Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2023 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.6MB

  • MD5

    373992db74a918562686a9e9144ecbbe

  • SHA1

    953c7daaec55cdf106b371b555bc73f83a127b26

  • SHA256

    c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac

  • SHA512

    ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4

  • SSDEEP

    24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
          "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\wininit.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\WMIADAP.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\lsm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\lsm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\componentMonitorcommon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\es-ES\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\lsass.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TgLqL7e1fH.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2596
              • C:\Windows\PLA\Reports\es-ES\spoolsv.exe
                "C:\Windows\PLA\Reports\es-ES\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\es-ES\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\es-ES\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\es-ES\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "componentMonitorcommonc" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\componentMonitorcommon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "componentMonitorcommon" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\componentMonitorcommon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "componentMonitorcommonc" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\componentMonitorcommon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1908

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Install Root Certificate

    1
    T1130

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\cmd.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      62KB

      MD5

      b5fcc55cffd66f38d548e8b63206c5e6

      SHA1

      79db08ababfa33a4f644fa8fe337195b5aba44c7

      SHA256

      7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

      SHA512

      aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab9D8A.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TgLqL7e1fH.bat
      Filesize

      205B

      MD5

      f77bd7db243a55e513e341fd16a699d3

      SHA1

      c6da92574f8e3ff122d7213ce029b956474343e6

      SHA256

      60e915c91e26bde033bcbf91b13bb05847020578a432e0fe32e2e94795c6ce9f

      SHA512

      1f7da40dd83ac81c48782d1d601306448a207bb8eefdb150d56c678441811d02d4f13f217acca9ce591839cccc221ab92e4159041c1bec3d06b14662fd2c3c62

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T2289FNM54KTB31E0PNT.temp
      Filesize

      7KB

      MD5

      9007e6dd4e86088853dbf8cc5aeb70e4

      SHA1

      f82a2e9f97df8f2ccf60e03035e288925ae258e0

      SHA256

      4de830c2166f329b1e0a778834d12da10715159b921a4058fa753d33939ddc3c

      SHA512

      82b75ccf85d8ff3e602bc24048ca6c2aa606342876a19959404be54645ce37be5b1f87b4c820b7ac48e55d9be3a464c4f44bc6369c7353948694751a974a524f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat
      Filesize

      55B

      MD5

      4eca9a6bf6c52d04c26fa14ea74bf227

      SHA1

      ca0fea58051517e6295da2da5e3f249ad4ff3504

      SHA256

      96ca7d8a38fd1f411bf623f952bbd4b8e93243167c2158917eba0d68f00e85cc

      SHA512

      3d818f8e1ea332deb3a0aaff2284deb6380639a56dc30a7e675cfe76c253f0c626783e5b7652cd6dbad541022ccb6058376ec5d7f12d0674a4478cfefef9df18

      Download Submit
    • C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe
      Filesize

      224B

      MD5

      7b5df8b8d4d8d1b95b3313ffaf3c420b

      SHA1

      70c9cb3ea22d5349044e03f7e6fa4d98e6bc208d

      SHA256

      1c307726e10a7546162838a9981c0d0565306998ed731ee73a047d664d72a3ea

      SHA512

      ddc870977887cd25ca709ff3b3be1311d7478e5c361936d3ff3dd845aa04633fcc081a27bc088e20001f1105862c88972d9325a3b40126157906400ccda65270

      Download Submit
    • C:\Windows\PLA\Reports\es-ES\spoolsv.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • C:\Windows\PLA\Reports\es-ES\spoolsv.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • \Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • \Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
      Filesize

      1.3MB

      MD5

      231efb7ab5b36cda91e06456480228c1

      SHA1

      11edb782a254ead91bef459fb4dac0ca393ffeaf

      SHA256

      5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

      SHA512

      c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

      Download Submit
    • memory/1340-71-0x0000000000690000-0x000000000069E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1340-68-0x0000000000440000-0x000000000045C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1340-72-0x00000000006A0000-0x00000000006AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1340-67-0x0000000000960000-0x0000000000AB4000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1340-70-0x00000000004E0000-0x00000000004EE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1340-77-0x0000000000460000-0x00000000004E0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1340-69-0x0000000000670000-0x0000000000686000-memory.dmp
      Filesize

      88KB

      Download
    • memory/2064-199-0x0000000002750000-0x00000000027D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2064-189-0x0000000002750000-0x00000000027D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2064-233-0x000000000275B000-0x0000000002792000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2072-220-0x00000000026F0000-0x0000000002770000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2072-226-0x00000000026FB000-0x0000000002732000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2072-182-0x00000000026F0000-0x0000000002770000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2072-181-0x00000000026F0000-0x0000000002770000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2088-222-0x00000000028CB000-0x0000000002902000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2088-194-0x00000000028C0000-0x0000000002940000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2088-196-0x00000000028C0000-0x0000000002940000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2088-193-0x00000000028C0000-0x0000000002940000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2096-197-0x0000000002400000-0x0000000002480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2096-192-0x0000000002400000-0x0000000002480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2096-231-0x000000000240B000-0x0000000002442000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2096-195-0x0000000002400000-0x0000000002480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2104-217-0x0000000002430000-0x00000000024B0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2104-188-0x0000000002430000-0x00000000024B0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2104-221-0x000000000243B000-0x0000000002472000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2104-187-0x0000000002430000-0x00000000024B0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2112-209-0x0000000002910000-0x0000000002990000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2112-180-0x0000000002910000-0x0000000002990000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2112-227-0x000000000291B000-0x0000000002952000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2120-224-0x0000000002A5B000-0x0000000002A92000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2120-205-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2120-201-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2120-204-0x0000000002A50000-0x0000000002AD0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2128-214-0x0000000002940000-0x00000000029C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2128-216-0x0000000002940000-0x00000000029C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2128-215-0x0000000002940000-0x00000000029C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2128-232-0x000000000294B000-0x0000000002982000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2136-185-0x00000000023D0000-0x0000000002450000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2136-200-0x00000000023D0000-0x0000000002450000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2136-186-0x00000000023D0000-0x0000000002450000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2136-223-0x00000000023DB000-0x0000000002412000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2144-183-0x00000000027D0000-0x0000000002850000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2144-206-0x00000000027D0000-0x0000000002850000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2144-228-0x00000000027DB000-0x0000000002812000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2152-229-0x00000000027EB000-0x0000000002822000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2152-203-0x00000000027E0000-0x0000000002860000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2152-211-0x00000000027E0000-0x0000000002860000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2152-210-0x00000000027E0000-0x0000000002860000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2160-212-0x0000000002A70000-0x0000000002AF0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2160-190-0x0000000002A70000-0x0000000002AF0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2160-234-0x0000000002A7B000-0x0000000002AB2000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2160-191-0x0000000002A70000-0x0000000002AF0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2160-169-0x000000001B2D0000-0x000000001B5B2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2168-198-0x0000000002260000-0x00000000022E0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2168-184-0x0000000002260000-0x00000000022E0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2168-170-0x0000000002460000-0x0000000002468000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2176-213-0x0000000002340000-0x00000000023C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2176-230-0x000000000234B000-0x0000000002382000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2176-219-0x0000000002340000-0x00000000023C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2176-218-0x0000000002340000-0x00000000023C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2184-225-0x000000000258B000-0x00000000025C2000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2184-202-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2184-207-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2184-208-0x0000000002580000-0x0000000002600000-memory.dmp
      Filesize

      512KB

      Download