dcrat | 70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb679b10d49b2052e1239c345dee646.exe
Size

3.0MB
MD5

afb679b10d49b2052e1239c345dee646
SHA1

5cc8ce5753431b0cc4901aa53d8489e37a91c672
SHA256

70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998
SHA512

14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967
SSDEEP

49152:hwQVR+A3rrXAafICZyKC5iEqpVJ2pfexGqjNJ8JrSwAca2R7TQALtMiTdUdvVSMt:hwQVP7x6iEgBxVr8lMfkT1DBUdvge9Gi

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	460	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	460	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

taskhost.exeafb679b10d49b2052e1239c345dee646.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1116-54-0x0000000000E50000-0x0000000001156000-memory.dmp	dcrat
C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe	dcrat
C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe	dcrat
behavioral1/memory/664-102-0x0000000000390000-0x0000000000696000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

664 taskhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
664	taskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 9 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\0a1fd5f707cd16	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\101b941d020240	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\7a0fd90576e088	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\explorer.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\MSBuild\explorer.exe	afb679b10d49b2052e1239c345dee646.exe
File opened for modification	C:\Program Files\MSBuild\explorer.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\MSBuild\7a0fd90576e088	afb679b10d49b2052e1239c345dee646.exe

Drops file in Windows directory 2 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Windows\ShellNew\lsm.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\ShellNew\101b941d020240	afb679b10d49b2052e1239c345dee646.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1572	schtasks.exe
596	schtasks.exe
1272	schtasks.exe
1992	schtasks.exe
1580	schtasks.exe
548	schtasks.exe
1512	schtasks.exe
1108	schtasks.exe
788	schtasks.exe
780	schtasks.exe
1728	schtasks.exe
1688	schtasks.exe
1960	schtasks.exe
1044	schtasks.exe
1752	schtasks.exe
1252	schtasks.exe
972	schtasks.exe
1792	schtasks.exe
1148	schtasks.exe
1748	schtasks.exe
1220	schtasks.exe
2008	schtasks.exe
1320	schtasks.exe
996	schtasks.exe
1700	schtasks.exe
1956	schtasks.exe
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1116	afb679b10d49b2052e1239c345dee646.exe
1116	afb679b10d49b2052e1239c345dee646.exe
1116	afb679b10d49b2052e1239c345dee646.exe
664	taskhost.exe
1548	powershell.exe
1820	powershell.exe
1096	powershell.exe
1272	powershell.exe
1800	powershell.exe
1552	powershell.exe
1708	powershell.exe
1168	powershell.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
1612	powershell.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe
664	taskhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1116	afb679b10d49b2052e1239c345dee646.exe
Token: SeDebugPrivilege	664	taskhost.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeBackupPrivilege	2992	vssvc.exe
Token: SeRestorePrivilege	2992	vssvc.exe
Token: SeAuditPrivilege	2992	vssvc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhost.exe

description	pid	process	target process
PID 1116 wrote to memory of 1552	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1552	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1552	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1708	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1708	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1708	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1548	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1548	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1548	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1096	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1096	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1096	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1168	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1168	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1168	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1800	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1800	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1800	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1820	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1820	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1820	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 2012	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 2012	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 2012	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1272	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1272	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 1272	1116	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1116 wrote to memory of 664	1116	afb679b10d49b2052e1239c345dee646.exe	taskhost.exe
PID 1116 wrote to memory of 664	1116	afb679b10d49b2052e1239c345dee646.exe	taskhost.exe
PID 1116 wrote to memory of 664	1116	afb679b10d49b2052e1239c345dee646.exe	taskhost.exe
PID 664 wrote to memory of 2476	664	taskhost.exe	WScript.exe
PID 664 wrote to memory of 2476	664	taskhost.exe	WScript.exe
PID 664 wrote to memory of 2476	664	taskhost.exe	WScript.exe
PID 664 wrote to memory of 2500	664	taskhost.exe	WScript.exe
PID 664 wrote to memory of 2500	664	taskhost.exe	WScript.exe
PID 664 wrote to memory of 2500	664	taskhost.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe
"C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
2⤵
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe
"C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e8c9a2-1e40-46f3-a76f-25575a5f7705.vbs"
3⤵
PID:2476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb943c1-0709-42b1-bb6c-583450e2407b.vbs"
3⤵
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\taskhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eb943c1-0709-42b1-bb6c-583450e2407b.vbs
Filesize
513B

MD5
de996babccc293699dc98a2e42c74ca6

SHA1
e77f545545f26ae456ba9abdb25d2b6d8f98c909

SHA256
e14cc656f66ccd8a0e1d2e8ee99b452dd544e71352d98de55adf38da9d87fa35

SHA512
6b26789a01d69ca08d3f92260920b9a853bfc97675e9d68804aa8dab5b044be89a2bb7e05d74a8aaa2fa15fbb0263db4645196214391377975e0ac5a3eaf46cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e8c9a2-1e40-46f3-a76f-25575a5f7705.vbs
Filesize
736B

MD5
4fca3c62479e7f7a128e2b218c6df8b9

SHA1
d841dc9a480d4c31a4b59b2506b474de491df29c

SHA256
b5f5dbd53e28fea6ba0b0bd84eb2b2b8d5393e550b20ef207b918324d2266d7d

SHA512
3f766edc9893a7dd424ae4c58c63806b702649acfa46e3e30019029da7b47b18f93ccdfa2a8a5e9fb661e7f103268ec37b96d153847808865d60dee47af8f044

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a82efda43881f08d53219c0e405094ad

SHA1
4166826ec5ce3e0547fc49fb4f3ef766e1a6bd74

SHA256
35e36e152149246734951c9deccd8ac73c4e666ae505f01424021a94dcc71fe3

SHA512
4a1fafa426a8843db03aa12bf12328119a8025e35ba56575acd43dd49df26d426407fa07e992dff1ac8d6bbfb7c71ace48965c9f10774f7d3cb15d16e83d105a

Download Submit
memory/664-112-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/664-102-0x0000000000390000-0x0000000000696000-memory.dmp

Filesize
3.0MB

Download
memory/664-96-0x0000000000000000-mapping.dmp

Download
memory/1096-81-0x0000000000000000-mapping.dmp

Download
memory/1096-107-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1096-167-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/1096-166-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1096-131-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1096-154-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/1096-133-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1096-142-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/1096-141-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1116-74-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/1116-64-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1116-55-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1116-77-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/1116-60-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1116-54-0x0000000000E50000-0x0000000001156000-memory.dmp

Filesize
3.0MB

Download
memory/1116-56-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1116-57-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1116-61-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1116-59-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/1116-58-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1116-76-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/1116-75-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/1116-73-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/1116-72-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1116-71-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/1116-70-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/1116-69-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/1116-68-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/1116-67-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/1116-66-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/1116-65-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/1116-62-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1116-63-0x0000000000560000-0x00000000005B6000-memory.dmp

Filesize
344KB

Download
memory/1168-125-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1168-135-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1168-114-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1168-168-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1168-157-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/1168-169-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/1168-119-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1168-82-0x0000000000000000-mapping.dmp

Download
memory/1272-120-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1272-126-0x0000000001E00000-0x0000000001E80000-memory.dmp

Filesize
512KB

Download
memory/1272-88-0x0000000000000000-mapping.dmp

Download
memory/1272-163-0x0000000001E00000-0x0000000001E80000-memory.dmp

Filesize
512KB

Download
memory/1272-136-0x0000000001E00000-0x0000000001E80000-memory.dmp

Filesize
512KB

Download
memory/1272-117-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1548-161-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1548-130-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1548-140-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1548-80-0x0000000000000000-mapping.dmp

Download
memory/1548-113-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1548-171-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1548-132-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1548-145-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1548-174-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1552-124-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1552-134-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1552-164-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1552-144-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1552-104-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1552-155-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1552-118-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1552-165-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1552-78-0x0000000000000000-mapping.dmp

Download
memory/1612-83-0x0000000000000000-mapping.dmp

Download
memory/1612-177-0x000007FEEB7D0000-0x000007FEEC1F3000-memory.dmp

Filesize
10.1MB

Download
memory/1612-180-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1612-178-0x000007FEEAC70000-0x000007FEEB7CD000-memory.dmp

Filesize
11.4MB

Download
memory/1708-86-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1708-151-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1708-139-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1708-123-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1708-98-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1708-79-0x0000000000000000-mapping.dmp

Download
memory/1708-129-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1708-170-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1708-172-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1708-158-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1800-156-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1800-121-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1800-160-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1800-84-0x0000000000000000-mapping.dmp

Download
memory/1800-162-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1800-127-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1800-147-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1800-116-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1800-137-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1820-122-0x000007FEEACD0000-0x000007FEEB82D000-memory.dmp

Filesize
11.4MB

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1820-115-0x000007FEEB830000-0x000007FEEC253000-memory.dmp

Filesize
10.1MB

Download
memory/1820-175-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1820-128-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1820-173-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/1820-159-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/1820-138-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1820-146-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2012-87-0x0000000000000000-mapping.dmp

Download
memory/2476-148-0x0000000000000000-mapping.dmp

Download
memory/2500-149-0x0000000000000000-mapping.dmp

Download