dcrat | 588530f4cba85b9874f6dd2b2a93ea052486147ef68cb9dfaaa32e450c180f48

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Size

1.1MB
MD5

f8b17c21dbf4da6ea15d7bbd0ee4a380
SHA1

07c61110827fdee71cdaade2498d717ba8651197
SHA256

588530f4cba85b9874f6dd2b2a93ea052486147ef68cb9dfaaa32e450c180f48
SHA512

cd8466ffeb42b423d74398ab4f18380192de8352a39652645407af17efaed8f6606a7537348f3ae6ff30439f7ef71678ecd09ed2a1fd5025e74b6a4b26ac3625
SSDEEP

12288:El+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:Zyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2708	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2508-0-0x0000000000A20000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/files/0x00070000000153cf-17.dat	dcrat
behavioral1/files/0x0006000000016619-50.dat	dcrat
behavioral1/files/0x00360000000144a1-73.dat	dcrat
behavioral1/files/0x0011000000014b59-122.dat	dcrat
behavioral1/files/0x0011000000014b59-246.dat	dcrat
behavioral1/files/0x0011000000014b59-245.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1400	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\spoolsv.exe	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File created	C:\Program Files\Microsoft Office\f3b6ecef712a24	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCX61E8.tmp	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCX61E9.tmp	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File created	C:\Program Files\DVD Maker\it-IT\spoolsv.exe	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File created	C:\Program Files\DVD Maker\it-IT\f3b6ecef712a24	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\spoolsv.exe	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX666F.tmp	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX6680.tmp	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
File opened for modification	C:\Program Files\Microsoft Office\spoolsv.exe	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2760	schtasks.exe
2980	schtasks.exe
2456	schtasks.exe
2036	schtasks.exe
1648	schtasks.exe
2740	schtasks.exe
2624	schtasks.exe
2588	schtasks.exe
268	schtasks.exe
2896	schtasks.exe
2824	schtasks.exe
2976	schtasks.exe
1520	schtasks.exe
796	schtasks.exe
2800	schtasks.exe
2852	schtasks.exe
2684	schtasks.exe
2108	schtasks.exe
1628	schtasks.exe
2788	schtasks.exe
1624	schtasks.exe
2596	schtasks.exe
2264	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
1800	powershell.exe
2748	powershell.exe
2464	powershell.exe
2404	powershell.exe
1924	powershell.exe
1428	powershell.exe
1088	powershell.exe
944	powershell.exe
1912	powershell.exe
1792	powershell.exe
1900	powershell.exe
1336	powershell.exe
1400	csrss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1400	csrss.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2748	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	53
PID 2508 wrote to memory of 2748	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	53
PID 2508 wrote to memory of 2748	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	53
PID 2508 wrote to memory of 2464	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	56
PID 2508 wrote to memory of 2464	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	56
PID 2508 wrote to memory of 2464	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	56
PID 2508 wrote to memory of 1428	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	55
PID 2508 wrote to memory of 1428	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	55
PID 2508 wrote to memory of 1428	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	55
PID 2508 wrote to memory of 1792	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	58
PID 2508 wrote to memory of 1792	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	58
PID 2508 wrote to memory of 1792	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	58
PID 2508 wrote to memory of 2404	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	60
PID 2508 wrote to memory of 2404	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	60
PID 2508 wrote to memory of 2404	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	60
PID 2508 wrote to memory of 944	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	61
PID 2508 wrote to memory of 944	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	61
PID 2508 wrote to memory of 944	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	61
PID 2508 wrote to memory of 1336	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	75
PID 2508 wrote to memory of 1336	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	75
PID 2508 wrote to memory of 1336	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	75
PID 2508 wrote to memory of 1088	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	74
PID 2508 wrote to memory of 1088	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	74
PID 2508 wrote to memory of 1088	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	74
PID 2508 wrote to memory of 1800	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	72
PID 2508 wrote to memory of 1800	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	72
PID 2508 wrote to memory of 1800	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	72
PID 2508 wrote to memory of 1924	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	62
PID 2508 wrote to memory of 1924	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	62
PID 2508 wrote to memory of 1924	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	62
PID 2508 wrote to memory of 1912	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	70
PID 2508 wrote to memory of 1912	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	70
PID 2508 wrote to memory of 1912	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	70
PID 2508 wrote to memory of 1900	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	64
PID 2508 wrote to memory of 1900	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	64
PID 2508 wrote to memory of 1900	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	64
PID 2508 wrote to memory of 2020	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	77
PID 2508 wrote to memory of 2020	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	77
PID 2508 wrote to memory of 2020	2508	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe	77
PID 2020 wrote to memory of 2992	2020	cmd.exe	79
PID 2020 wrote to memory of 2992	2020	cmd.exe	79
PID 2020 wrote to memory of 2992	2020	cmd.exe	79
PID 2020 wrote to memory of 1400	2020	cmd.exe	80
PID 2020 wrote to memory of 1400	2020	cmd.exe	80
PID 2020 wrote to memory of 1400	2020	cmd.exe	80

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f8b17c21dbf4da6ea15d7bbd0ee4a380.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQG8Pfyund.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2992
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe

Filesize
1.1MB

MD5
a175bb91c5278536ef0051a17fb75550

SHA1
ed7e15e0f65de4d472d2241e691e3367d5d5ca9b

SHA256
46361dc7ca8bd26a5501ecd7fb0ced8080d4bd03ea4ad5a4fb61eb1af01fb97e

SHA512
fe9c9e6cbfafafa29e8930548727ea07857ff536709d93b1282c61fa6095ad64a60d18e353f73a8a7c203f00f346322abc5de0fbcb2bb887fc52cf9e4a752f2c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe

Filesize
1.1MB

MD5
fc69040bcdbfb5c9f8d0acaad375c594

SHA1
a83cd1c4cf570c1af738a983d9f38c14da7bf204

SHA256
b1d4e105c94360f19b42c2c7282a5e9beb0a80aecad4cfc416565293bd748ffc

SHA512
a24ae4072ca90ee648d2def93d9b6860f7145f5a8e5590f00143071f780f13aca36e0dc1c510324dea180d9f09b8c6f41c7638f61c13b1c3651fd2701f74955c

Download Submit
C:\Program Files\DVD Maker\it-IT\spoolsv.exe

Filesize
1.1MB

MD5
f8b17c21dbf4da6ea15d7bbd0ee4a380

SHA1
07c61110827fdee71cdaade2498d717ba8651197

SHA256
588530f4cba85b9874f6dd2b2a93ea052486147ef68cb9dfaaa32e450c180f48

SHA512
cd8466ffeb42b423d74398ab4f18380192de8352a39652645407af17efaed8f6606a7537348f3ae6ff30439f7ef71678ecd09ed2a1fd5025e74b6a4b26ac3625

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQG8Pfyund.bat

Filesize
196B

MD5
4131998cc659dc135f4604e448715fb2

SHA1
6f832bdbe507d02c73d6cd00fcfade5628e209ec

SHA256
003f5acf278ca7b24bc54fc37fb8243a830a744f1b833a7b3721413cf760852c

SHA512
cf1817103bca8363ed2e2b22e1e7bae33e91c0288cc38ec084814a43d855920ba1f9c2626c8c5f514b16e64a9655c8bebbb34a552d20c1f5fc1002c1655a00c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KULA5YY0P7N5ON03DDN.temp

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b42bc2b2a2250c4b7523a034d000263

SHA1
39ea31968e67a956e32cd9a0411fec25f1ffc347

SHA256
eb7ddedfed0016284bad16ac18077a106347999eeccc3537012f727ca9349f92

SHA512
8f727822df9fba1ec260ce1286e51fbd3e3620efe8b6effd09e74fa547730135beeb95b4392e4fa5f4a19441f5644bc1807734252aef2262ac788889b6a05d53

Download Submit
C:\Users\Default User\csrss.exe

Filesize
1.1MB

MD5
3d687590f8e9dcf613d5311b0fcc6947

SHA1
42b9cc970baf18b487359d68a8a782059f34f706

SHA256
5f9d63bb8acba2d5611a22f804d2f5a3d7e655dc2e407a0c580f262321301178

SHA512
56f6a6b96fa12f6137ce03a645a7b797643e4416cc1203baaa9683579d58d1dc33bcd982880d5f9c2fdf1fd73966734f1b039733a7ed30a5af7c57b9d25bb28a

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.1MB

MD5
3d687590f8e9dcf613d5311b0fcc6947

SHA1
42b9cc970baf18b487359d68a8a782059f34f706

SHA256
5f9d63bb8acba2d5611a22f804d2f5a3d7e655dc2e407a0c580f262321301178

SHA512
56f6a6b96fa12f6137ce03a645a7b797643e4416cc1203baaa9683579d58d1dc33bcd982880d5f9c2fdf1fd73966734f1b039733a7ed30a5af7c57b9d25bb28a

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.1MB

MD5
3d687590f8e9dcf613d5311b0fcc6947

SHA1
42b9cc970baf18b487359d68a8a782059f34f706

SHA256
5f9d63bb8acba2d5611a22f804d2f5a3d7e655dc2e407a0c580f262321301178

SHA512
56f6a6b96fa12f6137ce03a645a7b797643e4416cc1203baaa9683579d58d1dc33bcd982880d5f9c2fdf1fd73966734f1b039733a7ed30a5af7c57b9d25bb28a

Download Submit
memory/944-198-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

Filesize
412KB

Download
memory/944-218-0x0000000002A44000-0x0000000002A47000-memory.dmp

Filesize
12KB

Download
memory/944-206-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1088-217-0x0000000002B2B000-0x0000000002B92000-memory.dmp

Filesize
412KB

Download
memory/1088-212-0x0000000002B24000-0x0000000002B27000-memory.dmp

Filesize
12KB

Download
memory/1088-199-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1336-238-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1336-241-0x00000000028DB000-0x0000000002942000-memory.dmp

Filesize
412KB

Download
memory/1428-219-0x000000000254B000-0x00000000025B2000-memory.dmp

Filesize
412KB

Download
memory/1428-214-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1428-202-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-232-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-233-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-231-0x00000000025FB000-0x0000000002662000-memory.dmp

Filesize
412KB

Download
memory/1792-234-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1800-204-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-208-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1800-216-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1800-222-0x000000000286B000-0x00000000028D2000-memory.dmp

Filesize
412KB

Download
memory/1800-213-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1800-154-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/1900-237-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-235-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-236-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1900-239-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

Filesize
412KB

Download
memory/1900-242-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1900-240-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1912-207-0x0000000002A94000-0x0000000002A97000-memory.dmp

Filesize
12KB

Download
memory/1912-211-0x0000000002A9B000-0x0000000002B02000-memory.dmp

Filesize
412KB

Download
memory/1912-200-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-229-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1924-226-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-230-0x00000000025EB000-0x0000000002652000-memory.dmp

Filesize
412KB

Download
memory/1924-228-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2404-196-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2404-223-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-225-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2404-227-0x000000000299B000-0x0000000002A02000-memory.dmp

Filesize
412KB

Download
memory/2404-194-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2404-195-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-193-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-153-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/2464-224-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2464-201-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-220-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2464-209-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-197-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2464-221-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2508-113-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2508-4-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2508-1-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-2-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2508-192-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-5-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2508-88-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-8-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2508-0-0x0000000000A20000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2508-7-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2508-6-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2508-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/2748-205-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2748-215-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2748-203-0x000007FEED870000-0x000007FEEE20D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-210-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download