dcrat | 4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b

Analysis

max time kernel
179s
max time network
183s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
Size

1.3MB
MD5

ca3ac46b4772a1a78cb4a52e5f49521e
SHA1

3bc93ae4f50a8a54e38847e43de5c352ff023b41
SHA256

4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b
SHA512

70d04811fead8120c65a7b4be94e80d80a81e1d66d2cdb0eee2ef4452efab98ff51efad24a6048eda48b759a70c02d9ef3fa7790078e45a60fdd1f5c0ebabaa8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4236	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4236	schtasks.exe	70

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac1d-280.dat	dcrat
behavioral1/files/0x000600000001ac1d-281.dat	dcrat
behavioral1/memory/4892-282-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac21-546.dat	dcrat
behavioral1/files/0x000600000001ac21-547.dat	dcrat
behavioral1/files/0x000600000001ac21-622.dat	dcrat
behavioral1/files/0x000600000001ac21-629.dat	dcrat

Executes dropped EXE 4 IoCs

pid	Process
4892	DllCommonsvc.exe
5024	lsass.exe
3964	lsass.exe
3948	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Java\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\Offline\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\Offline\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.UI.Shell\pris\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\pris\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4576	schtasks.exe
4480	schtasks.exe
4408	schtasks.exe
5012	schtasks.exe
5016	schtasks.exe
4932	schtasks.exe
5052	schtasks.exe
4904	schtasks.exe
580	schtasks.exe
500	schtasks.exe
1632	schtasks.exe
4584	schtasks.exe
4628	schtasks.exe
4444	schtasks.exe
4460	schtasks.exe
4360	schtasks.exe
1596	schtasks.exe
1484	schtasks.exe
1200	schtasks.exe
1432	schtasks.exe
1380	schtasks.exe
1244	schtasks.exe
4464	schtasks.exe
840	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4892	DllCommonsvc.exe
2204	powershell.exe
2204	powershell.exe
808	powershell.exe
808	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
808	powershell.exe
2204	powershell.exe
4640	powershell.exe
4640	powershell.exe
3336	powershell.exe
3336	powershell.exe
216	powershell.exe
216	powershell.exe
3048	powershell.exe
3048	powershell.exe
3336	powershell.exe
216	powershell.exe
3048	powershell.exe
2376	powershell.exe
2376	powershell.exe
2372	powershell.exe
2372	powershell.exe
4640	powershell.exe
2376	powershell.exe
2372	powershell.exe
2372	powershell.exe
4648	powershell.exe
4640	powershell.exe
3336	powershell.exe
2204	powershell.exe
2376	powershell.exe
216	powershell.exe
3048	powershell.exe
808	powershell.exe
5024	lsass.exe
5024	lsass.exe
3964	lsass.exe
3948	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	DllCommonsvc.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	5024	lsass.exe
Token: SeIncreaseQuotaPrivilege	216	powershell.exe
Token: SeSecurityPrivilege	216	powershell.exe
Token: SeTakeOwnershipPrivilege	216	powershell.exe
Token: SeLoadDriverPrivilege	216	powershell.exe
Token: SeSystemProfilePrivilege	216	powershell.exe
Token: SeSystemtimePrivilege	216	powershell.exe
Token: SeProfSingleProcessPrivilege	216	powershell.exe
Token: SeIncBasePriorityPrivilege	216	powershell.exe
Token: SeCreatePagefilePrivilege	216	powershell.exe
Token: SeBackupPrivilege	216	powershell.exe
Token: SeRestorePrivilege	216	powershell.exe
Token: SeShutdownPrivilege	216	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeSystemEnvironmentPrivilege	216	powershell.exe
Token: SeRemoteShutdownPrivilege	216	powershell.exe
Token: SeUndockPrivilege	216	powershell.exe
Token: SeManageVolumePrivilege	216	powershell.exe
Token: 33	216	powershell.exe
Token: 34	216	powershell.exe
Token: 35	216	powershell.exe
Token: 36	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	3048	powershell.exe
Token: SeSecurityPrivilege	3048	powershell.exe
Token: SeTakeOwnershipPrivilege	3048	powershell.exe
Token: SeLoadDriverPrivilege	3048	powershell.exe
Token: SeSystemProfilePrivilege	3048	powershell.exe
Token: SeSystemtimePrivilege	3048	powershell.exe
Token: SeProfSingleProcessPrivilege	3048	powershell.exe
Token: SeIncBasePriorityPrivilege	3048	powershell.exe
Token: SeCreatePagefilePrivilege	3048	powershell.exe
Token: SeBackupPrivilege	3048	powershell.exe
Token: SeRestorePrivilege	3048	powershell.exe
Token: SeShutdownPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeSystemEnvironmentPrivilege	3048	powershell.exe
Token: SeRemoteShutdownPrivilege	3048	powershell.exe
Token: SeUndockPrivilege	3048	powershell.exe
Token: SeManageVolumePrivilege	3048	powershell.exe
Token: 33	3048	powershell.exe
Token: 34	3048	powershell.exe
Token: 35	3048	powershell.exe
Token: 36	3048	powershell.exe
Token: SeIncreaseQuotaPrivilege	2372	powershell.exe
Token: SeSecurityPrivilege	2372	powershell.exe
Token: SeTakeOwnershipPrivilege	2372	powershell.exe
Token: SeLoadDriverPrivilege	2372	powershell.exe
Token: SeSystemProfilePrivilege	2372	powershell.exe
Token: SeSystemtimePrivilege	2372	powershell.exe
Token: SeProfSingleProcessPrivilege	2372	powershell.exe
Token: SeIncBasePriorityPrivilege	2372	powershell.exe
Token: SeCreatePagefilePrivilege	2372	powershell.exe
Token: SeBackupPrivilege	2372	powershell.exe
Token: SeRestorePrivilege	2372	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1080	4708	4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	66
PID 4708 wrote to memory of 1080	4708	4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	66
PID 4708 wrote to memory of 1080	4708	4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	66
PID 1080 wrote to memory of 4964	1080	WScript.exe	67
PID 1080 wrote to memory of 4964	1080	WScript.exe	67
PID 1080 wrote to memory of 4964	1080	WScript.exe	67
PID 4964 wrote to memory of 4892	4964	cmd.exe	69
PID 4964 wrote to memory of 4892	4964	cmd.exe	69
PID 4892 wrote to memory of 2204	4892	DllCommonsvc.exe	95
PID 4892 wrote to memory of 2204	4892	DllCommonsvc.exe	95
PID 4892 wrote to memory of 808	4892	DllCommonsvc.exe	97
PID 4892 wrote to memory of 808	4892	DllCommonsvc.exe	97
PID 4892 wrote to memory of 4648	4892	DllCommonsvc.exe	98
PID 4892 wrote to memory of 4648	4892	DllCommonsvc.exe	98
PID 4892 wrote to memory of 4640	4892	DllCommonsvc.exe	99
PID 4892 wrote to memory of 4640	4892	DllCommonsvc.exe	99
PID 4892 wrote to memory of 3336	4892	DllCommonsvc.exe	101
PID 4892 wrote to memory of 3336	4892	DllCommonsvc.exe	101
PID 4892 wrote to memory of 216	4892	DllCommonsvc.exe	104
PID 4892 wrote to memory of 216	4892	DllCommonsvc.exe	104
PID 4892 wrote to memory of 3048	4892	DllCommonsvc.exe	105
PID 4892 wrote to memory of 3048	4892	DllCommonsvc.exe	105
PID 4892 wrote to memory of 2372	4892	DllCommonsvc.exe	106
PID 4892 wrote to memory of 2372	4892	DllCommonsvc.exe	106
PID 4892 wrote to memory of 2376	4892	DllCommonsvc.exe	107
PID 4892 wrote to memory of 2376	4892	DllCommonsvc.exe	107
PID 4892 wrote to memory of 428	4892	DllCommonsvc.exe	113
PID 4892 wrote to memory of 428	4892	DllCommonsvc.exe	113
PID 428 wrote to memory of 1080	428	cmd.exe	115
PID 428 wrote to memory of 1080	428	cmd.exe	115
PID 428 wrote to memory of 5024	428	cmd.exe	116
PID 428 wrote to memory of 5024	428	cmd.exe	116
PID 5024 wrote to memory of 3204	5024	lsass.exe	118
PID 5024 wrote to memory of 3204	5024	lsass.exe	118
PID 3204 wrote to memory of 736	3204	cmd.exe	120
PID 3204 wrote to memory of 736	3204	cmd.exe	120
PID 3204 wrote to memory of 3964	3204	cmd.exe	121
PID 3204 wrote to memory of 3964	3204	cmd.exe	121
PID 3964 wrote to memory of 1484	3964	lsass.exe	123
PID 3964 wrote to memory of 1484	3964	lsass.exe	123
PID 1484 wrote to memory of 4468	1484	cmd.exe	124
PID 1484 wrote to memory of 4468	1484	cmd.exe	124
PID 1484 wrote to memory of 3948	1484	cmd.exe	125
PID 1484 wrote to memory of 3948	1484	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
"C:\Users\Admin\AppData\Local\Temp\4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\Offline\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.Shell\pris\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3uQLPOrM4z.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1080
      - C:\Windows\DigitalLocker\en-US\lsass.exe
        
        "C:\Windows\DigitalLocker\en-US\lsass.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:736
        
        C:\Windows\DigitalLocker\en-US\lsass.exe
        
        "C:\Windows\DigitalLocker\en-US\lsass.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4468
        
        C:\Windows\DigitalLocker\en-US\lsass.exe
        
        "C:\Windows\DigitalLocker\en-US\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\Offline\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\Offline\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
245acaf788170370565db40a23672605

SHA1
d20693068b709bdd1d319caf92332f77a07d9dba

SHA256
6c589c3b27c4af33ce97f29491e1861d106d3b3d1acf225ab398ffbc67fafc3f

SHA512
6268f82a032c07e50a40e50fb431b7d19e482f052c11cc1dcdfe9f04b36af67d00bd7c85eb99c4c03bc5700ab632dc04c04bf936b2f6f69177ac16adb450759e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
245acaf788170370565db40a23672605

SHA1
d20693068b709bdd1d319caf92332f77a07d9dba

SHA256
6c589c3b27c4af33ce97f29491e1861d106d3b3d1acf225ab398ffbc67fafc3f

SHA512
6268f82a032c07e50a40e50fb431b7d19e482f052c11cc1dcdfe9f04b36af67d00bd7c85eb99c4c03bc5700ab632dc04c04bf936b2f6f69177ac16adb450759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3uQLPOrM4z.bat

Filesize
205B

MD5
45296b1d232f5ed83f189af1ba60747c

SHA1
dba1f14e2bca85e0a22d6f80f03b17d7674f0eb6

SHA256
245d5f8b8dca4676f963f8162465ea1a7980fa87824f6e0f0c886c420c5addc2

SHA512
072d5e4962ba254eefc7d8e4a5b1fb4d2ee9e0e72737ad0fe297092ce240fa6f920a5550a267858ccb94efcb0f7d45670f4a87fe6dc9c585003a2fc8a2694c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
205B

MD5
15a9442583a792a0be0e04b33b51ab89

SHA1
45c9408297a47198273a295059ef5438fb8ad67d

SHA256
e75594bc8b8b8c2367b760f809f3458a9f22aa9ae063c56dec15dc8694c272f0

SHA512
ee3cae9eb4cb4ad9b3d554ecaac8d887c4b118d8a24444b6872c5327db8941a80bc4cb8d0113394aaf2b0a07f4bb27718dccd7b0f4130fe7252a3471793469ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
205B

MD5
2c1de5e3ad8e8604ca7d7e930d8b01ae

SHA1
e932f18b200b43380fbcaee042152b6c114a6683

SHA256
0382d7a24029164782d6b90b3e06e687e06fc10bfc89d7862e62a8ab9476b6e2

SHA512
59324d66ef01abd79a237feaf38f3f983c167fc1f9d3976f4fb2c5d097c80febe6334da3ed2def6413a7c9e407d6c596e286ef9621af11a34fdb92d7ccc7c379

Download Submit
C:\Windows\DigitalLocker\en-US\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\DigitalLocker\en-US\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\DigitalLocker\en-US\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\DigitalLocker\en-US\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1080-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1080-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-332-0x00000227C26A0000-0x00000227C26C2000-memory.dmp

Filesize
136KB

Download
memory/3964-624-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/4640-362-0x0000021DE5730000-0x0000021DE57A6000-memory.dmp

Filesize
472KB

Download
memory/4708-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4892-286-0x00000000030B0000-0x00000000030BC000-memory.dmp

Filesize
48KB

Download
memory/4892-285-0x00000000030A0000-0x00000000030AC000-memory.dmp

Filesize
48KB

Download
memory/4892-284-0x00000000030C0000-0x00000000030CC000-memory.dmp

Filesize
48KB

Download
memory/4892-283-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/4892-282-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/5024-558-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download