dcrat | 72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a

Analysis

max time kernel
129s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
Size

1.3MB
MD5

22abe89f8f3ac704829c29e7197e0fd2
SHA1

2913dbf57df2a0c2ab5040e2563daa07026a9b68
SHA256

72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a
SHA512

58013ec6b158dc0d403e04e790d17093b48361108e2652f74749dcadab86f3f6f92e63443797dc6918019dcde594e98f36eb346dba449d195fd0b5edcfd5fcb9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4304	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4304	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abee-281.dat	dcrat
behavioral1/files/0x000800000001abee-282.dat	dcrat
behavioral1/memory/3920-283-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac24-606.dat	dcrat
behavioral1/files/0x000600000001ac24-605.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
3920	DllCommonsvc.exe
4036	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\cmd.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4800	schtasks.exe
3944	schtasks.exe
4332	schtasks.exe
3976	schtasks.exe
324	schtasks.exe
3420	schtasks.exe
4504	schtasks.exe
4472	schtasks.exe
544	schtasks.exe
4872	schtasks.exe
4832	schtasks.exe
4752	schtasks.exe
3676	schtasks.exe
3140	schtasks.exe
3844	schtasks.exe
3992	schtasks.exe
4884	schtasks.exe
1452	schtasks.exe
380	schtasks.exe
4844	schtasks.exe
4724	schtasks.exe
4460	schtasks.exe
4792	schtasks.exe
4476	schtasks.exe
4816	schtasks.exe
4916	schtasks.exe
400	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3920	DllCommonsvc.exe
3920	DllCommonsvc.exe
3920	DllCommonsvc.exe
3920	DllCommonsvc.exe
3920	DllCommonsvc.exe
4964	powershell.exe
4868	powershell.exe
1408	powershell.exe
1884	powershell.exe
1148	powershell.exe
1184	powershell.exe
308	powershell.exe
192	powershell.exe
3272	powershell.exe
2792	powershell.exe
1148	powershell.exe
308	powershell.exe
2792	powershell.exe
3272	powershell.exe
4964	powershell.exe
4964	powershell.exe
1148	powershell.exe
1148	powershell.exe
308	powershell.exe
308	powershell.exe
1408	powershell.exe
1408	powershell.exe
1884	powershell.exe
1884	powershell.exe
4868	powershell.exe
4868	powershell.exe
1184	powershell.exe
192	powershell.exe
192	powershell.exe
3272	powershell.exe
3272	powershell.exe
2792	powershell.exe
2792	powershell.exe
4964	powershell.exe
1884	powershell.exe
1408	powershell.exe
4868	powershell.exe
1184	powershell.exe
1184	powershell.exe
192	powershell.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe
4036	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	Idle.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	DllCommonsvc.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	308	powershell.exe
Token: SeSecurityPrivilege	308	powershell.exe
Token: SeTakeOwnershipPrivilege	308	powershell.exe
Token: SeLoadDriverPrivilege	308	powershell.exe
Token: SeSystemProfilePrivilege	308	powershell.exe
Token: SeSystemtimePrivilege	308	powershell.exe
Token: SeProfSingleProcessPrivilege	308	powershell.exe
Token: SeIncBasePriorityPrivilege	308	powershell.exe
Token: SeCreatePagefilePrivilege	308	powershell.exe
Token: SeBackupPrivilege	308	powershell.exe
Token: SeRestorePrivilege	308	powershell.exe
Token: SeShutdownPrivilege	308	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeSystemEnvironmentPrivilege	308	powershell.exe
Token: SeRemoteShutdownPrivilege	308	powershell.exe
Token: SeUndockPrivilege	308	powershell.exe
Token: SeManageVolumePrivilege	308	powershell.exe
Token: 33	308	powershell.exe
Token: 34	308	powershell.exe
Token: 35	308	powershell.exe
Token: 36	308	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	powershell.exe
Token: SeSecurityPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1148	powershell.exe
Token: SeLoadDriverPrivilege	1148	powershell.exe
Token: SeSystemProfilePrivilege	1148	powershell.exe
Token: SeSystemtimePrivilege	1148	powershell.exe
Token: SeProfSingleProcessPrivilege	1148	powershell.exe
Token: SeIncBasePriorityPrivilege	1148	powershell.exe
Token: SeCreatePagefilePrivilege	1148	powershell.exe
Token: SeBackupPrivilege	1148	powershell.exe
Token: SeRestorePrivilege	1148	powershell.exe
Token: SeShutdownPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeSystemEnvironmentPrivilege	1148	powershell.exe
Token: SeRemoteShutdownPrivilege	1148	powershell.exe
Token: SeUndockPrivilege	1148	powershell.exe
Token: SeManageVolumePrivilege	1148	powershell.exe
Token: 33	1148	powershell.exe
Token: 34	1148	powershell.exe
Token: 35	1148	powershell.exe
Token: 36	1148	powershell.exe
Token: SeIncreaseQuotaPrivilege	3272	powershell.exe
Token: SeSecurityPrivilege	3272	powershell.exe
Token: SeTakeOwnershipPrivilege	3272	powershell.exe
Token: SeLoadDriverPrivilege	3272	powershell.exe
Token: SeSystemProfilePrivilege	3272	powershell.exe
Token: SeSystemtimePrivilege	3272	powershell.exe
Token: SeProfSingleProcessPrivilege	3272	powershell.exe
Token: SeIncBasePriorityPrivilege	3272	powershell.exe
Token: SeCreatePagefilePrivilege	3272	powershell.exe
Token: SeBackupPrivilege	3272	powershell.exe
Token: SeRestorePrivilege	3272	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4236	3052	72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe	66
PID 3052 wrote to memory of 4236	3052	72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe	66
PID 3052 wrote to memory of 4236	3052	72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe	66
PID 4236 wrote to memory of 4636	4236	WScript.exe	67
PID 4236 wrote to memory of 4636	4236	WScript.exe	67
PID 4236 wrote to memory of 4636	4236	WScript.exe	67
PID 4636 wrote to memory of 3920	4636	cmd.exe	69
PID 4636 wrote to memory of 3920	4636	cmd.exe	69
PID 3920 wrote to memory of 4964	3920	DllCommonsvc.exe	98
PID 3920 wrote to memory of 4964	3920	DllCommonsvc.exe	98
PID 3920 wrote to memory of 4868	3920	DllCommonsvc.exe	111
PID 3920 wrote to memory of 4868	3920	DllCommonsvc.exe	111
PID 3920 wrote to memory of 1408	3920	DllCommonsvc.exe	99
PID 3920 wrote to memory of 1408	3920	DllCommonsvc.exe	99
PID 3920 wrote to memory of 1884	3920	DllCommonsvc.exe	100
PID 3920 wrote to memory of 1884	3920	DllCommonsvc.exe	100
PID 3920 wrote to memory of 1148	3920	DllCommonsvc.exe	107
PID 3920 wrote to memory of 1148	3920	DllCommonsvc.exe	107
PID 3920 wrote to memory of 1184	3920	DllCommonsvc.exe	102
PID 3920 wrote to memory of 1184	3920	DllCommonsvc.exe	102
PID 3920 wrote to memory of 308	3920	DllCommonsvc.exe	103
PID 3920 wrote to memory of 308	3920	DllCommonsvc.exe	103
PID 3920 wrote to memory of 3272	3920	DllCommonsvc.exe	104
PID 3920 wrote to memory of 3272	3920	DllCommonsvc.exe	104
PID 3920 wrote to memory of 192	3920	DllCommonsvc.exe	112
PID 3920 wrote to memory of 192	3920	DllCommonsvc.exe	112
PID 3920 wrote to memory of 2792	3920	DllCommonsvc.exe	113
PID 3920 wrote to memory of 2792	3920	DllCommonsvc.exe	113
PID 3920 wrote to memory of 4740	3920	DllCommonsvc.exe	118
PID 3920 wrote to memory of 4740	3920	DllCommonsvc.exe	118
PID 4740 wrote to memory of 4576	4740	cmd.exe	120
PID 4740 wrote to memory of 4576	4740	cmd.exe	120
PID 4740 wrote to memory of 4036	4740	cmd.exe	122
PID 4740 wrote to memory of 4036	4740	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
"C:\Users\Admin\AppData\Local\Temp\72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYBQkdjd5v.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4576
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cac58d71553fb5c8fcca2a4d67002929

SHA1
f2382f89fab6bb260924501f2035f1ce5f71c7b9

SHA256
ec4969da8e58d00bb5bf07116a4b7fa4191e2bbfb78282050c6437b83d2f0aed

SHA512
4c8a80b2e068286017cbc33c17bab867272be569a8ef4b1385f37c96e554b1f13a5702ddf697acd45269485539ed98d669cecbc3aa09e32bf32e76458c00e201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07254e3fc3a6900d0dc4dbc16fbbe830

SHA1
d09afdf5beb74c39c33e92e058d29a933c34c905

SHA256
e5c7cf6589d27660c3ebc2b496dd1a3ed9ca0796320ff908816ff65e4f8e3915

SHA512
68fcf859b40d40f1b3f160a1d186f01504540339a76a994a53c3a5df07459b96c9ed9b3f8a9653876b78b7cf3cac9b02f1db9d2649ea0ec9595c594a2fcc4b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac0b8570e487a06c5ca82c83220de58e

SHA1
6783fed755cda3a980bdb940c337e43fdb75c0de

SHA256
3ec7a2a05e8752f84f52cf670c85272d4d6b87d256a70430edf22538199038f5

SHA512
72e002db275cd04a57dcb5270fa05a66441cc0a8d150b75e19e60cb4ebe1e9c84975336764928312ddb235c11913d501293e09fdef21bdac90d471bef52c323f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69637575f793d473810b4b7c17379c9c

SHA1
7f09851085fe4c31324521d115cf4c942ec636ad

SHA256
14a4f27742736e144647c55394c664f8d95797e0deb226ce9c7d6f7949cb96b4

SHA512
33bdcba4da8472cc3688cb4818bf4f1b188e3a99aea1bad24a38547db0551f657fbe12a173ba8220fb45c2e54739fc8633db375353812096e019c35aa5d6e4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
28ebf3e444c8c63dc3864b247a6063a6

SHA1
571d5d042e4e667ec73d51767a4d1b31b2600dce

SHA256
ac173a097847e5b7b272ea237a8caf1109cec2d3fb4ea348172b48a19cca8a8a

SHA512
d0f7dffbe6fe215d1fdb31d5f9b915c8ea65a3b840c7c7e059e7a566f42fc4b93b327e60c300954c6f653212200c7af06baba741750a33c98fa8d439b20d120f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af04c3c58fb2bdff6bd270caf52a2139

SHA1
b6c59986624cc12fd4d702260a152e8d148cf89a

SHA256
85fbb4e1fcabe7758263c5c2aa5fb93bb87ca70dbe4a9aae8c4c8b1d94a39f1a

SHA512
a1de79ea8930c7933c1645323a3fbcc0d524196a49a7d0248d08945fefdf5c96862bbfb4ac04d70477d63f16ae8bf57211d419f978873072504dca47cda5571e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af04c3c58fb2bdff6bd270caf52a2139

SHA1
b6c59986624cc12fd4d702260a152e8d148cf89a

SHA256
85fbb4e1fcabe7758263c5c2aa5fb93bb87ca70dbe4a9aae8c4c8b1d94a39f1a

SHA512
a1de79ea8930c7933c1645323a3fbcc0d524196a49a7d0248d08945fefdf5c96862bbfb4ac04d70477d63f16ae8bf57211d419f978873072504dca47cda5571e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a3053fdf5dbf38e72a700a879328dcf

SHA1
960bc56f195e7e4b884ca38191d30c6c05b7be37

SHA256
6bf95713b41e13ae8bd8365c7bb3a497a01a8af65f02fe358644a67c9f2c8544

SHA512
80325b3b827909768f06458eeccc00d501eaecc35afa3a0db46ac94f3bd9a17b63408a29d2f1b45fc17b4e11306db9c75a0b203045f77aba3aefcc6e83bb8076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a3053fdf5dbf38e72a700a879328dcf

SHA1
960bc56f195e7e4b884ca38191d30c6c05b7be37

SHA256
6bf95713b41e13ae8bd8365c7bb3a497a01a8af65f02fe358644a67c9f2c8544

SHA512
80325b3b827909768f06458eeccc00d501eaecc35afa3a0db46ac94f3bd9a17b63408a29d2f1b45fc17b4e11306db9c75a0b203045f77aba3aefcc6e83bb8076

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYBQkdjd5v.bat

Filesize
227B

MD5
1a72a0ee747b6d2dc84d5c9b6c9bb4c5

SHA1
95e4031920e95d84081e467f13b97ce0c7a0b18c

SHA256
7bc5fb31db47d33f3ac0198cdaebc2e1b8fa414169341433163abc564aa3851a

SHA512
32ae2606c0af25437fff99e6c6702f78209b2bcf778639d834143b15d3f91299c711c31f7a5d5ec291d5ddb87ae05549854a57bd66196e9cf92cace38a194798

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1148-353-0x000001E9F4720000-0x000001E9F4796000-memory.dmp

Filesize
472KB

Download
memory/3052-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-152-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-179-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-180-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3052-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-283-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/3920-287-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/3920-285-0x0000000001500000-0x000000000150C000-memory.dmp

Filesize
48KB

Download
memory/3920-286-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/3920-284-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/4036-618-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/4236-182-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4236-183-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4964-339-0x000002AF5CD80000-0x000002AF5CDA2000-memory.dmp

Filesize
136KB

Download