dcrat | 3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
Size

1.6MB
MD5

13a9fe232c423531f428e7ebf5bcc3ce
SHA1

7940d3296d943f8f54e6d2e58982812de6f66a79
SHA256

3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3
SHA512

ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5
SSDEEP

24576:Dl2UpmjCMYU6XtQCBRSybXZgRRNsSSzUcYUHcAtRTjeXRE7QSvMllsWH4Xsmnobb:BdtdQCBRZX3HYUPtRTjmcQSTWH4Xshb

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2144	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2144	schtasks.exe	31

Executes dropped EXE 16 IoCs

pid	Process
2388	lsass.exe
1308	lsass.exe
1704	lsass.exe
1000	lsass.exe
2808	lsass.exe
2892	lsass.exe
2712	lsass.exe
2236	lsass.exe
2936	lsass.exe
1672	lsass.exe
2912	lsass.exe
884	lsass.exe
2752	lsass.exe
2884	lsass.exe
2664	lsass.exe
1912	lsass.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\OSPPSVC.exe	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\1610b97d3ab4a7	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\WMIADAP.exe	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
File created	C:\Windows\Tasks\75a57c1bdf437c	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
File created	C:\Windows\debug\lsass.exe	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
File created	C:\Windows\debug\6203df4a6bafc7	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
File created	C:\Windows\Tasks\WMIADAP.exe	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2440	PING.EXE
1840	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2440	PING.EXE
1840	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe
1620	schtasks.exe
2616	schtasks.exe
2596	schtasks.exe
1888	schtasks.exe
2760	schtasks.exe
2892	schtasks.exe
1616	schtasks.exe
1596	schtasks.exe
2828	schtasks.exe
2560	schtasks.exe
2620	schtasks.exe
2152	schtasks.exe
644	schtasks.exe
2424	schtasks.exe
2860	schtasks.exe
2236	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
2388	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1308	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1704	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
Token: SeDebugPrivilege	2388	lsass.exe
Token: SeDebugPrivilege	1308	lsass.exe
Token: SeDebugPrivilege	1704	lsass.exe
Token: SeDebugPrivilege	1000	lsass.exe
Token: SeDebugPrivilege	2808	lsass.exe
Token: SeDebugPrivilege	2892	lsass.exe
Token: SeDebugPrivilege	2712	lsass.exe
Token: SeDebugPrivilege	2236	lsass.exe
Token: SeDebugPrivilege	2936	lsass.exe
Token: SeDebugPrivilege	1672	lsass.exe
Token: SeDebugPrivilege	2912	lsass.exe
Token: SeDebugPrivilege	884	lsass.exe
Token: SeDebugPrivilege	2752	lsass.exe
Token: SeDebugPrivilege	2884	lsass.exe
Token: SeDebugPrivilege	2664	lsass.exe
Token: SeDebugPrivilege	1912	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2008	2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe	50
PID 2084 wrote to memory of 2008	2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe	50
PID 2084 wrote to memory of 2008	2084	3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe	50
PID 2008 wrote to memory of 2104	2008	cmd.exe	52
PID 2008 wrote to memory of 2104	2008	cmd.exe	52
PID 2008 wrote to memory of 2104	2008	cmd.exe	52
PID 2008 wrote to memory of 2148	2008	cmd.exe	53
PID 2008 wrote to memory of 2148	2008	cmd.exe	53
PID 2008 wrote to memory of 2148	2008	cmd.exe	53
PID 2008 wrote to memory of 2388	2008	cmd.exe	54
PID 2008 wrote to memory of 2388	2008	cmd.exe	54
PID 2008 wrote to memory of 2388	2008	cmd.exe	54
PID 2388 wrote to memory of 1916	2388	lsass.exe	55
PID 2388 wrote to memory of 1916	2388	lsass.exe	55
PID 2388 wrote to memory of 1916	2388	lsass.exe	55
PID 1916 wrote to memory of 696	1916	cmd.exe	57
PID 1916 wrote to memory of 696	1916	cmd.exe	57
PID 1916 wrote to memory of 696	1916	cmd.exe	57
PID 1916 wrote to memory of 828	1916	cmd.exe	58
PID 1916 wrote to memory of 828	1916	cmd.exe	58
PID 1916 wrote to memory of 828	1916	cmd.exe	58
PID 1916 wrote to memory of 1308	1916	cmd.exe	59
PID 1916 wrote to memory of 1308	1916	cmd.exe	59
PID 1916 wrote to memory of 1308	1916	cmd.exe	59
PID 1308 wrote to memory of 2016	1308	lsass.exe	60
PID 1308 wrote to memory of 2016	1308	lsass.exe	60
PID 1308 wrote to memory of 2016	1308	lsass.exe	60
PID 2016 wrote to memory of 2112	2016	cmd.exe	62
PID 2016 wrote to memory of 2112	2016	cmd.exe	62
PID 2016 wrote to memory of 2112	2016	cmd.exe	62
PID 2016 wrote to memory of 1468	2016	cmd.exe	63
PID 2016 wrote to memory of 1468	2016	cmd.exe	63
PID 2016 wrote to memory of 1468	2016	cmd.exe	63
PID 2016 wrote to memory of 1704	2016	cmd.exe	64
PID 2016 wrote to memory of 1704	2016	cmd.exe	64
PID 2016 wrote to memory of 1704	2016	cmd.exe	64
PID 1704 wrote to memory of 2508	1704	lsass.exe	65
PID 1704 wrote to memory of 2508	1704	lsass.exe	65
PID 1704 wrote to memory of 2508	1704	lsass.exe	65
PID 2508 wrote to memory of 1952	2508	cmd.exe	67
PID 2508 wrote to memory of 1952	2508	cmd.exe	67
PID 2508 wrote to memory of 1952	2508	cmd.exe	67
PID 2508 wrote to memory of 3028	2508	cmd.exe	68
PID 2508 wrote to memory of 3028	2508	cmd.exe	68
PID 2508 wrote to memory of 3028	2508	cmd.exe	68
PID 2508 wrote to memory of 1000	2508	cmd.exe	69
PID 2508 wrote to memory of 1000	2508	cmd.exe	69
PID 2508 wrote to memory of 1000	2508	cmd.exe	69
PID 1000 wrote to memory of 3024	1000	lsass.exe	70
PID 1000 wrote to memory of 3024	1000	lsass.exe	70
PID 1000 wrote to memory of 3024	1000	lsass.exe	70
PID 3024 wrote to memory of 1640	3024	cmd.exe	72
PID 3024 wrote to memory of 1640	3024	cmd.exe	72
PID 3024 wrote to memory of 1640	3024	cmd.exe	72
PID 3024 wrote to memory of 1768	3024	cmd.exe	73
PID 3024 wrote to memory of 1768	3024	cmd.exe	73
PID 3024 wrote to memory of 1768	3024	cmd.exe	73
PID 3024 wrote to memory of 2808	3024	cmd.exe	74
PID 3024 wrote to memory of 2808	3024	cmd.exe	74
PID 3024 wrote to memory of 2808	3024	cmd.exe	74
PID 2808 wrote to memory of 1564	2808	lsass.exe	75
PID 2808 wrote to memory of 1564	2808	lsass.exe	75
PID 2808 wrote to memory of 1564	2808	lsass.exe	75
PID 1564 wrote to memory of 2156	1564	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\egjIRj3ANc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2104
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2148
- - C:\Windows\debug\lsass.exe
    "C:\Windows\debug\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:696
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:828
    - - C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ub5pO60uUj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1468
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dl1lNRuX9F.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3028
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1768
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2440
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"
        14⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2132
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6gfTO1Diev.bat"
        16⤵
        
        PID:664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1228
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVjCyjlRMB.bat"
        18⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:908
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
        20⤵
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2500
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat"
        22⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2172
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dlM0lquDlv.bat"
        24⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1840
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aTXMUe3k.bat"
        26⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2552
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat"
        28⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2812
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        30⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1964
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U6Y6MWxFQU.bat"
        32⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2580
        
        C:\Windows\debug\lsass.exe
        
        "C:\Windows\debug\lsass.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k4B7WkvJxo.bat"
        34⤵
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Tasks\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a33" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a33" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat

Filesize
202B

MD5
2ea906a99206e6aa07e6d74e5a40188d

SHA1
7ad7a290e59f49166ab666dbe0e12bebcbfc4c22

SHA256
7938b12fa5fdc03ea782d45ad4bab981228266f61c8dd8e7fad83fde3fe53949

SHA512
77bc3431d87bdada5407624ea11c3cbe04424220ddacef0f02892bb78e15447b631a271d141489bda893882555f057f63a68c6aae6e4b26d570e6acd1d442a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat

Filesize
202B

MD5
ceb21679d7837b233a4a2a7298cf5671

SHA1
b7cfa3f39ac9801e454e0e896503eab937425466

SHA256
3bf1d1abb874be7771d97107e5331993850f36642b6075dd27dc2bea4c89b929

SHA512
1d8337325dfcca44bd5c341fbfa850b6f4e021db91d85349d75c3d44bdfa2586463b7020d3c786a6d17290b766361f943abb432090f66329630f23158a18a4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6gfTO1Diev.bat

Filesize
202B

MD5
f349acf674c6c8a0c35fbd82ebf1c719

SHA1
440b5fc55bf92b5d9102cec2ae118c005fc83420

SHA256
d5b27580bcd6b9327f43640027d7d2f373f8c50e6fabd0b7c3df319533aa9f94

SHA512
d928331d0d435826234f90ce3ca2bb4b1a42320df016ebad267db56c533c628082e50ccc1ce106136e16d3011332645ca5e9ac4510a64bf09b2c05af5dc64337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dl1lNRuX9F.bat

Filesize
202B

MD5
7138321c1d5fa3bfc8f374103ea3e0b4

SHA1
aa83b6e853b3b17cef4e3fe70bfe26fe39d48d36

SHA256
a7ee866ca139fd7d661ecf6cb508bdcd79be8c87133f0d69f3a92e8bdf2ac971

SHA512
9cc940d819bf79064adf8e67e9c6b2eefe344d4be4edfc5961ae860f6031d452f444b7dae222fd7fec28f40f0c4bcd632d6c50222243f925ab8e2926cccb1d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aTXMUe3k.bat

Filesize
202B

MD5
3fd4f772b2976519534927fd9ea27b54

SHA1
25b1cb8d885b8fa669f6abc5637d74b368fa177f

SHA256
d4dfd6d82e1e1f30d1abc85f2e822bce53f578ff40861e8ba477679d24305e32

SHA512
780874e6804c68f8c905c00ac977dbbc70eab1b1dce8f091bb5f4834dcaef88000e7bbd7420a4a414d676189f60b7eff0c9f80b3fad9694158a9d03d6b199e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat

Filesize
202B

MD5
bf1597dc2c17970e7970bd7afe2868ee

SHA1
b4f52a4d4fbed085159e8c1aade9afa5bc35b764

SHA256
3db5c7956d6ee1426d70f16cc72a6d70d54f77f8ff585c9f5effac3469923545

SHA512
4237b9564bd40766c06a32ca91d993c5c72db70438ecb219e2d8004f1b8dd0dfa07a09e3bea8b28e385567f2b0cce32cbc8d44c926cc46b98dcfecd7cd0d9e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat

Filesize
202B

MD5
b8a81c4f1b7f11ceceff683c4e574597

SHA1
9f168117af45bfd6d4b3fcdb47d7f6e4615c873c

SHA256
3e2ab0ddca1204a33d77d4ca5dd4e6a8aec67e38471e04d0b8e7494d11b2ead7

SHA512
275956fdd44d0d3d1eeb45f84ae7882748ff6ecd5a6e790dad54429c0462295e2e71633e9be88a2112ca33dfecfae8207e25830af88aa7f15f714da25ca21291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat

Filesize
202B

MD5
e7d46ab835d9273da75929c9adbae139

SHA1
2c74c6299876491c4cdce0db039d1c169290cae2

SHA256
5e1e9e6500a27dfb8b11c6ad2bf538a08e75be27e231d21557e25c196e55fb5d

SHA512
3d030d7e455bfb181101f67a394e6ab475601b9b6db28fd0781b846dc853a94c68e5e1ba29eb5030ac74c244f8519910387309d4031ba6ea434bae8491a4695c

Download Submit
C:\Users\Admin\AppData\Local\Temp\U6Y6MWxFQU.bat

Filesize
202B

MD5
696bdd967a891c7786f709bacfc7e40c

SHA1
94ff90a47068218c7fe1e6193307521362be84c8

SHA256
03fb16bf098fc62e821c70d01101318c151d73db397ee4d0e138608c418bd5a4

SHA512
79cab5cb95ed7d0fd28ffbb1fe6b9fe4fe6c816d17fa7fee4c6002ddbd1ffc82e01b184381770ebacf51571784a146e512a94f0937029976b9d8e2b64270b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVjCyjlRMB.bat

Filesize
202B

MD5
89231d2456fc80c4a78f3ae00a6de4c8

SHA1
5fdf4e8a884fac97baae46e6c229276ddbe50bea

SHA256
28e85626ccd382c9634d0bf0e7e923675ffb018a33f35cecd43b78d90fbd8458

SHA512
8ebd38a5bd602514b011a6ca99ac4d611c5bd4a622eeba76ae45fa9599824a56ed8af08fbad49e9b5384af3f6f1ce3f3f009bfac0b552dca3dc26065ae764fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ub5pO60uUj.bat

Filesize
202B

MD5
05e2c38b05b72496ef2acf6728bd1d49

SHA1
06f9111a0f8c5cf006b2e67fca0694c73ff7644c

SHA256
5da77f4c3e9a73d26afd6651e1467bf1f8104eea2f59d34f62a0e789f4a61d17

SHA512
0771526e2ca576abba8da69c9f8cb7d9143d77de07c23b68d40fdc79f540a8227c8fb28e8657533e1f8d5a92bb6b8f64533e113aea77939010a5a6014eeb3cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat

Filesize
202B

MD5
5082430423d6a52017bcdb477d45fe2a

SHA1
f996581a0c2dd1a018d97ff242a95782fbaadd4c

SHA256
c6b7de5742b7ef60556f95d81cb06159452cc16746348e50631e930d5a56bb96

SHA512
ee7820d0f47782d9639ab772f674b15a7f58ea13f1c8ae4ee43e38856f748705e0e334b415bb244dd4f39a0eb1666eec62679de5f818a453993473a67656a4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlM0lquDlv.bat

Filesize
154B

MD5
08c26282ca04066a623c0ea73d322d4e

SHA1
e873d5181c803a1ddb6a149aa079917912445a95

SHA256
404a0facaab29713c45d6462a95da6ac441b231a7794944d6b48121a8e459ce5

SHA512
14d853ae1a50559f2c8f430922c4dfe537f3ff1640a8c4d2ac80741c3d1a68dfadee491b315de5ef9334c703a99a3fc34d23b8c7b3298652ab09b613492456ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
202B

MD5
44d5d01ee8708748dcd09946be163bf5

SHA1
c7685929523740b67653ba9a4526357280a38b64

SHA256
51e79e51adeb47489808adc9fec707a8a176e0cd7541f386722e0b14df79eea8

SHA512
0ecb48f0d5596a8aafa5c4d1bfe6e1e6b2186e3b844285214162108807cbb6bfe9afb2527fc54103997ff740ddd6bab13e1ba62855a436d7d1f221686bbbde7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\egjIRj3ANc.bat

Filesize
202B

MD5
018a6f27d1a6a274cd1378a9e8d6a3d5

SHA1
205991aa65a091c656a9a93787eb2f4f10f4dff7

SHA256
e6c4dc90d3e59f26edb8b137d3eef8315c371177f9fe12afb84f1bc1d5d5348d

SHA512
90effb9e0a14e58b2f049371ead539037843908317863f9cad8046f92d6127190360b28d0d4ef45fa7070a16366915effe505aa9e6d5f6a57d31528ce7f19905

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4B7WkvJxo.bat

Filesize
202B

MD5
bf71c2b612abd18de4a76a59ecc18e92

SHA1
7eb852438deafb786f53431289eeaf84026cf12c

SHA256
9b79c89a9272e6c9a4beb8d5ed888885538033112b0d1a3d0b5699c6e3d88c40

SHA512
b21742443231fa1927a331dc4b6490fdc1344d1fd6797bd584979e816cddf52dc105818f6d4be1ffb35aab1a5a082510912e900a26b0a3b8ad8e855c6608a30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
154B

MD5
3993a8722a1701000ff2c92afc45319f

SHA1
9c570e821addf2b6a1aecbe1302685b0a32e671e

SHA256
a72ead029a951c7b5ca324b4c1fbd05da97c4780146f0ec01e8baac5d40ab8fc

SHA512
6fe224323992e0ed3b958758d8e4b9d2caec71c17c1737c7f3c852c6ee7452aba41f12b6f7f9d6abb33ee49bdf6e16547ad80e8c0f9ee27fae34db4b60975c36

Download Submit
C:\Windows\debug\lsass.exe

Filesize
1.6MB

MD5
13a9fe232c423531f428e7ebf5bcc3ce

SHA1
7940d3296d943f8f54e6d2e58982812de6f66a79

SHA256
3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3

SHA512
ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5

Download Submit
memory/1308-36-0x0000000000CE0000-0x0000000000E82000-memory.dmp

Filesize
1.6MB

Download
memory/1672-97-0x0000000000C90000-0x0000000000E32000-memory.dmp

Filesize
1.6MB

Download
memory/2084-1-0x0000000000C40000-0x0000000000DE2000-memory.dmp

Filesize
1.6MB

Download
memory/2084-6-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2084-9-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-3-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-4-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-24-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2084-8-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-28-0x00000000003C0000-0x0000000000562000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x0000000001290000-0x0000000001432000-memory.dmp

Filesize
1.6MB

Download
memory/2808-58-0x0000000001120000-0x00000000012C2000-memory.dmp

Filesize
1.6MB

Download
memory/2912-106-0x00000000010E0000-0x0000000001282000-memory.dmp

Filesize
1.6MB

Download
memory/2936-89-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download