dcrat | ae40b1604e91a796697711123b511b4404635b7297c4edbf018d2891988ee8cc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-09-2022 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AE40B1604E91A796697711123B511B4404635B7297C4E.exe
Size

4.9MB
MD5

1ec352f87b2a0f057fad1a1d8fdb4fb0
SHA1

6fde03bf354eb22766eeda3063c5513257723ee6
SHA256

ae40b1604e91a796697711123b511b4404635b7297c4edbf018d2891988ee8cc
SHA512

047835a8ea448330815d796ae77459c667f328bef4f6e0ace9505f9b2cae0f2db9c13582401a53a676c252d8d1d8bfdc09a5fa3f8e2776b03bb55f4a8a080b0f
SSDEEP

98304:I+m3o+rxVmA8OM6KPigiaFfqw1crsT/e3Le7dqc:It42VmhOM6KPNiSqw1cwTu+l

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1180	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1500-55-0x000000001C080000-0x000000001C318000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

tmp7ACC.tmp.exewinlogon.exetmp203E.tmp.exe

pid process

1480 tmp7ACC.tmp.exe
2244 winlogon.exe
2352 tmp203E.tmp.exe

pid	process
1480	tmp7ACC.tmp.exe
2244	winlogon.exe
2352	tmp203E.tmp.exe

Loads dropped DLL 11 IoCs

Processes:

WerFault.execmd.exeWerFault.exe

pid	process
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
2188	cmd.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 12 IoCs

Processes:

AE40B1604E91A796697711123B511B4404635B7297C4E.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Idle.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\cc11b995f2a76d	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\6203df4a6bafc7	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6ccacd8608530f	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Windows Mail\ja-JP\WMIADAP.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Windows Mail\ja-JP\75a57c1bdf437c	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\lsass.exe	AE40B1604E91A796697711123B511B4404635B7297C4E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1340 1480 WerFault.exe tmp7ACC.tmp.exe
2368 2352 WerFault.exe tmp203E.tmp.exe

pid	pid_target	process	target process
1340	1480	WerFault.exe	tmp7ACC.tmp.exe
2368	2352	WerFault.exe	tmp203E.tmp.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1760	schtasks.exe
1044	schtasks.exe
1484	schtasks.exe
1616	schtasks.exe
524	schtasks.exe
316	schtasks.exe
844	schtasks.exe
272	schtasks.exe
940	schtasks.exe
1712	schtasks.exe
968	schtasks.exe
560	schtasks.exe
1888	schtasks.exe
2096	schtasks.exe
1888	schtasks.exe
1692	schtasks.exe
608	schtasks.exe
432	schtasks.exe
1164	schtasks.exe
1924	schtasks.exe
580	schtasks.exe
932	schtasks.exe
672	schtasks.exe
2044	schtasks.exe
688	schtasks.exe
1808	schtasks.exe
2076	schtasks.exe
1400	schtasks.exe
1972	schtasks.exe
1460	schtasks.exe
1496	schtasks.exe
1736	schtasks.exe
1948	schtasks.exe
1112	schtasks.exe
1144	schtasks.exe
1624	schtasks.exe
1252	schtasks.exe
1672	schtasks.exe
2160	schtasks.exe
1948	schtasks.exe
1704	schtasks.exe
1072	schtasks.exe
2120	schtasks.exe
2140	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AE40B1604E91A796697711123B511B4404635B7297C4E.exe

pid	process
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AE40B1604E91A796697711123B511B4404635B7297C4E.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 1500 AE40B1604E91A796697711123B511B4404635B7297C4E.exe
Token: SeDebugPrivilege 2244 winlogon.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winlogon.exe

pid process

2244 winlogon.exe

description	pid	process
Token: SeDebugPrivilege	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe
Token: SeDebugPrivilege	2244	winlogon.exe

pid	process
2244	winlogon.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

AE40B1604E91A796697711123B511B4404635B7297C4E.exetmp7ACC.tmp.execmd.exewinlogon.exetmp203E.tmp.exe

description	pid	process	target process
PID 1500 wrote to memory of 1480	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	tmp7ACC.tmp.exe
PID 1500 wrote to memory of 1480	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	tmp7ACC.tmp.exe
PID 1500 wrote to memory of 1480	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	tmp7ACC.tmp.exe
PID 1500 wrote to memory of 1480	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	tmp7ACC.tmp.exe
PID 1480 wrote to memory of 1340	1480	tmp7ACC.tmp.exe	WerFault.exe
PID 1480 wrote to memory of 1340	1480	tmp7ACC.tmp.exe	WerFault.exe
PID 1480 wrote to memory of 1340	1480	tmp7ACC.tmp.exe	WerFault.exe
PID 1480 wrote to memory of 1340	1480	tmp7ACC.tmp.exe	WerFault.exe
PID 1500 wrote to memory of 2188	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	cmd.exe
PID 1500 wrote to memory of 2188	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	cmd.exe
PID 1500 wrote to memory of 2188	1500	AE40B1604E91A796697711123B511B4404635B7297C4E.exe	cmd.exe
PID 2188 wrote to memory of 2220	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 2220	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 2220	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 2244	2188	cmd.exe	winlogon.exe
PID 2188 wrote to memory of 2244	2188	cmd.exe	winlogon.exe
PID 2188 wrote to memory of 2244	2188	cmd.exe	winlogon.exe
PID 2244 wrote to memory of 2352	2244	winlogon.exe	tmp203E.tmp.exe
PID 2244 wrote to memory of 2352	2244	winlogon.exe	tmp203E.tmp.exe
PID 2244 wrote to memory of 2352	2244	winlogon.exe	tmp203E.tmp.exe
PID 2244 wrote to memory of 2352	2244	winlogon.exe	tmp203E.tmp.exe
PID 2352 wrote to memory of 2368	2352	tmp203E.tmp.exe	WerFault.exe
PID 2352 wrote to memory of 2368	2352	tmp203E.tmp.exe	WerFault.exe
PID 2352 wrote to memory of 2368	2352	tmp203E.tmp.exe	WerFault.exe
PID 2352 wrote to memory of 2368	2352	tmp203E.tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\AE40B1604E91A796697711123B511B4404635B7297C4E.exe
"C:\Users\Admin\AppData\Local\Temp\AE40B1604E91A796697711123B511B4404635B7297C4E.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 44
3⤵
- Loads dropped DLL
- Program crash
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mXwt0TPAcq.bat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2220

C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 44
5⤵
- Loads dropped DLL
- Program crash
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7ACC.tmpt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\tmp7ACC.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7ACC.tmp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\tmp7ACC.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7ACC.tmpt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\tmp7ACC.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe
Filesize
4.9MB

MD5
1ec352f87b2a0f057fad1a1d8fdb4fb0

SHA1
6fde03bf354eb22766eeda3063c5513257723ee6

SHA256
ae40b1604e91a796697711123b511b4404635b7297c4edbf018d2891988ee8cc

SHA512
047835a8ea448330815d796ae77459c667f328bef4f6e0ace9505f9b2cae0f2db9c13582401a53a676c252d8d1d8bfdc09a5fa3f8e2776b03bb55f4a8a080b0f

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe
Filesize
4.9MB

MD5
1ec352f87b2a0f057fad1a1d8fdb4fb0

SHA1
6fde03bf354eb22766eeda3063c5513257723ee6

SHA256
ae40b1604e91a796697711123b511b4404635b7297c4edbf018d2891988ee8cc

SHA512
047835a8ea448330815d796ae77459c667f328bef4f6e0ace9505f9b2cae0f2db9c13582401a53a676c252d8d1d8bfdc09a5fa3f8e2776b03bb55f4a8a080b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mXwt0TPAcq.bat
Filesize
231B

MD5
767359e2c88451bfcd8817ab5d5b208b

SHA1
0fc22eff36c749465bb706fbf172239a15c2ff21

SHA256
7594514bf045fc2d93f34ef5f411f11d764608836e0d8a28204ea33fe47518cd

SHA512
534635a7eb8c2009b81121d2eb26ab52f89a825313cc837645a319abbb6df1a62cfdfa6b531ba747e66e7ce3ae641369fd994db89d33eb4a1c9c88654f975291

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe
Filesize
4.9MB

MD5
1ec352f87b2a0f057fad1a1d8fdb4fb0

SHA1
6fde03bf354eb22766eeda3063c5513257723ee6

SHA256
ae40b1604e91a796697711123b511b4404635b7297c4edbf018d2891988ee8cc

SHA512
047835a8ea448330815d796ae77459c667f328bef4f6e0ace9505f9b2cae0f2db9c13582401a53a676c252d8d1d8bfdc09a5fa3f8e2776b03bb55f4a8a080b0f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp203E.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1480-56-0x0000000000000000-mapping.dmp

Download
memory/1500-72-0x0000000002180000-0x000000000218E000-memory.dmp

Filesize
56KB

Download
memory/1500-66-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1500-54-0x000000013F500000-0x000000013F9E6000-memory.dmp

Filesize
4.9MB

Download
memory/1500-55-0x000000001C080000-0x000000001C318000-memory.dmp

Filesize
2.6MB

Download
memory/1500-71-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/1500-70-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/1500-64-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1500-69-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/1500-65-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/1500-67-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1500-68-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/2188-73-0x0000000000000000-mapping.dmp

Download
memory/2220-75-0x0000000000000000-mapping.dmp

Download
memory/2244-80-0x000000013FFD0000-0x00000001404B6000-memory.dmp

Filesize
4.9MB

Download
memory/2244-77-0x0000000000000000-mapping.dmp

Download
memory/2244-89-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2244-90-0x000000001A7E0000-0x000000001A836000-memory.dmp

Filesize
344KB

Download
memory/2244-91-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2352-81-0x0000000000000000-mapping.dmp

Download
memory/2368-83-0x0000000000000000-mapping.dmp

Download