dcrat | d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

Analysis

max time kernel
5s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084edc7b5451c4e18a20ca7982787742.exe
Size

1.4MB
MD5

084edc7b5451c4e18a20ca7982787742
SHA1

0c9899f2b4b46bfd903ce96b0c73899e6ba6952d
SHA256

d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce
SHA512

c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f
SSDEEP

24576:xJiN7JdiObNHEnToSiqX4uKlyz/hQQ6c0gJgkKrM7cCFm:xJUJoKEn9iSKlkW9ekCRF

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1556	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	084edc7b5451c4e18a20ca7982787742.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1316-54-0x0000000000080000-0x00000000001E2000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe

Drops file in Program Files directory 11 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\886983d96e3d3e	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Windows Journal\ja-JP\winlogon.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\0a1fd5f707cd16	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\winlogon.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Windows Journal\ja-JP\cc11b995f2a76d	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe	084edc7b5451c4e18a20ca7982787742.exe

Drops file in Windows directory 4 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\lsm.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\Prefetch\ReadyBoot\101b941d020240	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\L2Schemas\lsass.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	084edc7b5451c4e18a20ca7982787742.exe

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
872	schtasks.exe
1004	schtasks.exe
452	schtasks.exe
1220	schtasks.exe
868	schtasks.exe
1040	schtasks.exe
2056	schtasks.exe
2096	schtasks.exe
1784	schtasks.exe
1388	schtasks.exe
1764	schtasks.exe
672	schtasks.exe
1476	schtasks.exe
2076	schtasks.exe
1780	schtasks.exe
1372	schtasks.exe
1768	schtasks.exe
2040	schtasks.exe
976	schtasks.exe
1292	schtasks.exe
1680	schtasks.exe
432	schtasks.exe
1924	schtasks.exe
1760	schtasks.exe
2124	schtasks.exe
1424	schtasks.exe
1348	schtasks.exe
1992	schtasks.exe
584	schtasks.exe
1884	schtasks.exe
1280	schtasks.exe
668	schtasks.exe
1860	schtasks.exe
1056	schtasks.exe
1748	schtasks.exe
1872	schtasks.exe
632	schtasks.exe
1948	schtasks.exe
572	schtasks.exe
1700	schtasks.exe
1788	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

pid process

1316 084edc7b5451c4e18a20ca7982787742.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description pid process

Token: SeDebugPrivilege 1316 084edc7b5451c4e18a20ca7982787742.exe

pid	process
1316	084edc7b5451c4e18a20ca7982787742.exe

description	pid	process
Token: SeDebugPrivilege	1316	084edc7b5451c4e18a20ca7982787742.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	pid	process	target process
PID 1316 wrote to memory of 2152	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2152	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2152	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2164	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2164	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2164	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2176	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2176	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2176	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2204	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2204	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2204	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2220	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2220	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2220	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2252	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2252	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2252	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2268	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2268	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2268	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2288	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2288	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2288	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2328	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2328	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2328	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2344	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2344	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2344	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2384	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2384	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 1316 wrote to memory of 2384	1316	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	084edc7b5451c4e18a20ca7982787742.exe

C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe
"C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe'
2⤵
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'
2⤵
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\lsm.exe'
2⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'
2⤵
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\smss.exe'
2⤵
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\smss.exe'
2⤵
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\lsass.exe'
2⤵
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\wininit.exe'
2⤵
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\lsass.exe'
2⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'
2⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
2⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe'
2⤵
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
2⤵
PID:2544

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe"
2⤵
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\smss.exe'
2⤵
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'
2⤵
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\0f610c02-1a7a-11ed-aa03-bd3b28e7cbef\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea418d1633cd621039a34943fd632db2

SHA1
b5fff8147e1bca1647fc4b38ea9fa9a90e29f4e5

SHA256
ba333394e986c5e6aedaecb2e19920c9d6d38a449e581063b45c329e2cc094ff

SHA512
9fb7ea44bd6ba1ad3ced472010eb91ad53198bab44e557949513cd0da954518d49e1bc164f659fc0e3e1395ac190a1d0e7b05ee91586100c24b165a910646efe

Download Submit
memory/1316-58-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1316-54-0x0000000000080000-0x00000000001E2000-memory.dmp

Filesize
1.4MB

Download
memory/1316-61-0x0000000001F60000-0x0000000001F6C000-memory.dmp

Filesize
48KB

Download
memory/1316-60-0x0000000001F50000-0x0000000001F5E000-memory.dmp

Filesize
56KB

Download
memory/1316-59-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1316-57-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/1316-56-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/1316-55-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2152-62-0x0000000000000000-mapping.dmp

Download
memory/2152-164-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/2152-130-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/2152-88-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2152-166-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/2152-155-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/2152-135-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2164-153-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/2164-139-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2164-145-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2164-63-0x0000000000000000-mapping.dmp

Download
memory/2164-115-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2164-70-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/2164-78-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2164-152-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2164-121-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2176-131-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2176-157-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2176-105-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2176-64-0x0000000000000000-mapping.dmp

Download
memory/2176-151-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2176-156-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2176-126-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2204-174-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/2204-65-0x0000000000000000-mapping.dmp

Download
memory/2204-163-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/2204-132-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2204-173-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/2204-127-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/2204-161-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/2204-108-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2220-170-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/2220-129-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/2220-168-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/2220-107-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2220-133-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2220-159-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/2220-66-0x0000000000000000-mapping.dmp

Download
memory/2252-125-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2252-162-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2252-177-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2252-113-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2252-119-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2252-175-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/2252-67-0x0000000000000000-mapping.dmp

Download
memory/2268-124-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2268-143-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/2268-118-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2268-68-0x0000000000000000-mapping.dmp

Download
memory/2268-106-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2268-144-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2268-136-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/2288-150-0x000000001B960000-0x000000001BC5F000-memory.dmp

Filesize
3.0MB

Download
memory/2288-123-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2288-69-0x0000000000000000-mapping.dmp

Download
memory/2288-117-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2288-154-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/2288-141-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2288-109-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2328-171-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2328-71-0x0000000000000000-mapping.dmp

Download
memory/2328-178-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2328-181-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/2328-180-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2328-176-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2344-128-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2344-165-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2344-158-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2344-112-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2344-169-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/2344-172-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2344-134-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2344-72-0x0000000000000000-mapping.dmp

Download
memory/2384-142-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/2384-148-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2384-74-0x0000000000000000-mapping.dmp

Download
memory/2384-147-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2384-116-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2384-122-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2384-140-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2384-110-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2436-120-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2436-137-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2436-76-0x0000000000000000-mapping.dmp

Download
memory/2436-146-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2436-149-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2436-111-0x000007FEEB770000-0x000007FEEC193000-memory.dmp

Filesize
10.1MB

Download
memory/2436-114-0x000007FEEAC10000-0x000007FEEB76D000-memory.dmp

Filesize
11.4MB

Download
memory/2436-138-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2480-79-0x0000000000000000-mapping.dmp

Download
memory/2524-82-0x0000000000000000-mapping.dmp

Download
memory/2544-83-0x0000000000000000-mapping.dmp

Download
memory/2772-97-0x0000000000000000-mapping.dmp

Download