dcrat | db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

Analysis

max time kernel
154s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Size

831KB
MD5

f08a6e9c47eb0d630cddd00a3d9e696c
SHA1

daec48aa94f39454581ba677cf54c24212ecbbc8
SHA256

db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338
SHA512

8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16
SSDEEP

24576:fNJByB9O08sndZuYdSZ5XF8TYCVggA+r+gn:1JN0ldsXFvg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3216	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3216	schtasks.exe	87

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2240-0-0x0000000000070000-0x0000000000146000-memory.dmp	dcrat
behavioral2/files/0x00070000000231be-13.dat	dcrat
behavioral2/files/0x00070000000231be-63.dat	dcrat
behavioral2/files/0x00060000000231dc-78.dat	dcrat
behavioral2/files/0x00060000000231dc-77.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	F08A6E9C47EB0D630CDDD00A3D9E696C.exe

Executes dropped EXE 1 IoCs

pid	Process
3308	schtasks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Java\f3b6ecef712a24	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\schtasks.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\3a6fe29a7ceee6	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows Sidebar\Idle.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\3a6fe29a7ceee6	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\spoolsv.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\e6c9b481da804f	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Windows Sidebar\6ccacd8608530f	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cc11b995f2a76d	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files (x86)\Common Files\Java\spoolsv.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\7a0fd90576e088	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\Web\Screen\RuntimeBroker.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\Web\Screen\9e8d7a4ca61bd9	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
File created	C:\Windows\bcastdvr\explorer.exe	F08A6E9C47EB0D630CDDD00A3D9E696C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4560	schtasks.exe
384	schtasks.exe
4624	schtasks.exe
4304	schtasks.exe
1460	schtasks.exe
1076	schtasks.exe
2676	schtasks.exe
3616	schtasks.exe
4016	schtasks.exe
400	schtasks.exe
4384	schtasks.exe
3308	schtasks.exe
4196	schtasks.exe
4488	schtasks.exe
4052	schtasks.exe
3928	schtasks.exe
2564	schtasks.exe
4700	schtasks.exe
508	schtasks.exe
1372	schtasks.exe
2256	schtasks.exe
3544	schtasks.exe
744	schtasks.exe
396	schtasks.exe
4548	schtasks.exe
2500	schtasks.exe
4832	schtasks.exe
956	schtasks.exe
1160	schtasks.exe
4812	schtasks.exe
536	schtasks.exe
2152	schtasks.exe
4924	schtasks.exe
1772	schtasks.exe
2116	schtasks.exe
4312	schtasks.exe
4020	schtasks.exe
3488	schtasks.exe
772	schtasks.exe
3232	schtasks.exe
3096	schtasks.exe
3480	schtasks.exe
2820	schtasks.exe
4484	schtasks.exe
3852	schtasks.exe
4396	schtasks.exe
1452	schtasks.exe
4220	schtasks.exe
1888	schtasks.exe
4092	schtasks.exe
1288	schtasks.exe
2888	schtasks.exe
4856	schtasks.exe
3672	schtasks.exe
1572	schtasks.exe
4176	schtasks.exe
1960	schtasks.exe
688	schtasks.exe
5064	schtasks.exe
4500	schtasks.exe
4628	schtasks.exe
4420	schtasks.exe
3716	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe
3308	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Token: SeDebugPrivilege	3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe
Token: SeDebugPrivilege	3308	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3184	2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	117
PID 2240 wrote to memory of 3184	2240	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	117
PID 3184 wrote to memory of 3308	3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	171
PID 3184 wrote to memory of 3308	3184	F08A6E9C47EB0D630CDDD00A3D9E696C.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe
"C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe
  "C:\Users\Admin\AppData\Local\Temp\F08A6E9C47EB0D630CDDD00A3D9E696C.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\odt\schtasks.exe
    "C:\odt\schtasks.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F08A6E9C47EB0D630CDDD00A3D9E696CF" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\F08A6E9C47EB0D630CDDD00A3D9E696C.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F08A6E9C47EB0D630CDDD00A3D9E696C" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\F08A6E9C47EB0D630CDDD00A3D9E696C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F08A6E9C47EB0D630CDDD00A3D9E696CF" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\F08A6E9C47EB0D630CDDD00A3D9E696C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Screen\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Web\Screen\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Screen\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Default User\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\odt\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\121e5b5079f7c0

Filesize
285B

MD5
c64136d323cfe1de407328004c35731c

SHA1
30797edd7b3cc5a020a88cd789a534e45e5a8c1b

SHA256
4f9ed3088d2f7ca8bcecf05bca7e422ab7e307ff99b8abb7333f43b3bf4cbb09

SHA512
dd2505eef7eafe2f8dc00dae42233a0a69565a3285240565facdb172d79b3d832568260754a6138f3b9500c2ca4a337cb615b560334916561ebfa459bdbbc17d

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\F08A6E9C47EB0D630CDDD00A3D9E696C.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fdc9f738e7cbeb89d61d8dcee24751789eb09c4.5.32abdb707433d79f3dbbed24838709cb436a97da7a

Filesize
1KB

MD5
490ca3739eb5f88f6d66350b865a1b81

SHA1
0803813e233efb94a37a5489dc622e1da9a3dafb

SHA256
2d3d78875ca2d1f04a1a3a756e462ebe09b1d1d44a967b2e28f27c10ed35ff80

SHA512
279acb6ce7b10bebd3d81417612abe7085f319c1cb95679c81b1cb69dded95a1d0d4ad9081f532f9327ad23c02f51d5086940d55187643e92759bddc1d40e1f0

Download Submit
C:\odt\schtasks.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
C:\odt\schtasks.exe

Filesize
831KB

MD5
f08a6e9c47eb0d630cddd00a3d9e696c

SHA1
daec48aa94f39454581ba677cf54c24212ecbbc8

SHA256
db7e8f25662e1a54432abf68705b2ac077e174ba28a4ec80f6c07c55cc4ba338

SHA512
8d4715addfc71063cb68768363bc086bd9cc70db4764590d2c1bea6e7858d95a583d2e268779ae8639ac72fda357aab839ecf63e4bef12ffe4d51191884dca16

Download Submit
memory/2240-1-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/2240-0-0x0000000000070000-0x0000000000146000-memory.dmp

Filesize
856KB

Download
memory/2240-27-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/2240-7-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/2240-2-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2240-8-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/3184-52-0x000000001B290000-0x000000001B2A0000-memory.dmp

Filesize
64KB

Download
memory/3184-26-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/3184-48-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/3184-28-0x000000001B290000-0x000000001B2A0000-memory.dmp

Filesize
64KB

Download
memory/3184-80-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/3308-79-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/3308-81-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/3308-82-0x00007FFC56A40000-0x00007FFC57501000-memory.dmp

Filesize
10.8MB

Download
memory/3308-83-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download