program Files\edge_BITS_4436_1280475842\RuntimeBroker.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Program Files\edge_BITS_4436_110538529\dllhost.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Program Files\edge_BITS_4436_110538529\5940a34987c991	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Program Files\edge_BITS_4436_1280475842\RuntimeBroker.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Program Files\edge_BITS_4436_1280475842\9e8d7a4ca61bd9	932a9096cd16630970f2bdc5e6cb9aeb.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\en-US\6203df4a6bafc7	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\debug\RCX59AF.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\debug\RCX59C0.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\debug\System.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Windows\debug\System.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Windows\debug\27d1bcfc3c54e0	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\en-US\RCX577A.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\en-US\RCX578B.tmp	932a9096cd16630970f2bdc5e6cb9aeb.exe
File opened for modification	C:\Windows\en-US\lsass.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe
File created	C:\Windows\en-US\lsass.exe	932a9096cd16630970f2bdc5e6cb9aeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	932a9096cd16630970f2bdc5e6cb9aeb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4464	schtasks.exe
3184	schtasks.exe
620	schtasks.exe
960	schtasks.exe
3476	schtasks.exe
552	schtasks.exe
2352	schtasks.exe
2508	schtasks.exe
5364	schtasks.exe
4660	schtasks.exe
6032	schtasks.exe
1628	schtasks.exe
5556	schtasks.exe
1972	schtasks.exe
3000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
2156	powershell.exe
2156	powershell.exe
2936	powershell.exe
2936	powershell.exe
3540	powershell.exe
3540	powershell.exe
1932	powershell.exe
1932	powershell.exe
1368	powershell.exe
1368	powershell.exe
5720	powershell.exe
700	powershell.exe
5720	powershell.exe
700	powershell.exe
6128	powershell.exe
6128	powershell.exe
5820	powershell.exe
5820	powershell.exe
4108	powershell.exe
4108	powershell.exe
3984	powershell.exe
3984	powershell.exe
1688	powershell.exe
1688	powershell.exe
756	powershell.exe
756	powershell.exe
700	powershell.exe
5720	powershell.exe
1688	powershell.exe
2156	powershell.exe
1932	powershell.exe
3984	powershell.exe
4108	powershell.exe
3540	powershell.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2724	lsass.exe
Token: SeDebugPrivilege	2296	lsass.exe
Token: SeDebugPrivilege	2140	lsass.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2156	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	110
PID 3044 wrote to memory of 2156	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	110
PID 3044 wrote to memory of 3984	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	111
PID 3044 wrote to memory of 3984	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	111
PID 3044 wrote to memory of 2936	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	112
PID 3044 wrote to memory of 2936	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	112
PID 3044 wrote to memory of 4108	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	113
PID 3044 wrote to memory of 4108	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	113
PID 3044 wrote to memory of 756	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	115
PID 3044 wrote to memory of 756	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	115
PID 3044 wrote to memory of 5820	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	116
PID 3044 wrote to memory of 5820	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	116
PID 3044 wrote to memory of 1932	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	117
PID 3044 wrote to memory of 1932	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	117
PID 3044 wrote to memory of 3540	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	118
PID 3044 wrote to memory of 3540	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	118
PID 3044 wrote to memory of 6128	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	119
PID 3044 wrote to memory of 6128	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	119
PID 3044 wrote to memory of 700	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	122
PID 3044 wrote to memory of 700	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	122
PID 3044 wrote to memory of 1368	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	123
PID 3044 wrote to memory of 1368	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	123
PID 3044 wrote to memory of 5720	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	125
PID 3044 wrote to memory of 5720	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	125
PID 3044 wrote to memory of 1688	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	127
PID 3044 wrote to memory of 1688	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	127
PID 3044 wrote to memory of 2224	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	136
PID 3044 wrote to memory of 2224	3044	932a9096cd16630970f2bdc5e6cb9aeb.exe	136
PID 2224 wrote to memory of 5312	2224	cmd.exe	139
PID 2224 wrote to memory of 5312	2224	cmd.exe	139
PID 2224 wrote to memory of 2724	2224	cmd.exe	141
PID 2224 wrote to memory of 2724	2224	cmd.exe	141
PID 2724 wrote to memory of 2744	2724	lsass.exe	143
PID 2724 wrote to memory of 2744	2724	lsass.exe	143
PID 2724 wrote to memory of 6000	2724	lsass.exe	144
PID 2724 wrote to memory of 6000	2724	lsass.exe	144
PID 2744 wrote to memory of 2296	2744	WScript.exe	157
PID 2744 wrote to memory of 2296	2744	WScript.exe	157
PID 2296 wrote to memory of 1088	2296	lsass.exe	158
PID 2296 wrote to memory of 1088	2296	lsass.exe	158
PID 2296 wrote to memory of 2816	2296	lsass.exe	159
PID 2296 wrote to memory of 2816	2296	lsass.exe	159
PID 1088 wrote to memory of 2140	1088	WScript.exe	161
PID 1088 wrote to memory of 2140	1088	WScript.exe	161
PID 2140 wrote to memory of 3900	2140	lsass.exe	162
PID 2140 wrote to memory of 3900	2140	lsass.exe	162
PID 2140 wrote to memory of 4440	2140	lsass.exe	163
PID 2140 wrote to memory of 4440	2140	lsass.exe	163

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	932a9096cd16630970f2bdc5e6cb9aeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932a9096cd16630970f2bdc5e6cb9aeb.exe
"C:\Users\Admin\AppData\Local\Temp\932a9096cd16630970f2bdc5e6cb9aeb.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YRXbn8bWta.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5312
- - C:\Windows\en-US\lsass.exe
    "C:\Windows\en-US\lsass.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2724
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74e712ce-1885-4827-8356-f6bf76fcb4ff.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\en-US\lsass.exe
        
        C:\Windows\en-US\lsass.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0282a4-33ab-4692-9984-dcf70fc2a9e3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\en-US\lsass.exe
        
        C:\Windows\en-US\lsass.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d030a82-b56b-4489-bee7-30dfb3ec4069.vbs"
        8⤵
        
        PID:3900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eac5e8f4-597d-479f-9abc-2d15addeb229.vbs"
        8⤵
        
        PID:4440
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901f5dc5-cc6c-431a-97d6-1aa961d946b1.vbs"
        6⤵
        
        PID:2816
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f176d3-56a2-4ff8-b288-f7c97dfde6be.vbs"
      4⤵
      PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4436_110538529\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4436_110538529\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4436_110538529\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\debug\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4436_1280475842\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4436_1280475842\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4436_1280475842\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe

Filesize
5.9MB

MD5
2bf639cea8ed5db6d557d05c1bcc8615

SHA1
7da5b1c4e5107639408c3395738bcb75c43e95ab

SHA256
5af8eaa667391d31a4271d06e5451c0fddf054ec4202673db5a5f7b3148e3cf0

SHA512
86ef016e28ad4c00de25b839ad83697bd8856a04a6a021ba86579f55a6442320db391fc00c8e5ca835d756c919644b8837f1f5c7fe7115d1193f95ab72ab5853

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe

Filesize
5.9MB

MD5
932a9096cd16630970f2bdc5e6cb9aeb

SHA1
52d4a032ac5cbdbb8bed5b401283c1b49201ca92

SHA256
79edf19412f95a9de108ec3ccdbaa450eab559c421768ff53a184da9563fc190

SHA512
5fd9f0de72eb989d27c3a46a6ff1e79a61576bf24089437d73e0c2eead05f3a14a326966d9176a993f2b7289bbfe70206ea001742517e24e23e108577694aaeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1641de9a10da75d35edf03caa25212c1

SHA1
af73f64f8ce476c8e4eb56bb40426552d34c1ca8

SHA256
5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2

SHA512
7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56addce8ad0788fa7ed121c8239f965f

SHA1
ac9482a712ad866d8d8ba241489613344883ba32

SHA256
cf8f4a84a53607b45f9dfed75c34776b03777d64ac3c44112ccc5638957557d8

SHA512
ecb98df46c6ccec6e9f401f1c8456b26cf38afe82e2bea885c8dc10619fcbaba9e89432f055b1bdbcce40254b06b1e20e330ea4ac724e4f0c673a5697c548521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c87ff349c47ae6e678ea72feb4bb181

SHA1
0668dc890d29354fbb86cfaeae5363d9f2c1fdc8

SHA256
68decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc

SHA512
32a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
414d3c7be38a289ed476cbb4ac51ae02

SHA1
da5113d85edeefb5a20093e40bb548356316f3d4

SHA256
d8ce1dc945725e1a003fcad77de1db795d498003228c088506d286c613cd2e31

SHA512
a6db753e6e9515ad845b8073e725b2d0182697c6dd77475291aefd19e7331d78039c00b9d41ee8cccfabe9a2e0e2ab25753ebf9a865c4a3c18d77ee27cbbae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3357c199be211a745818714039e25935

SHA1
7d50d07ff2e234f3d10a88363796cbd615b1e9a3

SHA256
668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38

SHA512
052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077

Download Submit
C:\Users\Admin\AppData\Local\Temp\05f176d3-56a2-4ff8-b288-f7c97dfde6be.vbs

Filesize
478B

MD5
8af64231fd208ef57f10946820571e35

SHA1
c85ef7a8fdc999c92b426b29b2e9dcd09225a6ae

SHA256
c5caf3299aa38b855b732a5289c98caf9a3bb3502fc7bb2c2bad7e5558f4f342

SHA512
7976807ddcf72c93e131ef16fd6c8f8c2d4ab3ecd411a1fcf7f8484d9b2c071247d4768151a27529ac22da2eb53f5c6d0670eca47a54323447e999545fb9cd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d030a82-b56b-4489-bee7-30dfb3ec4069.vbs

Filesize
702B

MD5
00449deb5e9a7fb3f581189aec552811

SHA1
bf677832b86bc9816d0590b1297c9d2b7263905d

SHA256
42c60cf33fc72787dbe3d3361e52d5a2ac1d37fad23339ddfc79f3a5b8838eff

SHA512
1ae487c02842ec0358d9aeffa1ed9f62a6067d478b4cbef08992e8f07a217e777f7be52cbc29938539bda696b223c20ca1f8fd3a2b5e3f957d7fa8c0e859422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\74e712ce-1885-4827-8356-f6bf76fcb4ff.vbs

Filesize
702B

MD5
95a4063cb5c5c77a1d1801d48a38e78d

SHA1
e9beca772d897150a9e55a61ec31b191875fb0e6

SHA256
5b79aef139fc7e0075a5d4a9494cdbdab7b6dc511ebb1983e263ecb203989875

SHA512
f44e671535c993eba0e6b3cab9c1aa2aee2707c213faf591cd157644357cb758d90d328a62517f439bac75534ef88e02badbeae46cfba73fe53aee737a0408c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d0282a4-33ab-4692-9984-dcf70fc2a9e3.vbs

Filesize
702B

MD5
c8ca64bc1716a512c89c2a5c0bd29f7d

SHA1
045ba10612e75096cec9db35e756bee85225c400

SHA256
9698e1720407c2ab0becc4bfe5b6c3f6dc06cdc9e5ab53cd7eb435c4ff36d275

SHA512
d68f69ca9983578b216ca9909e09d7b4d910ca5ddc2043cc22663725856db1212432cc250b72430a6465fcfade801893e11e2fa87771f99b9faca1dedc04ac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRXbn8bWta.bat

Filesize
191B

MD5
52dadec169a858d00830920e46ebec69

SHA1
1de7c7cdedfa4d3673156dbfd9e1689d233bb0a4

SHA256
2bcbf0b433367ea44a8a66aa269882dfee9b1666223948e43773af51e64f8215

SHA512
0997bdc448f97e9b0e59bc6aa04825ebe706688213fdb9a22518ff4b393476cc2b33b32c07588d2ead913580215a7259543da352b0fd732a75f3592f61c9bbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdyxysvk.40x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2724-272-0x000000001E500000-0x000000001E512000-memory.dmp

Filesize
72KB

Download
memory/3044-22-0x000000001D750000-0x000000001D758000-memory.dmp

Filesize
32KB

Download
memory/3044-10-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/3044-37-0x000000001D830000-0x000000001D838000-memory.dmp

Filesize
32KB

Download
memory/3044-41-0x000000001DA80000-0x000000001DA8C000-memory.dmp

Filesize
48KB

Download
memory/3044-40-0x000000001DB80000-0x000000001DB8A000-memory.dmp

Filesize
40KB

Download
memory/3044-39-0x000000001DA70000-0x000000001DA78000-memory.dmp

Filesize
32KB

Download
memory/3044-38-0x000000001D840000-0x000000001D84C000-memory.dmp

Filesize
48KB

Download
memory/3044-26-0x000000001D790000-0x000000001D79C000-memory.dmp

Filesize
48KB

Download
memory/3044-36-0x000000001D820000-0x000000001D82E000-memory.dmp

Filesize
56KB

Download
memory/3044-35-0x000000001D810000-0x000000001D818000-memory.dmp

Filesize
32KB

Download
memory/3044-34-0x000000001D800000-0x000000001D80E000-memory.dmp

Filesize
56KB

Download
memory/3044-33-0x000000001D7F0000-0x000000001D7FA000-memory.dmp

Filesize
40KB

Download
memory/3044-32-0x000000001D7E0000-0x000000001D7EC000-memory.dmp

Filesize
48KB

Download
memory/3044-30-0x000000001D7D0000-0x000000001D7DC000-memory.dmp

Filesize
48KB

Download
memory/3044-29-0x000000001D7C0000-0x000000001D7CC000-memory.dmp

Filesize
48KB

Download
memory/3044-28-0x000000001D7B0000-0x000000001D7B8000-memory.dmp

Filesize
32KB

Download
memory/3044-27-0x000000001D7A0000-0x000000001D7AC000-memory.dmp

Filesize
48KB

Download
memory/3044-25-0x000000001DD90000-0x000000001E2B8000-memory.dmp

Filesize
5.2MB

Download
memory/3044-14-0x000000001D550000-0x000000001D55C000-memory.dmp

Filesize
48KB

Download
memory/3044-12-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/3044-11-0x000000001BD00000-0x000000001BD16000-memory.dmp

Filesize
88KB

Download
memory/3044-31-0x000000001DA60000-0x000000001DA68000-memory.dmp

Filesize
32KB

Download
memory/3044-9-0x00000000031F0000-0x00000000031F8000-memory.dmp

Filesize
32KB

Download
memory/3044-6-0x00000000018C0000-0x00000000018C8000-memory.dmp

Filesize
32KB

Download
memory/3044-20-0x000000001D740000-0x000000001D748000-memory.dmp

Filesize
32KB

Download
memory/3044-121-0x00007FFFBFE30000-0x00007FFFC08F1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-1-0x00000000007E0000-0x00000000010D8000-memory.dmp

Filesize
9.0MB

Download
memory/3044-21-0x000000001D850000-0x000000001D85C000-memory.dmp

Filesize
48KB

Download
memory/3044-0-0x00007FFFBFE33000-0x00007FFFBFE35000-memory.dmp

Filesize
8KB

Download
memory/3044-24-0x000000001D760000-0x000000001D772000-memory.dmp

Filesize
72KB

Download
memory/3044-19-0x000000001D590000-0x000000001D59C000-memory.dmp

Filesize
48KB

Download
memory/3044-18-0x000000001D6F0000-0x000000001D746000-memory.dmp

Filesize
344KB

Download
memory/3044-17-0x000000001D580000-0x000000001D58A000-memory.dmp

Filesize
40KB

Download
memory/3044-15-0x000000001D560000-0x000000001D568000-memory.dmp

Filesize
32KB

Download
memory/3044-16-0x000000001D570000-0x000000001D580000-memory.dmp

Filesize
64KB

Download
memory/3044-13-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/3044-7-0x00000000031D0000-0x00000000031EC000-memory.dmp

Filesize
112KB

Download
memory/3044-8-0x000000001D5A0000-0x000000001D5F0000-memory.dmp

Filesize
320KB

Download
memory/3044-5-0x00000000018B0000-0x00000000018BE000-memory.dmp

Filesize
56KB

Download
memory/3044-4-0x00000000018A0000-0x00000000018AE000-memory.dmp

Filesize
56KB

Download
memory/3044-3-0x00007FFFBFE30000-0x00007FFFC08F1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-2-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/4108-124-0x0000016944760000-0x0000016944782000-memory.dmp

Filesize
136KB

Download