dcrat | 51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

Analysis

max time kernel
74s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-12-2022 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc9ea28a3c3659c4200e442d20198458.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1736	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1736	schtasks.exe	32

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x00080000000133e2-64.dat	dcrat
behavioral1/files/0x00080000000133e2-62.dat	dcrat
behavioral1/files/0x00080000000133e2-61.dat	dcrat
behavioral1/files/0x00080000000133e2-60.dat	dcrat
behavioral1/memory/652-65-0x0000000001280000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2728-121-0x0000000001000000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/files/0x000700000001454d-120.dat	dcrat
behavioral1/files/0x000700000001454d-118.dat	dcrat
behavioral1/memory/2496-149-0x0000000001E50000-0x0000000001ED0000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Executes dropped EXE 2 IoCs

Processes:

SurrogateDll.exeIdle.exe

pid	Process
652	SurrogateDll.exe
2728	Idle.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
1484	cmd.exe
1484	cmd.exe

Drops file in Program Files directory 10 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\cc11b995f2a76d	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCX5B18.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCX5DD7.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\RCX64DA.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\cc11b995f2a76d	SurrogateDll.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\winlogon.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\winlogon.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\RCX67A9.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\winlogon.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\winlogon.exe	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
1676	schtasks.exe
1248	schtasks.exe
2092	schtasks.exe
2188	schtasks.exe
1508	schtasks.exe
1136	schtasks.exe
1656	schtasks.exe
1428	schtasks.exe
592	schtasks.exe
2112	schtasks.exe
1952	schtasks.exe
1256	schtasks.exe
1584	schtasks.exe
276	schtasks.exe
2072	schtasks.exe
1456	schtasks.exe
1092	schtasks.exe
308	schtasks.exe
1332	schtasks.exe
816	schtasks.exe
2144	schtasks.exe
948	schtasks.exe
2040	schtasks.exe
1140	schtasks.exe
1096	schtasks.exe
1792	schtasks.exe
2024	schtasks.exe
1304	schtasks.exe
852	schtasks.exe
676	schtasks.exe
2160	schtasks.exe
1684	schtasks.exe
1988	schtasks.exe
884	schtasks.exe
272	schtasks.exe
824	schtasks.exe
1036	schtasks.exe
1864	schtasks.exe
852	schtasks.exe
788	schtasks.exe
1256	schtasks.exe
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exe

pid	Process
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe
652	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

SurrogateDll.exeIdle.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	652	SurrogateDll.exe
Token: SeDebugPrivilege	2728	Idle.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

fc9ea28a3c3659c4200e442d20198458.exeWScript.execmd.exeSurrogateDll.exe

description	pid	Process	procid_target
PID 1240 wrote to memory of 2040	1240	fc9ea28a3c3659c4200e442d20198458.exe	28
PID 1240 wrote to memory of 2040	1240	fc9ea28a3c3659c4200e442d20198458.exe	28
PID 1240 wrote to memory of 2040	1240	fc9ea28a3c3659c4200e442d20198458.exe	28
PID 1240 wrote to memory of 2040	1240	fc9ea28a3c3659c4200e442d20198458.exe	28
PID 2040 wrote to memory of 1484	2040	WScript.exe	29
PID 2040 wrote to memory of 1484	2040	WScript.exe	29
PID 2040 wrote to memory of 1484	2040	WScript.exe	29
PID 2040 wrote to memory of 1484	2040	WScript.exe	29
PID 1484 wrote to memory of 652	1484	cmd.exe	31
PID 1484 wrote to memory of 652	1484	cmd.exe	31
PID 1484 wrote to memory of 652	1484	cmd.exe	31
PID 1484 wrote to memory of 652	1484	cmd.exe	31
PID 652 wrote to memory of 2228	652	SurrogateDll.exe	75
PID 652 wrote to memory of 2228	652	SurrogateDll.exe	75
PID 652 wrote to memory of 2228	652	SurrogateDll.exe	75
PID 652 wrote to memory of 2240	652	SurrogateDll.exe	76
PID 652 wrote to memory of 2240	652	SurrogateDll.exe	76
PID 652 wrote to memory of 2240	652	SurrogateDll.exe	76
PID 652 wrote to memory of 2252	652	SurrogateDll.exe	77
PID 652 wrote to memory of 2252	652	SurrogateDll.exe	77
PID 652 wrote to memory of 2252	652	SurrogateDll.exe	77
PID 652 wrote to memory of 2280	652	SurrogateDll.exe	80
PID 652 wrote to memory of 2280	652	SurrogateDll.exe	80
PID 652 wrote to memory of 2280	652	SurrogateDll.exe	80
PID 652 wrote to memory of 2296	652	SurrogateDll.exe	81
PID 652 wrote to memory of 2296	652	SurrogateDll.exe	81
PID 652 wrote to memory of 2296	652	SurrogateDll.exe	81
PID 652 wrote to memory of 2332	652	SurrogateDll.exe	83
PID 652 wrote to memory of 2332	652	SurrogateDll.exe	83
PID 652 wrote to memory of 2332	652	SurrogateDll.exe	83
PID 652 wrote to memory of 2344	652	SurrogateDll.exe	84
PID 652 wrote to memory of 2344	652	SurrogateDll.exe	84
PID 652 wrote to memory of 2344	652	SurrogateDll.exe	84
PID 652 wrote to memory of 2376	652	SurrogateDll.exe	87
PID 652 wrote to memory of 2376	652	SurrogateDll.exe	87
PID 652 wrote to memory of 2376	652	SurrogateDll.exe	87
PID 652 wrote to memory of 2392	652	SurrogateDll.exe	91
PID 652 wrote to memory of 2392	652	SurrogateDll.exe	91
PID 652 wrote to memory of 2392	652	SurrogateDll.exe	91
PID 652 wrote to memory of 2424	652	SurrogateDll.exe	92
PID 652 wrote to memory of 2424	652	SurrogateDll.exe	92
PID 652 wrote to memory of 2424	652	SurrogateDll.exe	92
PID 652 wrote to memory of 2440	652	SurrogateDll.exe	93
PID 652 wrote to memory of 2440	652	SurrogateDll.exe	93
PID 652 wrote to memory of 2440	652	SurrogateDll.exe	93
PID 652 wrote to memory of 2460	652	SurrogateDll.exe	95
PID 652 wrote to memory of 2460	652	SurrogateDll.exe	95
PID 652 wrote to memory of 2460	652	SurrogateDll.exe	95
PID 652 wrote to memory of 2496	652	SurrogateDll.exe	96
PID 652 wrote to memory of 2496	652	SurrogateDll.exe	96
PID 652 wrote to memory of 2496	652	SurrogateDll.exe	96
PID 652 wrote to memory of 2728	652	SurrogateDll.exe	101
PID 652 wrote to memory of 2728	652	SurrogateDll.exe	101
PID 652 wrote to memory of 2728	652	SurrogateDll.exe	101

C:\Users\Admin\AppData\Local\Temp\fc9ea28a3c3659c4200e442d20198458.exe
"C:\Users\Admin\AppData\Local\Temp\fc9ea28a3c3659c4200e442d20198458.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\SurrogateDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDll" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
4b6128250b77a8a973582b40aad2c87a

SHA1
fcee9a9e359a2791971b3495b8068bbaea4beb48

SHA256
802a016b5568de4915a7e99add71564bb3a5d12ac3db7e6f05fd8368191bed0f

SHA512
6fe23d80003930417cb4f0b57e8df983424dafa1e717a0cf5c143ddacef1d00ecaba43fc6e3a4955c129b0c101f1a4ceb658b6ee64baec85f90f21f92dbd4e3b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
4b6128250b77a8a973582b40aad2c87a

SHA1
fcee9a9e359a2791971b3495b8068bbaea4beb48

SHA256
802a016b5568de4915a7e99add71564bb3a5d12ac3db7e6f05fd8368191bed0f

SHA512
6fe23d80003930417cb4f0b57e8df983424dafa1e717a0cf5c143ddacef1d00ecaba43fc6e3a4955c129b0c101f1a4ceb658b6ee64baec85f90f21f92dbd4e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0215407ee36b0223d8bbfc9631217295

SHA1
e36dd9ccd9dc11c7c25072088a275707e069db8f

SHA256
c5455e553bcf9d5f7a0e915d465271fc7ce08bf85a3e604e4574908ad7397e28

SHA512
baf8571040cf745a3a596fb250d8ca3f2bdcda0e50a845868f9a2dbfc3e7de3787e5ff386772c5a4dd60b239840fb772fb376bbe96ad974aaa689ac57d1fe774

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
memory/652-70-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/652-74-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/652-75-0x0000000000380000-0x0000000000400000-memory.dmp

Filesize
512KB

Download
memory/652-76-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/652-77-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/652-78-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/652-79-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/652-80-0x0000000001250000-0x000000000125C000-memory.dmp

Filesize
48KB

Download
memory/652-81-0x0000000000380000-0x0000000000400000-memory.dmp

Filesize
512KB

Download
memory/652-72-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/652-71-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/652-63-0x0000000000000000-mapping.dmp

Download
memory/652-65-0x0000000001280000-0x0000000001440000-memory.dmp

Filesize
1.8MB

Download
memory/652-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/652-73-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/652-69-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/652-67-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/652-68-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1240-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1484-59-0x0000000000000000-mapping.dmp

Download
memory/2040-55-0x0000000000000000-mapping.dmp

Download
memory/2228-82-0x0000000000000000-mapping.dmp

Download
memory/2240-183-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2240-135-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2240-142-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2240-151-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2240-158-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2240-173-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2240-83-0x0000000000000000-mapping.dmp

Download
memory/2240-182-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2252-178-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2252-146-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2252-131-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2252-138-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2252-84-0x0000000000000000-mapping.dmp

Download
memory/2252-162-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2252-176-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2280-155-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2280-179-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2280-150-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2280-132-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2280-139-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2280-181-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2280-169-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2280-85-0x0000000000000000-mapping.dmp

Download
memory/2296-86-0x0000000000000000-mapping.dmp

Download
memory/2296-188-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2296-195-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/2296-186-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2296-194-0x000000000291B000-0x000000000293A000-memory.dmp

Filesize
124KB

Download
memory/2296-193-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2296-190-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/2332-112-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2332-87-0x0000000000000000-mapping.dmp

Download
memory/2332-161-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2332-127-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2332-187-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2332-125-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2332-185-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2344-170-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2344-165-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2344-88-0x0000000000000000-mapping.dmp

Download
memory/2344-133-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2344-156-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2344-172-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2344-148-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2344-140-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2376-154-0x000000001BA40000-0x000000001BD3F000-memory.dmp

Filesize
3.0MB

Download
memory/2376-128-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2376-177-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2376-180-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/2376-113-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2376-143-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2376-171-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/2376-89-0x0000000000000000-mapping.dmp

Download
memory/2376-95-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/2392-90-0x0000000000000000-mapping.dmp

Download
memory/2424-114-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2424-153-0x000000001BA20000-0x000000001BD1F000-memory.dmp

Filesize
3.0MB

Download
memory/2424-126-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/2424-124-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2424-192-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/2424-191-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/2424-189-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/2424-91-0x0000000000000000-mapping.dmp

Download
memory/2440-130-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2440-164-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/2440-137-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2440-174-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2440-175-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/2440-144-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2440-152-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2440-92-0x0000000000000000-mapping.dmp

Download
memory/2460-93-0x0000000000000000-mapping.dmp

Download
memory/2460-141-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2460-145-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2460-168-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/2460-134-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2460-166-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/2460-163-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/2460-159-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/2496-94-0x0000000000000000-mapping.dmp

Download
memory/2496-149-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2496-136-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2496-147-0x000007FEECF80000-0x000007FEEDADD000-memory.dmp

Filesize
11.4MB

Download
memory/2496-167-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2496-129-0x000007FEEA860000-0x000007FEEB283000-memory.dmp

Filesize
10.1MB

Download
memory/2496-160-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/2728-121-0x0000000001000000-0x00000000011C0000-memory.dmp

Filesize
1.8MB

Download
memory/2728-108-0x0000000000000000-mapping.dmp

Download