dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
60s
max time network
52s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c8fa2e136e29f51a3670f440b9f0a0.exe
Size

2.5MB
MD5

86c8fa2e136e29f51a3670f440b9f0a0
SHA1

103d45983c01fc861cb7390afe5db10ff2892fc0
SHA256

da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb
SHA512

7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2292	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2292	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1852	powershell.exe
2800	powershell.exe
492	powershell.exe
1908	powershell.exe
2928	powershell.exe
2720	powershell.exe
1484	powershell.exe
2888	powershell.exe
1932	powershell.exe
2768	powershell.exe
2936	powershell.exe
2804	powershell.exe
896	powershell.exe
2124	powershell.exe
1552	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
792	explorer.exe
1324	explorer.exe
1728	explorer.exe
1924	explorer.exe
2796	explorer.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\WUDFPlatform\\dwm.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\winlogon.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\TSWbPrxy\\dllhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\localspl\\taskhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\qdvd\\dllhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Mail\\en-US\\taskhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\perfi010\\lsass.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\ieetwcollectorres\\winlogon.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\vsstrace\\taskhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_16\\explorer.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\PerfLogs\\Admin\\audiodg.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\System32\perfi010\6203df4a6bafc7	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\ieetwcollectorres\RCXA955.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\localspl\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\qdvd\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\perfi010\RCXA750.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\qdvd\5940a34987c991	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\vsstrace\RCXAB5A.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\WUDFPlatform\6cb0b6c459d5d3	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\TSWbPrxy\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\TSWbPrxy\5940a34987c991	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\WUDFPlatform\dwm.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\ieetwcollectorres\cc11b995f2a76d	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\qdvd\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\perfi010\RCXA74F.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\vsstrace\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\TSWbPrxy\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\perfi010\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\vsstrace\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\vsstrace\b75386f1303e64	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\qdvd\RCXA2D8.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\perfi010\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\WUDFPlatform\dwm.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\localspl\b75386f1303e64	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\ieetwcollectorres\winlogon.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\ieetwcollectorres\RCXA954.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\ieetwcollectorres\winlogon.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\localspl\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\qdvd\RCXA2D9.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\vsstrace\RCXAB59.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\b75386f1303e64	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXA54A.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXA54B.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\cc11b995f2a76d	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Windows Mail\en-US\taskhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\twunk_16\explorer.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\twunk_16\explorer.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\twunk_16\7a0fd90576e088	86c8fa2e136e29f51a3670f440b9f0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1656	schtasks.exe
1728	schtasks.exe
1296	schtasks.exe
2840	schtasks.exe
2344	schtasks.exe
2756	schtasks.exe
1748	schtasks.exe
2744	schtasks.exe
884	schtasks.exe
1704	schtasks.exe
2792	schtasks.exe
2164	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
1552	powershell.exe
896	powershell.exe
1484	powershell.exe
2888	powershell.exe
1908	powershell.exe
1852	powershell.exe
492	powershell.exe
2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
288	86c8fa2e136e29f51a3670f440b9f0a0.exe
2804	powershell.exe
2720	powershell.exe
2800	powershell.exe
1932	powershell.exe
2124	powershell.exe
2936	powershell.exe
2768	powershell.exe
2928	powershell.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	288	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	792	explorer.exe
Token: SeDebugPrivilege	1324	explorer.exe
Token: SeDebugPrivilege	1924	explorer.exe
Token: SeDebugPrivilege	2796	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2888	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 2204 wrote to memory of 2888	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 2204 wrote to memory of 2888	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	37
PID 2204 wrote to memory of 896	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 2204 wrote to memory of 896	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 2204 wrote to memory of 896	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	38
PID 2204 wrote to memory of 1852	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	39
PID 2204 wrote to memory of 1852	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	39
PID 2204 wrote to memory of 1852	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	39
PID 2204 wrote to memory of 1484	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 2204 wrote to memory of 1484	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 2204 wrote to memory of 1484	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	40
PID 2204 wrote to memory of 1552	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2204 wrote to memory of 1552	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2204 wrote to memory of 1552	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2204 wrote to memory of 1908	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2204 wrote to memory of 1908	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2204 wrote to memory of 1908	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2204 wrote to memory of 492	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2204 wrote to memory of 492	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2204 wrote to memory of 492	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2204 wrote to memory of 288	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	51
PID 2204 wrote to memory of 288	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	51
PID 2204 wrote to memory of 288	2204	86c8fa2e136e29f51a3670f440b9f0a0.exe	51
PID 288 wrote to memory of 2804	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	59
PID 288 wrote to memory of 2804	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	59
PID 288 wrote to memory of 2804	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	59
PID 288 wrote to memory of 2720	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	60
PID 288 wrote to memory of 2720	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	60
PID 288 wrote to memory of 2720	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	60
PID 288 wrote to memory of 2124	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 288 wrote to memory of 2124	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 288 wrote to memory of 2124	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 288 wrote to memory of 2936	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	64
PID 288 wrote to memory of 2936	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	64
PID 288 wrote to memory of 2936	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	64
PID 288 wrote to memory of 2928	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	65
PID 288 wrote to memory of 2928	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	65
PID 288 wrote to memory of 2928	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	65
PID 288 wrote to memory of 2768	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 288 wrote to memory of 2768	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 288 wrote to memory of 2768	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 288 wrote to memory of 2800	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 288 wrote to memory of 2800	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 288 wrote to memory of 2800	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 288 wrote to memory of 1932	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	68
PID 288 wrote to memory of 1932	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	68
PID 288 wrote to memory of 1932	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	68
PID 288 wrote to memory of 792	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	75
PID 288 wrote to memory of 792	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	75
PID 288 wrote to memory of 792	288	86c8fa2e136e29f51a3670f440b9f0a0.exe	75
PID 792 wrote to memory of 1312	792	explorer.exe	76
PID 792 wrote to memory of 1312	792	explorer.exe	76
PID 792 wrote to memory of 1312	792	explorer.exe	76
PID 792 wrote to memory of 1948	792	explorer.exe	77
PID 792 wrote to memory of 1948	792	explorer.exe	77
PID 792 wrote to memory of 1948	792	explorer.exe	77
PID 1312 wrote to memory of 1324	1312	WScript.exe	79
PID 1312 wrote to memory of 1324	1312	WScript.exe	79
PID 1312 wrote to memory of 1324	1312	WScript.exe	79
PID 1324 wrote to memory of 2876	1324	explorer.exe	80
PID 1324 wrote to memory of 2876	1324	explorer.exe	80
PID 1324 wrote to memory of 2876	1324	explorer.exe	80
PID 1324 wrote to memory of 1516	1324	explorer.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
"C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\qdvd\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\perfi010\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ieetwcollectorres\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vsstrace\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
  "C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twunk_16\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WUDFPlatform\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\audiodg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\TSWbPrxy\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\localspl\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\twunk_16\explorer.exe
    "C:\Windows\twunk_16\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41aa2c37-e735-4446-906e-7aaf231b1750.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\twunk_16\explorer.exe
        
        C:\Windows\twunk_16\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70320598-1208-4d88-809a-b2cb727f46dc.vbs"
        6⤵
        
        PID:2876
        
        C:\Windows\twunk_16\explorer.exe
        
        C:\Windows\twunk_16\explorer.exe
        7⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96b92c49-f7ad-4c2e-b4ea-d4843eda9747.vbs"
        8⤵
        
        PID:3012
        
        C:\Windows\twunk_16\explorer.exe
        
        C:\Windows\twunk_16\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee2e1e1b-ec8e-4ee2-8f5e-f9f5665d29aa.vbs"
        10⤵
        
        PID:2104
        
        C:\Windows\twunk_16\explorer.exe
        
        C:\Windows\twunk_16\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f66e537-4bc6-444b-bbba-f8ac673ecd08.vbs"
        12⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b851fe29-7c74-499a-b70a-97b27bb11f0c.vbs"
        12⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1bd6de1-c0a2-4e7d-af62-748b3a06bb5b.vbs"
        10⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e07c93c-489e-43b8-9666-507c0798f83d.vbs"
        8⤵
        
        PID:2716
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\673babef-2bb4-4182-a20d-c46b9c4f5932.vbs"
        6⤵
        
        PID:1516
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c7478c-8575-4887-991f-1877d4386657.vbs"
      4⤵
      PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\qdvd\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\perfi010\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ieetwcollectorres\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\vsstrace\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twunk_16\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WUDFPlatform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\PerfLogs\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\TSWbPrxy\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\localspl\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41aa2c37-e735-4446-906e-7aaf231b1750.vbs

Filesize
707B

MD5
cc7b870a5d2d8b18bfbba083aff67ae1

SHA1
315850953e58fa98ab12a25d1f89046ecc7ddf62

SHA256
4310a91e5e2cf1c1cad050ce9c4ed054ae73e2ab8edec5434780162f91e243de

SHA512
c3dd47f4d51ca77c52640fc28aec107d40ea5e29dd450b51889f50e2c91d082da00f17b059455cb79d85e215c782ee0ee03dcdee57bf54d73389817fad87b3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\470a027819ca774620a782f2f8324ec598a1f0c24.5.27CSGHOST1360480b1d5ea38ed41018cccd11b6bdf364c7af

Filesize
588B

MD5
3a1f61dfc662c26b3be99350348bd8c6

SHA1
ea634ecb24ea619eaaa5d34270d80cf342fda0a1

SHA256
9e165b94aea9fb3c20f29a2d750eb5f5500d23ff4dab8ddd9bab3c0ae33af3a6

SHA512
deab2f76e90c51b14699e5e406cc92db024d73dc019260fffafa0ee906890e4a7be7561111966b3798bfd8cc64f38bc98823f4bd0708655584755f8ccf239bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\70320598-1208-4d88-809a-b2cb727f46dc.vbs

Filesize
708B

MD5
b5d858008e2ad874278c9c08b5192a18

SHA1
13e1cbe66132fbf9accca147a2776124f03922ef

SHA256
91c7c8436760d06b9d7f02ad9502383bb280f8817ce8cf8659e79cafad02a87e

SHA512
2dbdd0ab652bd359cfe81d1eae2d76523fb8509572f0f71a5ac9075a07680451c4f564ce3198886f8992b9648b1d877163ed114b6bb9dcc426acf58952480026

Download Submit
C:\Users\Admin\AppData\Local\Temp\84c7478c-8575-4887-991f-1877d4386657.vbs

Filesize
484B

MD5
e89381a38f48353e3968338ce92fdaeb

SHA1
49ad16fd51fa816d080a0e26bf37a3b2532aa1ca

SHA256
57ee4e8ff8bdbfb6bbc70c046126fa19d594ce2ebaf84e49194605d85a2a445f

SHA512
c803078b22ae8a56dd8b7fce37e6a5b69d94c5b80c631874818cd293705f4d359e0a145d0cecaaecb5dc8f73855197d767f2c1d6a9f264b8299e818e4153cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f66e537-4bc6-444b-bbba-f8ac673ecd08.vbs

Filesize
708B

MD5
20ee87e7ea784592d51723b2ec63312b

SHA1
602a919ff5688286282d42435362f9fe79d59755

SHA256
56892c75d2d5a657b89710223fe382860f62025cfad408ca18cb84187b875570

SHA512
9b62352b55b42ccf842721c53fe8af2af21512e5e4689e76575ed4b840b2b92173d26960a68cafdb59514d2fb230b65332c4eed52e7cde0db7f9f12f9c1405ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee2e1e1b-ec8e-4ee2-8f5e-f9f5665d29aa.vbs

Filesize
708B

MD5
557d19012eab7ebf9a29d151e0af026f

SHA1
3885be8d2f72ea9c390cdd0765dfa67a8b3142ac

SHA256
aaacd7f833f062ddd8e0da1da2c9ad30a882cf155445ee64572670e7a9187fd4

SHA512
5800f005b67ea821174e0384c7028cdf13c9a220f3de70c7b3479284c949627c5cb659703d2a5fe9f09706cea1ca0807af82d0f4efea4bc5b4b6d0ad194e762d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58ddb6536d1d67f4aaca233395366dc0

SHA1
089a4dac8dfdf420522c36bc646902e2d17a4fd4

SHA256
e70ff33ecd31f4cdd9e565c27539ff1b5f987e88cef878483679c887598c2da8

SHA512
2894183e7fa0f9b5e36e3069bda2ad64f8d9f1a3711d47a9a00e0800bf4db4707b72076b4e0ac2ac4f213a4205846b405635777693c9eadf2ce16a6dffa38595

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5051827a36605d921477aba3b8c565da

SHA1
d4a482eca8186bc948fef0ac0aa6728a08797531

SHA256
b9443ec545d9d805794475f9bba681742b5b86ae7503793255093d65ee307bf3

SHA512
f56b19d042153cd67aa97d9cb829bb6006f7e4b56752c31860654d8ac7a0c73bf49df395bb07d91aed7931f0daaf0c5666171e7bee1b813d8c5c5042557ba59b

Download Submit
C:\Windows\System32\ieetwcollectorres\winlogon.exe

Filesize
2.5MB

MD5
86c8fa2e136e29f51a3670f440b9f0a0

SHA1
103d45983c01fc861cb7390afe5db10ff2892fc0

SHA256
da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

SHA512
7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

Download Submit
memory/288-141-0x00000000005D0000-0x0000000000626000-memory.dmp

Filesize
344KB

Download
memory/288-142-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/792-192-0x0000000000090000-0x0000000000316000-memory.dmp

Filesize
2.5MB

Download
memory/1324-234-0x0000000000390000-0x0000000000616000-memory.dmp

Filesize
2.5MB

Download
memory/1552-133-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/1552-123-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1924-248-0x00000000012B0000-0x0000000001536000-memory.dmp

Filesize
2.5MB

Download
memory/1924-249-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2204-12-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2204-5-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2204-140-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-11-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2204-13-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/2204-14-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2204-15-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2204-1-0x0000000000AE0000-0x0000000000D66000-memory.dmp

Filesize
2.5MB

Download
memory/2204-2-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-16-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2204-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2204-10-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/2204-6-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2204-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2204-9-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2204-7-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2204-4-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2204-3-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2796-261-0x00000000002A0000-0x0000000000526000-memory.dmp

Filesize
2.5MB

Download
memory/2796-262-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/2804-181-0x000000001B930000-0x000000001BC12000-memory.dmp

Filesize
2.9MB

Download
memory/2804-186-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download