dcrat | 1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02357599.exe
Size

3.5MB
MD5

a29004d57b0582196965b9344e0eb7b4
SHA1

6e0ab8638b3559750dc40e4c23623552d84b5d8c
SHA256

1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
SHA512

b097b10dcf833740b4bbd922a035c3658e51d8aeb6dd4f27ff1e8661da8c2ea47593e53b6400af5096943e6eebb27407c1c92b3ea2c10913150edad2f593b5b1
SSDEEP

98304:XFXg7GTzJBVeXbdAWTUjpI5q05tzpMpKcvA0T:XFw7CzgXRAh9O4K5m

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1604	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

containerSvc.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
behavioral1/memory/1252-93-0x0000000000050000-0x0000000000360000-memory.dmp	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\csrss.exe	dcrat
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe	dcrat
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe	dcrat
behavioral1/memory/692-152-0x0000000001290000-0x00000000015A0000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

DCRE.exeSLIPWARE.execontainerSvc.exedwm.exe

pid process

1336 DCRE.exe
568 SLIPWARE.exe
1252 containerSvc.exe
1240
692 dwm.exe
Loads dropped DLL 5 IoCs

Processes:

02357599.execmd.exe

pid process

1260 02357599.exe
1260 02357599.exe
808 cmd.exe
808 cmd.exe
1240
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1336	DCRE.exe
568	SLIPWARE.exe
1252	containerSvc.exe
1240
692	dwm.exe

pid	process
1260	02357599.exe
1260	02357599.exe
808	cmd.exe
808	cmd.exe
1240

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

containerSvc.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	containerSvc.exe

Drops file in Program Files directory 6 IoCs

Processes:

containerSvc.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\wininit.exe	containerSvc.exe
File created	C:\Program Files\Uninstall Information\56085415360792	containerSvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	containerSvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	containerSvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	containerSvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	containerSvc.exe

Drops file in Windows directory 2 IoCs

Processes:

containerSvc.exe

description ioc process

File created C:\Windows\Logs\DPX\lsm.exe containerSvc.exe
File created C:\Windows\Logs\DPX\101b941d020240 containerSvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Logs\DPX\lsm.exe	containerSvc.exe
File created	C:\Windows\Logs\DPX\101b941d020240	containerSvc.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
980	schtasks.exe
1676	schtasks.exe
928	schtasks.exe
848	schtasks.exe
1636	schtasks.exe
1172	schtasks.exe
1304	schtasks.exe
840	schtasks.exe
1348	schtasks.exe
316	schtasks.exe
1544	schtasks.exe
1876	schtasks.exe
1112	schtasks.exe
596	schtasks.exe
1028	schtasks.exe
860	schtasks.exe
1212	schtasks.exe
1632	schtasks.exe
1892	schtasks.exe
924	schtasks.exe
1548	schtasks.exe
928	schtasks.exe
692	schtasks.exe
1984	schtasks.exe
1720	schtasks.exe
1900	schtasks.exe
1524	schtasks.exe
1636	schtasks.exe
1520	schtasks.exe
528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SLIPWARE.execontainerSvc.exedwm.exe

pid	process
568	SLIPWARE.exe
1252	containerSvc.exe
1252	containerSvc.exe
568	SLIPWARE.exe
1252	containerSvc.exe
1252	containerSvc.exe
1252	containerSvc.exe
1252	containerSvc.exe
568	SLIPWARE.exe
1252	containerSvc.exe
1252	containerSvc.exe
1252	containerSvc.exe
568	SLIPWARE.exe
568	SLIPWARE.exe
568	SLIPWARE.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
692	dwm.exe
568	SLIPWARE.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

containerSvc.exeSLIPWARE.exedwm.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1252	containerSvc.exe
Token: SeDebugPrivilege	568	SLIPWARE.exe
Token: SeDebugPrivilege	692	dwm.exe
Token: SeBackupPrivilege	1008	vssvc.exe
Token: SeRestorePrivilege	1008	vssvc.exe
Token: SeAuditPrivilege	1008	vssvc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

02357599.exeDCRE.exeWScript.execmd.execontainerSvc.execmd.exedwm.exe

description	pid	process	target process
PID 1260 wrote to memory of 1336	1260	02357599.exe	DCRE.exe
PID 1260 wrote to memory of 1336	1260	02357599.exe	DCRE.exe
PID 1260 wrote to memory of 1336	1260	02357599.exe	DCRE.exe
PID 1260 wrote to memory of 1336	1260	02357599.exe	DCRE.exe
PID 1260 wrote to memory of 568	1260	02357599.exe	SLIPWARE.exe
PID 1260 wrote to memory of 568	1260	02357599.exe	SLIPWARE.exe
PID 1260 wrote to memory of 568	1260	02357599.exe	SLIPWARE.exe
PID 1260 wrote to memory of 568	1260	02357599.exe	SLIPWARE.exe
PID 1336 wrote to memory of 1000	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1000	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1000	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1000	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1396	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1396	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1396	1336	DCRE.exe	WScript.exe
PID 1336 wrote to memory of 1396	1336	DCRE.exe	WScript.exe
PID 1000 wrote to memory of 808	1000	WScript.exe	cmd.exe
PID 1000 wrote to memory of 808	1000	WScript.exe	cmd.exe
PID 1000 wrote to memory of 808	1000	WScript.exe	cmd.exe
PID 1000 wrote to memory of 808	1000	WScript.exe	cmd.exe
PID 808 wrote to memory of 1252	808	cmd.exe	containerSvc.exe
PID 808 wrote to memory of 1252	808	cmd.exe	containerSvc.exe
PID 808 wrote to memory of 1252	808	cmd.exe	containerSvc.exe
PID 808 wrote to memory of 1252	808	cmd.exe	containerSvc.exe
PID 1252 wrote to memory of 1544	1252	containerSvc.exe	cmd.exe
PID 1252 wrote to memory of 1544	1252	containerSvc.exe	cmd.exe
PID 1252 wrote to memory of 1544	1252	containerSvc.exe	cmd.exe
PID 1544 wrote to memory of 700	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 700	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 700	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 692	1544	cmd.exe	dwm.exe
PID 1544 wrote to memory of 692	1544	cmd.exe	dwm.exe
PID 1544 wrote to memory of 692	1544	cmd.exe	dwm.exe
PID 692 wrote to memory of 1252	692	dwm.exe	WScript.exe
PID 692 wrote to memory of 1252	692	dwm.exe	WScript.exe
PID 692 wrote to memory of 1252	692	dwm.exe	WScript.exe
PID 692 wrote to memory of 1900	692	dwm.exe	WScript.exe
PID 692 wrote to memory of 1900	692	dwm.exe	WScript.exe
PID 692 wrote to memory of 1900	692	dwm.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.execontainerSvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\02357599.exe
"C:\Users\Admin\AppData\Local\Temp\02357599.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\DCRE.exe
"C:\Users\Admin\AppData\Local\Temp\DCRE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
"C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6YTAlEh9Xt.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:700

C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe
"C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1714a88d-4d30-4fb5-92ca-b2df03d3d32b.vbs"
8⤵
PID:1252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d320d104-e9aa-4ffa-a339-ce35707fc55a.vbs"
8⤵
PID:1900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs"
3⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
"C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DPX\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\DPX\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\1714a88d-4d30-4fb5-92ca-b2df03d3d32b.vbs
Filesize
731B

MD5
86ce23854635842931cf5a5b908839f0

SHA1
6ed00f79e575bfd749db8f5cfe4b9d413da0dbdf

SHA256
b532c10fe8288eb658c1c121aa2217aa761d2dffac5e0d173d9b361c2044f081

SHA512
e0ddfd224b7c4519b9d2335c3e4da03c4d19a83e88c632d39fd66f82c18c9140258a3292923042d2e4733847e752ff055b31fd7f1a1f32d94bf741504f8ba44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6YTAlEh9Xt.bat
Filesize
221B

MD5
db170950e408dd8afd24d32569268192

SHA1
c435207977ca0c12906639aa2c7f2ecd6585acf9

SHA256
ada317f484e1da450c9bd615212846eb5bf59289e578e3c38a2de08cee5f7b7d

SHA512
4b18b177ee19c381a1729b8094ccbfaf7afb47804aa36f997e11550af8481af18830522c8ae513745b1794faa0c2b126ee02db3cbd02f93f5dc368fa7f1e54a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d320d104-e9aa-4ffa-a339-ce35707fc55a.vbs
Filesize
508B

MD5
aa2398ba875cd8a70629e42ba5bdad5b

SHA1
c08687badf69a98aa7d842bf407a282ee89fbc29

SHA256
a6bea157d8de2d030953746cfbcf1ade9881a2bf4ff7e888428881172676101a

SHA512
a46f37d63b5d7abfaaa28a140cf6b0171d7e29f32ea0116e8fba3273bb02f98124d9e8493d45c06af5cc8552877ca0e49965c956bc110c9c806c12be0637cd1b

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat
Filesize
41B

MD5
6daccbefb453cde7378d378574cc9c7b

SHA1
92b2145db1421878ffbdad18ba046247b2a4b159

SHA256
6a770c19c51d3806aedcff4d99c12b2e74e979050d68ea84c17adf5f10684041

SHA512
7cbbed8110e59c03aedbac23c8a85c4afac7c1671b36bb1a0947b3bcb1e35305cc8dd75104993d07de18c385a73840caa3a7ca2d2e5e8d444dcf56f420104308

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe
Filesize
217B

MD5
e176c5bbb3e43b082a130d9b7af304c8

SHA1
cde44f62e6a436279028c7009833b8daf5171476

SHA256
f188560cf6c0b289e72f5d142d22f7b52b856928769a09acae5464671b54e84a

SHA512
95ec5a92acbbf337ff2519ac511fba3fe1cc56c8baa4c283e130ea2550b275b8b42c65f773d3fbe5f900f08fb788117b1d3e22574cf09210ada4224077455dbe

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\csrss.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
memory/568-82-0x0000000000130000-0x00000000001C2000-memory.dmp

Filesize
584KB

Download
memory/568-170-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-169-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-116-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-87-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/568-168-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-86-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/568-102-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-85-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download
memory/568-157-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/568-158-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/568-115-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-84-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/568-114-0x000000001C190000-0x000000001C191000-memory.dmp

Filesize
4KB

Download
memory/568-83-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/568-153-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/692-171-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/692-152-0x0000000001290000-0x00000000015A0000-memory.dmp

Filesize
3.1MB

Download
memory/692-154-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/692-155-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/692-156-0x0000000000990000-0x00000000009E6000-memory.dmp

Filesize
344KB

Download
memory/692-177-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/692-196-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/1252-107-0x000000001A9E0000-0x000000001AA36000-memory.dmp

Filesize
344KB

Download
memory/1252-119-0x000000001AE60000-0x000000001AE6E000-memory.dmp

Filesize
56KB

Download
memory/1252-120-0x000000001AE70000-0x000000001AE78000-memory.dmp

Filesize
32KB

Download
memory/1252-121-0x000000001AE80000-0x000000001AE8E000-memory.dmp

Filesize
56KB

Download
memory/1252-122-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/1252-123-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/1252-124-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/1252-118-0x000000001AE50000-0x000000001AE5A000-memory.dmp

Filesize
40KB

Download
memory/1252-117-0x000000001AE40000-0x000000001AE4C000-memory.dmp

Filesize
48KB

Download
memory/1252-113-0x000000001AE30000-0x000000001AE38000-memory.dmp

Filesize
32KB

Download
memory/1252-112-0x000000001AE20000-0x000000001AE2C000-memory.dmp

Filesize
48KB

Download
memory/1252-111-0x000000001A950000-0x000000001A958000-memory.dmp

Filesize
32KB

Download
memory/1252-110-0x000000001A940000-0x000000001A952000-memory.dmp

Filesize
72KB

Download
memory/1252-109-0x000000001A930000-0x000000001A938000-memory.dmp

Filesize
32KB

Download
memory/1252-108-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/1252-106-0x0000000002120000-0x000000000212A000-memory.dmp

Filesize
40KB

Download
memory/1252-105-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1252-104-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/1252-100-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1252-103-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1252-101-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1252-97-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/1252-96-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/1252-95-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/1252-94-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/1252-93-0x0000000000050000-0x0000000000360000-memory.dmp

Filesize
3.1MB

Download