dcrat | 640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd

Analysis

max time kernel
61s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ef1669b5a2a031943ebcc66dd1664ad.exe
Size

965KB
MD5

0ef1669b5a2a031943ebcc66dd1664ad
SHA1

13a11b03ad5ad87dbf9ae194bf96253f5fe48f24
SHA256

640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd
SHA512

57c40f13fe0fe14b0dce388f4f8ee64d7965e216f2fb700b29fefc3d1e65d4fc89ea90fa01b74aa5660e0e00077f7e84ec3e6a94a28a5d429f29f494569d60cb
SSDEEP

12288:+K5wpf3kJ7CZIgNw9DAlnZcUUNHuZdYD1cDN+jQ5x+lbbAKLCwzgMl+Vp:R5wp/0CZwDAlnvPa1fjmKbbj+I0

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	176	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	260	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	332	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1472-132-0x0000000000FD0000-0x00000000010C8000-memory.dmp	dcrat
behavioral2/files/0x0007000000022e2b-136.dat	dcrat
behavioral2/files/0x0007000000022e3f-139.dat	dcrat
behavioral2/files/0x0006000000022e75-142.dat	dcrat
behavioral2/files/0x0006000000022e75-144.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
4092	fontdrvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0ef1669b5a2a031943ebcc66dd1664ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0ef1669b5a2a031943ebcc66dd1664ad.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\Google\wininit.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\Google\56085415360792	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\9e8d7a4ca61bd9	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Google\RCXB3A5.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Google\wininit.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RCXBA23.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Windows Mail\eddb19405b7ce1	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA4C6.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Microsoft\Temp\e1ef82546f0b02	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Internet Explorer\images\explorer.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RuntimeBroker.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA544.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Google\RCXB423.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\sihost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\66fc9ff0ee96c2	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\sihost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\Internet Explorer\images\7a0fd90576e088	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RCXB9A5.tmp	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files\Internet Explorer\images\explorer.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RuntimeBroker.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Windows\appcompat\encapsulation\9e8d7a4ca61bd9	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\5b884080fd4f94	0ef1669b5a2a031943ebcc66dd1664ad.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe	0ef1669b5a2a031943ebcc66dd1664ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4360	schtasks.exe
3804	schtasks.exe
840	schtasks.exe
4540	schtasks.exe
2240	schtasks.exe
228	schtasks.exe
2044	schtasks.exe
1460	schtasks.exe
4912	schtasks.exe
3940	schtasks.exe
1964	schtasks.exe
5048	schtasks.exe
2260	schtasks.exe
2856	schtasks.exe
4236	schtasks.exe
260	schtasks.exe
4980	schtasks.exe
4168	schtasks.exe
4124	schtasks.exe
2876	schtasks.exe
4036	schtasks.exe
696	schtasks.exe
1988	schtasks.exe
3980	schtasks.exe
1944	schtasks.exe
2740	schtasks.exe
1816	schtasks.exe
3888	schtasks.exe
1292	schtasks.exe
1840	schtasks.exe
2788	schtasks.exe
5068	schtasks.exe
4624	schtasks.exe
3596	schtasks.exe
1468	schtasks.exe
3932	schtasks.exe
1444	schtasks.exe
388	schtasks.exe
3032	schtasks.exe
1220	schtasks.exe
4508	schtasks.exe
2232	schtasks.exe
1552	schtasks.exe
3524	schtasks.exe
2652	schtasks.exe
4400	schtasks.exe
176	schtasks.exe
4104	schtasks.exe
4292	schtasks.exe
3740	schtasks.exe
4372	schtasks.exe
5060	schtasks.exe
1424	schtasks.exe
4964	schtasks.exe
2188	schtasks.exe
4996	schtasks.exe
4380	schtasks.exe
2288	schtasks.exe
4184	schtasks.exe
5000	schtasks.exe
2660	schtasks.exe
3040	schtasks.exe
1548	schtasks.exe
3516	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0ef1669b5a2a031943ebcc66dd1664ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0ef1669b5a2a031943ebcc66dd1664ad.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
4092	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	0ef1669b5a2a031943ebcc66dd1664ad.exe
Token: SeDebugPrivilege	2968	0ef1669b5a2a031943ebcc66dd1664ad.exe
Token: SeDebugPrivilege	4092	fontdrvhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2968	1472	0ef1669b5a2a031943ebcc66dd1664ad.exe	121
PID 1472 wrote to memory of 2968	1472	0ef1669b5a2a031943ebcc66dd1664ad.exe	121
PID 2968 wrote to memory of 4092	2968	0ef1669b5a2a031943ebcc66dd1664ad.exe	161
PID 2968 wrote to memory of 4092	2968	0ef1669b5a2a031943ebcc66dd1664ad.exe	161

C:\Users\Admin\AppData\Local\Temp\0ef1669b5a2a031943ebcc66dd1664ad.exe
"C:\Users\Admin\AppData\Local\Temp\0ef1669b5a2a031943ebcc66dd1664ad.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\0ef1669b5a2a031943ebcc66dd1664ad.exe
  "C:\Users\Admin\AppData\Local\Temp\0ef1669b5a2a031943ebcc66dd1664ad.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Recovery\WindowsRE\fontdrvhost.exe
    "C:\Recovery\WindowsRE\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 12 /tr "'C:\odt\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\odt\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 10 /tr "'C:\odt\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\sihost.exe'" /rl HIGHEST /f
1⤵
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\66fc9ff0ee96c2

Filesize
549B

MD5
56ceb9fa9aafbdb5f69cb709ec96566d

SHA1
c3753044c5cbe4589f47eefde4c29a4bea4006b3

SHA256
f15f5697fdb39713c046e4813fdc533e99826103e8ae39f65d3da94ad407e4ab

SHA512
5540a0c24e34048f54cd1b4a0c5d9adfbb24f466ac08773b9671e87056d7725c40a78ca1b14299bb03d4e9977eee9f7268602a1ed29ec519a8e2364683a05fbb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
965KB

MD5
0ef1669b5a2a031943ebcc66dd1664ad

SHA1
13a11b03ad5ad87dbf9ae194bf96253f5fe48f24

SHA256
640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd

SHA512
57c40f13fe0fe14b0dce388f4f8ee64d7965e216f2fb700b29fefc3d1e65d4fc89ea90fa01b74aa5660e0e00077f7e84ec3e6a94a28a5d429f29f494569d60cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
965KB

MD5
0ef1669b5a2a031943ebcc66dd1664ad

SHA1
13a11b03ad5ad87dbf9ae194bf96253f5fe48f24

SHA256
640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd

SHA512
57c40f13fe0fe14b0dce388f4f8ee64d7965e216f2fb700b29fefc3d1e65d4fc89ea90fa01b74aa5660e0e00077f7e84ec3e6a94a28a5d429f29f494569d60cb

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
965KB

MD5
0ef1669b5a2a031943ebcc66dd1664ad

SHA1
13a11b03ad5ad87dbf9ae194bf96253f5fe48f24

SHA256
640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd

SHA512
57c40f13fe0fe14b0dce388f4f8ee64d7965e216f2fb700b29fefc3d1e65d4fc89ea90fa01b74aa5660e0e00077f7e84ec3e6a94a28a5d429f29f494569d60cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0ef1669b5a2a031943ebcc66dd1664ad.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ef1669b5a2a031943ebcc66dd1664ad.exe

Filesize
965KB

MD5
0ef1669b5a2a031943ebcc66dd1664ad

SHA1
13a11b03ad5ad87dbf9ae194bf96253f5fe48f24

SHA256
640c60b075e866cfb3247d92043087ecf89802db24124bd97f1ca1bffa062ccd

SHA512
57c40f13fe0fe14b0dce388f4f8ee64d7965e216f2fb700b29fefc3d1e65d4fc89ea90fa01b74aa5660e0e00077f7e84ec3e6a94a28a5d429f29f494569d60cb

Download Submit
memory/1472-137-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/1472-134-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/1472-133-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/1472-132-0x0000000000FD0000-0x00000000010C8000-memory.dmp

Filesize
992KB

Download
memory/2968-138-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/2968-145-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/4092-146-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download
memory/4092-147-0x00007FFDF4740000-0x00007FFDF5201000-memory.dmp

Filesize
10.8MB

Download