dcrat | dcca5dae3518d25030ca6e89ab90cd5631ea028b8376e01a8d2a151eff2a744e

Analysis

max time kernel
79s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fff5ee9044814883cfa8d76e281284c.exe
Size

2.5MB
MD5

1fff5ee9044814883cfa8d76e281284c
SHA1

519f65b397de210f1a69c95d8d6b4aebccdf6cee
SHA256

dcca5dae3518d25030ca6e89ab90cd5631ea028b8376e01a8d2a151eff2a744e
SHA512

0b3e60339d1b4a7e7d889b4db6f7187a0a10a7adb77ac21b664cd6434a9836ccb6ae7de005d4f41aeb49179fe36f09230cd5b0ed4b4695d0e1321794a3816536
SSDEEP

49152:jFhevimCMPQCEwTnppuDhWwBar79vwS1o5SGAY3A6S02Gb7RgtHCw9MP0:ZhrRwtkNqhwSktStGvRQHi

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1468	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2020-54-0x00000000001B0000-0x0000000000436000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	dcrat
C:\Program Files (x86)\Adobe\RCX3201.tmp	dcrat
behavioral1/memory/2020-153-0x000000001B1F0000-0x000000001B270000-memory.dmp	dcrat
behavioral1/memory/2712-268-0x0000000001150000-0x00000000013D6000-memory.dmp	dcrat
C:\Windows\PLA\spoolsv.exe	dcrat
C:\Windows\PLA\spoolsv.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

2712 spoolsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2712	spoolsv.exe

Drops file in Program Files directory 13 IoCs

Processes:

1fff5ee9044814883cfa8d76e281284c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cb0b6c459d5d3	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCX17F6.tmp	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files\Windows Mail\en-US\taskhost.exe	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\taskhost.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files (x86)\Adobe\System.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files (x86)\Adobe\27d1bcfc3c54e0	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX2958.tmp	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX3201.tmp	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Program Files (x86)\Adobe\System.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files\Windows Mail\en-US\b75386f1303e64	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\sppsvc.exe	1fff5ee9044814883cfa8d76e281284c.exe

Drops file in Windows directory 8 IoCs

Processes:

1fff5ee9044814883cfa8d76e281284c.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\RCX20BE.tmp	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Windows\Tasks\csrss.exe	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Windows\PLA\RCX2DAC.tmp	1fff5ee9044814883cfa8d76e281284c.exe
File opened for modification	C:\Windows\PLA\spoolsv.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Windows\Tasks\csrss.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Windows\Tasks\886983d96e3d3e	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Windows\PLA\spoolsv.exe	1fff5ee9044814883cfa8d76e281284c.exe
File created	C:\Windows\PLA\f3b6ecef712a24	1fff5ee9044814883cfa8d76e281284c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
340	schtasks.exe
1252	schtasks.exe
1884	schtasks.exe
868	schtasks.exe
284	schtasks.exe
1048	schtasks.exe
812	schtasks.exe
1524	schtasks.exe
1900	schtasks.exe
860	schtasks.exe
1476	schtasks.exe
912	schtasks.exe
1184	schtasks.exe
976	schtasks.exe
1224	schtasks.exe
1856	schtasks.exe
852	schtasks.exe
1600	schtasks.exe
1068	schtasks.exe
584	schtasks.exe
1888	schtasks.exe
1396	schtasks.exe
1664	schtasks.exe
1144	schtasks.exe
1548	schtasks.exe
1296	schtasks.exe
1240	schtasks.exe
1680	schtasks.exe
1920	schtasks.exe
1744	schtasks.exe
1620	schtasks.exe
1424	schtasks.exe
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

1fff5ee9044814883cfa8d76e281284c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exe

pid	process
2020	1fff5ee9044814883cfa8d76e281284c.exe
2020	1fff5ee9044814883cfa8d76e281284c.exe
2020	1fff5ee9044814883cfa8d76e281284c.exe
632	powershell.exe
1732	powershell.exe
1788	powershell.exe
1708	powershell.exe
1856	powershell.exe
1296	powershell.exe
1792	powershell.exe
1348	powershell.exe
2024	powershell.exe
1068	powershell.exe
1664	powershell.exe
1320	powershell.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe
2712	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2020	1fff5ee9044814883cfa8d76e281284c.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2712	spoolsv.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1fff5ee9044814883cfa8d76e281284c.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1792	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1792	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1792	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1068	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1068	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1068	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1348	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1348	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1348	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1788	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1788	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1788	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1296	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1296	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1296	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1320	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1320	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1320	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1664	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1664	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1664	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1732	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1732	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1732	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1708	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1708	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1708	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 2024	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 2024	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 2024	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 632	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 632	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 632	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1856	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1856	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1856	2020	1fff5ee9044814883cfa8d76e281284c.exe	powershell.exe
PID 2020 wrote to memory of 1384	2020	1fff5ee9044814883cfa8d76e281284c.exe	cmd.exe
PID 2020 wrote to memory of 1384	2020	1fff5ee9044814883cfa8d76e281284c.exe	cmd.exe
PID 2020 wrote to memory of 1384	2020	1fff5ee9044814883cfa8d76e281284c.exe	cmd.exe
PID 1384 wrote to memory of 2316	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 2316	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 2316	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 2712	1384	cmd.exe	spoolsv.exe
PID 1384 wrote to memory of 2712	1384	cmd.exe	spoolsv.exe
PID 1384 wrote to memory of 2712	1384	cmd.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1fff5ee9044814883cfa8d76e281284c.exe
"C:\Users\Admin\AppData\Local\Temp\1fff5ee9044814883cfa8d76e281284c.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1fff5ee9044814883cfa8d76e281284c.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4dB2r8yAb.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2316

C:\Windows\PLA\spoolsv.exe
"C:\Windows\PLA\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\RCX3201.tmp
Filesize
2.5MB

MD5
983ab196649ba448a45db83213687f17

SHA1
5ff7ffa0857f809fac0b97c19e5dfd45c65e1855

SHA256
90255ae4b247eb7540a21b081f47f006abd2920bf55792cb3fe6fdef30bba679

SHA512
9d0be970e8e0b2a2a26ee2ba788f706b8de04d82ef6d63afd29c20e65662eeebe705fca7aa652d6b37acecc6b531012b952ff2f6d73c08d9ff526ff7b571ac6c

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe
Filesize
2.5MB

MD5
1fff5ee9044814883cfa8d76e281284c

SHA1
519f65b397de210f1a69c95d8d6b4aebccdf6cee

SHA256
dcca5dae3518d25030ca6e89ab90cd5631ea028b8376e01a8d2a151eff2a744e

SHA512
0b3e60339d1b4a7e7d889b4db6f7187a0a10a7adb77ac21b664cd6434a9836ccb6ae7de005d4f41aeb49179fe36f09230cd5b0ed4b4695d0e1321794a3816536

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4dB2r8yAb.bat
Filesize
191B

MD5
07f3aa5608cb0a6a971c457f7619e272

SHA1
c4fcd56ea1634200b351f4d139b21f5f89add0a5

SHA256
b225a92385c63d0ac3b58bf8260fce2116866208b1dcca611d7c0b7486d41f67

SHA512
131c869b0b0775012cc37ea5917f5991ba68bd0b1d86f5823cf8e05521040ff5e8668437dd4927d17b918a7a67c2b50da2f5ab8d3e139338b5c6468ea95b946f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L96K8G6PX5RW6SMJEPPJ.temp
Filesize
7KB

MD5
9e1dbb24524264a40953c2be3bcfde29

SHA1
d72d0074b979097e0693e789725fe9f97da0bad7

SHA256
ca7b044efd6d440ffacbcfe62309324d3955b4279608abda00ad4307ebf69533

SHA512
0765d9e3fee8d4c3cd3a2b91e11331baa7667edec15b278be46ed85be4b40ab9d641340aa312599789b1a06d527ff5ec86f4b563db62d10eb89bf528dad77a43

Download Submit
C:\Windows\PLA\spoolsv.exe
Filesize
2.5MB

MD5
1fff5ee9044814883cfa8d76e281284c

SHA1
519f65b397de210f1a69c95d8d6b4aebccdf6cee

SHA256
dcca5dae3518d25030ca6e89ab90cd5631ea028b8376e01a8d2a151eff2a744e

SHA512
0b3e60339d1b4a7e7d889b4db6f7187a0a10a7adb77ac21b664cd6434a9836ccb6ae7de005d4f41aeb49179fe36f09230cd5b0ed4b4695d0e1321794a3816536

Download Submit
C:\Windows\PLA\spoolsv.exe
Filesize
2.5MB

MD5
1fff5ee9044814883cfa8d76e281284c

SHA1
519f65b397de210f1a69c95d8d6b4aebccdf6cee

SHA256
dcca5dae3518d25030ca6e89ab90cd5631ea028b8376e01a8d2a151eff2a744e

SHA512
0b3e60339d1b4a7e7d889b4db6f7187a0a10a7adb77ac21b664cd6434a9836ccb6ae7de005d4f41aeb49179fe36f09230cd5b0ed4b4695d0e1321794a3816536

Download Submit
memory/632-236-0x00000000020F0000-0x0000000002170000-memory.dmp

Filesize
512KB

Download
memory/632-246-0x00000000020F0000-0x0000000002170000-memory.dmp

Filesize
512KB

Download
memory/632-264-0x00000000020FB000-0x0000000002132000-memory.dmp

Filesize
220KB

Download
memory/1068-230-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1068-257-0x000000000298B000-0x00000000029C2000-memory.dmp

Filesize
220KB

Download
memory/1068-253-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1296-248-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1296-231-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1296-263-0x000000000284B000-0x0000000002882000-memory.dmp

Filesize
220KB

Download
memory/1296-225-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1320-251-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/1320-261-0x00000000022AB000-0x00000000022E2000-memory.dmp

Filesize
220KB

Download
memory/1320-226-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/1348-228-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1348-227-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1348-262-0x000000000268B000-0x00000000026C2000-memory.dmp

Filesize
220KB

Download
memory/1348-250-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1664-224-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/1664-255-0x00000000029CB000-0x0000000002A02000-memory.dmp

Filesize
220KB

Download
memory/1664-254-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1664-242-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1664-239-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1708-240-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1708-260-0x000000000282B000-0x0000000002862000-memory.dmp

Filesize
220KB

Download
memory/1708-244-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1708-241-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1732-258-0x00000000029BB000-0x00000000029F2000-memory.dmp

Filesize
220KB

Download
memory/1732-229-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1732-245-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1788-272-0x000000000240B000-0x0000000002442000-memory.dmp

Filesize
220KB

Download
memory/1788-247-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/1788-233-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/1788-223-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1792-243-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/1792-235-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/1792-256-0x000000000234B000-0x0000000002382000-memory.dmp

Filesize
220KB

Download
memory/1856-249-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1856-265-0x000000000294B000-0x0000000002982000-memory.dmp

Filesize
220KB

Download
memory/1856-237-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1856-238-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2020-153-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2020-54-0x00000000001B0000-0x0000000000436000-memory.dmp

Filesize
2.5MB

Download
memory/2020-55-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2020-56-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2020-63-0x000000001A8E0000-0x000000001A8EC000-memory.dmp

Filesize
48KB

Download
memory/2020-62-0x000000001A8D0000-0x000000001A8DE000-memory.dmp

Filesize
56KB

Download
memory/2020-57-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2020-61-0x000000001A8A0000-0x000000001A8B2000-memory.dmp

Filesize
72KB

Download
memory/2020-60-0x0000000002060000-0x00000000020B6000-memory.dmp

Filesize
344KB

Download
memory/2020-58-0x0000000002040000-0x0000000002056000-memory.dmp

Filesize
88KB

Download
memory/2020-59-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/2024-234-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2024-232-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2024-259-0x000000000242B000-0x0000000002462000-memory.dmp

Filesize
220KB

Download
memory/2024-252-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2712-268-0x0000000001150000-0x00000000013D6000-memory.dmp

Filesize
2.5MB

Download
memory/2712-269-0x0000000000960000-0x00000000009B6000-memory.dmp

Filesize
344KB

Download
memory/2712-270-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2712-271-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2712-273-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2712-279-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2712-295-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download