dcrat | f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70

Analysis

max time kernel
138s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe
Size

1.3MB
MD5

30792b48c912b4213429ec5e9d96b7a0
SHA1

64be8939e9d82ef74141b832a0359a23c085a835
SHA256

f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70
SHA512

d974a6e3474c12f2c117a939961faf8c72ce067e1374800c8f1f374978ad5566e3f4d0326505d6ba43a4abf36b84fa16f917dd449dd3800f0478e16c76421661
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2232	schtasks.exe	70

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac10-284.dat	dcrat
behavioral1/files/0x000800000001ac10-285.dat	dcrat
behavioral1/memory/2112-286-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac10-495.dat	dcrat
behavioral1/files/0x000900000001ac31-654.dat	dcrat
behavioral1/files/0x000900000001ac31-655.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2112	DllCommonsvc.exe
4716	DllCommonsvc.exe
68	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\uninstall\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4416	schtasks.exe
240	schtasks.exe
3988	schtasks.exe
4616	schtasks.exe
4104	schtasks.exe
3588	schtasks.exe
4984	schtasks.exe
2268	schtasks.exe
3244	schtasks.exe
4656	schtasks.exe
4432	schtasks.exe
2292	schtasks.exe
4188	schtasks.exe
4692	schtasks.exe
4680	schtasks.exe
4716	schtasks.exe
4784	schtasks.exe
4420	schtasks.exe
2180	schtasks.exe
4544	schtasks.exe
1316	schtasks.exe
3796	schtasks.exe
2280	schtasks.exe
4624	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2112	DllCommonsvc.exe
3176	powershell.exe
3664	powershell.exe
3664	powershell.exe
4796	powershell.exe
540	powershell.exe
1116	powershell.exe
1116	powershell.exe
1200	powershell.exe
1200	powershell.exe
3176	powershell.exe
4796	powershell.exe
1200	powershell.exe
3664	powershell.exe
1116	powershell.exe
540	powershell.exe
3176	powershell.exe
4796	powershell.exe
540	powershell.exe
4716	DllCommonsvc.exe
3856	powershell.exe
3860	powershell.exe
4940	powershell.exe
4940	powershell.exe
3860	powershell.exe
4300	powershell.exe
4940	powershell.exe
3856	powershell.exe
3860	powershell.exe
4300	powershell.exe
3856	powershell.exe
4300	powershell.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe
68	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
68	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	DllCommonsvc.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeIncreaseQuotaPrivilege	1200	powershell.exe
Token: SeSecurityPrivilege	1200	powershell.exe
Token: SeTakeOwnershipPrivilege	1200	powershell.exe
Token: SeLoadDriverPrivilege	1200	powershell.exe
Token: SeSystemProfilePrivilege	1200	powershell.exe
Token: SeSystemtimePrivilege	1200	powershell.exe
Token: SeProfSingleProcessPrivilege	1200	powershell.exe
Token: SeIncBasePriorityPrivilege	1200	powershell.exe
Token: SeCreatePagefilePrivilege	1200	powershell.exe
Token: SeBackupPrivilege	1200	powershell.exe
Token: SeRestorePrivilege	1200	powershell.exe
Token: SeShutdownPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeSystemEnvironmentPrivilege	1200	powershell.exe
Token: SeRemoteShutdownPrivilege	1200	powershell.exe
Token: SeUndockPrivilege	1200	powershell.exe
Token: SeManageVolumePrivilege	1200	powershell.exe
Token: 33	1200	powershell.exe
Token: 34	1200	powershell.exe
Token: 35	1200	powershell.exe
Token: 36	1200	powershell.exe
Token: SeIncreaseQuotaPrivilege	1116	powershell.exe
Token: SeSecurityPrivilege	1116	powershell.exe
Token: SeTakeOwnershipPrivilege	1116	powershell.exe
Token: SeLoadDriverPrivilege	1116	powershell.exe
Token: SeSystemProfilePrivilege	1116	powershell.exe
Token: SeSystemtimePrivilege	1116	powershell.exe
Token: SeProfSingleProcessPrivilege	1116	powershell.exe
Token: SeIncBasePriorityPrivilege	1116	powershell.exe
Token: SeCreatePagefilePrivilege	1116	powershell.exe
Token: SeBackupPrivilege	1116	powershell.exe
Token: SeRestorePrivilege	1116	powershell.exe
Token: SeShutdownPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeSystemEnvironmentPrivilege	1116	powershell.exe
Token: SeRemoteShutdownPrivilege	1116	powershell.exe
Token: SeUndockPrivilege	1116	powershell.exe
Token: SeManageVolumePrivilege	1116	powershell.exe
Token: 33	1116	powershell.exe
Token: 34	1116	powershell.exe
Token: 35	1116	powershell.exe
Token: 36	1116	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe
Token: SeCreatePagefilePrivilege	3664	powershell.exe
Token: SeBackupPrivilege	3664	powershell.exe
Token: SeRestorePrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeSystemEnvironmentPrivilege	3664	powershell.exe
Token: SeRemoteShutdownPrivilege	3664	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3332	1532	f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe	66
PID 1532 wrote to memory of 3332	1532	f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe	66
PID 1532 wrote to memory of 3332	1532	f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe	66
PID 3332 wrote to memory of 4300	3332	WScript.exe	67
PID 3332 wrote to memory of 4300	3332	WScript.exe	67
PID 3332 wrote to memory of 4300	3332	WScript.exe	67
PID 4300 wrote to memory of 2112	4300	cmd.exe	69
PID 4300 wrote to memory of 2112	4300	cmd.exe	69
PID 2112 wrote to memory of 3664	2112	DllCommonsvc.exe	86
PID 2112 wrote to memory of 3664	2112	DllCommonsvc.exe	86
PID 2112 wrote to memory of 3176	2112	DllCommonsvc.exe	97
PID 2112 wrote to memory of 3176	2112	DllCommonsvc.exe	97
PID 2112 wrote to memory of 4796	2112	DllCommonsvc.exe	96
PID 2112 wrote to memory of 4796	2112	DllCommonsvc.exe	96
PID 2112 wrote to memory of 1116	2112	DllCommonsvc.exe	95
PID 2112 wrote to memory of 1116	2112	DllCommonsvc.exe	95
PID 2112 wrote to memory of 540	2112	DllCommonsvc.exe	90
PID 2112 wrote to memory of 540	2112	DllCommonsvc.exe	90
PID 2112 wrote to memory of 1200	2112	DllCommonsvc.exe	92
PID 2112 wrote to memory of 1200	2112	DllCommonsvc.exe	92
PID 2112 wrote to memory of 204	2112	DllCommonsvc.exe	98
PID 2112 wrote to memory of 204	2112	DllCommonsvc.exe	98
PID 204 wrote to memory of 3472	204	cmd.exe	100
PID 204 wrote to memory of 3472	204	cmd.exe	100
PID 204 wrote to memory of 4716	204	cmd.exe	102
PID 204 wrote to memory of 4716	204	cmd.exe	102
PID 4716 wrote to memory of 3856	4716	DllCommonsvc.exe	112
PID 4716 wrote to memory of 3856	4716	DllCommonsvc.exe	112
PID 4716 wrote to memory of 4940	4716	DllCommonsvc.exe	119
PID 4716 wrote to memory of 4940	4716	DllCommonsvc.exe	119
PID 4716 wrote to memory of 4300	4716	DllCommonsvc.exe	118
PID 4716 wrote to memory of 4300	4716	DllCommonsvc.exe	118
PID 4716 wrote to memory of 3860	4716	DllCommonsvc.exe	117
PID 4716 wrote to memory of 3860	4716	DllCommonsvc.exe	117
PID 4716 wrote to memory of 3560	4716	DllCommonsvc.exe	120
PID 4716 wrote to memory of 3560	4716	DllCommonsvc.exe	120
PID 3560 wrote to memory of 704	3560	cmd.exe	122
PID 3560 wrote to memory of 704	3560	cmd.exe	122
PID 3560 wrote to memory of 68	3560	cmd.exe	123
PID 3560 wrote to memory of 68	3560	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe
"C:\Users\Admin\AppData\Local\Temp\f69b0f6580e0810ca1f34e4e954b0e96cf47cbb1a6e0d6b5498dbfb2b825dc70.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zq1Fy1aHNJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:204
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3472
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XJfMFGF4rs.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:704
        
        C:\Program Files\Mozilla Firefox\uninstall\explorer.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\uninstall\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6c77a89b52a91d9a5943cdcc73ea2b6

SHA1
58c3c3243ec0eeae2c428cf3ea711a7561fd4545

SHA256
7b93d21d57e318e9d5501ea85f3f6111912bf1e21a6cb8cb0cd997078c958a55

SHA512
6df851ebd97420b056255e00fdc2f797f34f8075bab36226b9342e32d53a7c3fb8216d3a79ddea0130e5830b6289376cabd8668e0bad309e00ec8ff01b5765da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0a83f6e45655d06f21e4e2bb5fad5bf

SHA1
378b9a8457520554a760a366fef29d169259e96e

SHA256
2746a0aff175d51ffb274e6eab1c9a0fa49b505642b0ef498c3203ec259f08df

SHA512
80796c8204fefd5d9ea79eb37012069283b89cac0965a6b3193c7acca08cfdf05864f405a2917a9a339bb552ad8415aee764860e172a8a6abc4c3379f79590ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
764520cf3955cacaf41b3ae895722a3b

SHA1
f4e3184d4dd31ee9cfdd4fc601211a123f1d56eb

SHA256
293c219f770dfaaeae310ca4271896edcbb0c557b4dd2dd7f95859a9a3fa2a01

SHA512
9315de9a25d64f455e796694867304833ede0416769b6734feb1b9d712469f2f1b0a7587c9b2d294e66dfe514cb6057e916fb5e175c4c927c812926fcaeafadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
764520cf3955cacaf41b3ae895722a3b

SHA1
f4e3184d4dd31ee9cfdd4fc601211a123f1d56eb

SHA256
293c219f770dfaaeae310ca4271896edcbb0c557b4dd2dd7f95859a9a3fa2a01

SHA512
9315de9a25d64f455e796694867304833ede0416769b6734feb1b9d712469f2f1b0a7587c9b2d294e66dfe514cb6057e916fb5e175c4c927c812926fcaeafadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f7b90e93c2692f8e844c96ea3f3fad32

SHA1
eca94c4f0811b6f2f839babf3aafbda709469fb2

SHA256
0422e9b605827e3f29b77813d428a8f6474c9eba0d143d5e666485eea582f8a9

SHA512
fecc6f7d7cc5024b7288f52ef2f698735513d642c32bc34fdf66bd4b92031818642886505479d54bedb2a356c93a3341f86db3f09705d656e525be62331f3806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31afca4103fccd0ebf62fa203c4bb1e6

SHA1
646890d85ddb89247309e5ef98fc5dc69c7c9bc4

SHA256
de934f4d32fb1cd27e703f1d8fae96169d8b2451a87971066d5cfbd62304ff4b

SHA512
53d289e1a7b8db5123ace63cbb281ffa8f2858babb3df72354328eb2de6cd83f5bb7a51089986f0d44ff621b1cbc511d57d70eeff701658a24352d1dbc2db794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf44e1f2adca83d8ced85b58f28b9dbb

SHA1
d7dee434a321174aab79f60749109c7a902e23f0

SHA256
91104cb3a78bcc3ae486f98031122bf4d482cfef66239c8fbf5c598b2d945432

SHA512
4fb7b3676508e54541b6b8e12cdfddeee12dd31656dcb00e8f567cf7da50ba26fa52b44de4f98fa9034df00015f8685656baf8ddc6c0a9fca07e2a91a8be0f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJfMFGF4rs.bat

Filesize
220B

MD5
1785e8d2becd48fe2d7e5556c3a583fb

SHA1
c5042d42e842055412acced3c2ef698ae4a20faa

SHA256
7ed4b49a6056287c57b41d1e8a517b898c305a8f7ec5bdca946116a7cf7fd519

SHA512
0267f5f2c42a84f857a712647caf9cc4396b68a5637dd17b89915c7b7b9b46c0c475303d4fec42008a528b0d89cd4d9824640a058a4c59da90e88c21645c2ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zq1Fy1aHNJ.bat

Filesize
199B

MD5
88e5b306242713e990fe768354de76dd

SHA1
773583f4bab6e095bdf9b0b7e2976a2796dde01b

SHA256
3ff6e25b65e1a6d375c8d1697b53baee3204d6aa27b713dee766dc224ed7c9d9

SHA512
82f6b8c9ca6e6e86df69f05accad8dc47f3ba71dbea82a9b597807647abf6c530b00545c2ba17c95f0e8d5eb9308d7073970171a2fe7a0fa2439be466a1f3d71

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/68-656-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1532-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-146-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-152-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-153-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-155-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-157-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-158-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-159-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-160-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-161-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-166-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-167-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-168-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-176-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-120-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-179-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-180-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-183-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-121-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-122-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-123-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-126-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-147-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-128-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-129-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-130-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-131-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-132-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-133-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-145-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-144-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-142-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-138-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-135-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-139-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2112-290-0x0000000002A50000-0x0000000002A5C000-memory.dmp

Filesize
48KB

Download
memory/2112-286-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-287-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/2112-288-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/2112-289-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/3332-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3332-186-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3664-322-0x0000027BBE3E0000-0x0000027BBE402000-memory.dmp

Filesize
136KB

Download
memory/3664-331-0x0000027BBE590000-0x0000027BBE606000-memory.dmp

Filesize
472KB

Download
memory/4716-498-0x0000000001860000-0x0000000001872000-memory.dmp

Filesize
72KB

Download