dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
0s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1180	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1180	schtasks.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
behavioral11/memory/1988-65-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral11/memory/2884-105-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe	dcrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2272	schtasks.exe
2248	schtasks.exe
1212	schtasks.exe
1112	schtasks.exe
1008	schtasks.exe
1672	schtasks.exe
332	schtasks.exe
1664	schtasks.exe
1520	schtasks.exe
1168	schtasks.exe
2316	schtasks.exe
2292	schtasks.exe
2228	schtasks.exe
1972	schtasks.exe
1700	schtasks.exe
1248	schtasks.exe
856	schtasks.exe
1688	schtasks.exe
684	schtasks.exe
2332	schtasks.exe
2160	schtasks.exe
1656	schtasks.exe
1428	schtasks.exe
2092	schtasks.exe
1544	schtasks.exe
1732	schtasks.exe
1144	schtasks.exe
2132	schtasks.exe
2204	schtasks.exe
2108	schtasks.exe
1576	schtasks.exe
1828	schtasks.exe
840	schtasks.exe
2068	schtasks.exe
1980	schtasks.exe
1888	schtasks.exe
620	schtasks.exe
1128	schtasks.exe
2176	schtasks.exe
2032	schtasks.exe
900	schtasks.exe
1724	schtasks.exe
1620	schtasks.exe
1644	schtasks.exe
1736	schtasks.exe
688	schtasks.exe
1880	schtasks.exe
824	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
PID:1904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
PID:2040

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'
5⤵
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
5⤵
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
5⤵
PID:2808

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe
"C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe"
5⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
6⤵
PID:2652

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1496

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe
"C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe"
7⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
5⤵
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'
5⤵
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'
5⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
5⤵
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Idle.exe'
5⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'
5⤵
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'
5⤵
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\cmd.exe'
5⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
5⤵
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\winlogon.exe'
5⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
5⤵
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'
5⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
5⤵
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe
Filesize
320KB

MD5
3f9a956b946af71376afda8248756045

SHA1
506f37c812920db4ea3f89fd92aeff72182b9e02

SHA256
9b4e1f65207fad40d12a265571654abeb3c8e2af8547e5895fd67135f7c1d363

SHA512
4141f3a98a3311332ac09f3da449c8359fea841b487405dfc6a4891dd953eafed24c037009efb01381a7b0481974623ac3b9686f9e3d9787d731efda1468b1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat
Filesize
221B

MD5
8cc4b8cc3ee6063e1f307a1b34df8309

SHA1
dca6728bc9d4b09f66790321d653b5865c11d423

SHA256
3131ddc1578219418e5a4055610587366194a1a9da184ef82d8d2705038b48ef

SHA512
b6c860b2a2e32abea42d00557ce156d125a3c3d8f018925a35e1c29b7c8f20004cdfd8f2a5192c4838cfbe29a6906effb5a8d384f0fd5d42a8297554f2e9159e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf6a0ee29edf655d61cf44fdc2495baa

SHA1
da9f7dab167169027e65569fa68b4b758c4cbb1f

SHA256
ce9a6a5ad0c02bc37d5991b397743c4229f33c984bcdd6cc3ed778de096b8382

SHA512
cdb902b0cd24f2a3dd2925f59acad28b244fa9033bebfab7d0f012ac817557c6f66c1b141b6d9965560880d19b23246f9185fcdf6c8a0343c8c9b330c2f53337

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1496-127-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1988-66-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1988-65-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/1988-68-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1988-69-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1988-67-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1988-63-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download
memory/2352-70-0x0000000000000000-mapping.dmp

Download
memory/2352-76-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/2352-90-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2364-132-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2364-71-0x0000000000000000-mapping.dmp

Download
memory/2376-138-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2376-72-0x0000000000000000-mapping.dmp

Download
memory/2384-136-0x0000000000000000-mapping.dmp

Download
memory/2408-99-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2408-73-0x0000000000000000-mapping.dmp

Download
memory/2420-133-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2420-74-0x0000000000000000-mapping.dmp

Download
memory/2456-129-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2456-75-0x0000000000000000-mapping.dmp

Download
memory/2488-124-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2488-77-0x0000000000000000-mapping.dmp

Download
memory/2508-134-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2508-78-0x0000000000000000-mapping.dmp

Download
memory/2536-79-0x0000000000000000-mapping.dmp

Download
memory/2536-141-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2580-140-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2580-81-0x0000000000000000-mapping.dmp

Download
memory/2596-82-0x0000000000000000-mapping.dmp

Download
memory/2596-130-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2628-131-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2628-83-0x0000000000000000-mapping.dmp

Download
memory/2644-84-0x0000000000000000-mapping.dmp

Download
memory/2644-122-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2652-123-0x0000000000000000-mapping.dmp

Download
memory/2704-135-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2704-86-0x0000000000000000-mapping.dmp

Download
memory/2732-128-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2732-88-0x0000000000000000-mapping.dmp

Download
memory/2756-89-0x0000000000000000-mapping.dmp

Download
memory/2756-137-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2808-91-0x0000000000000000-mapping.dmp

Download
memory/2808-139-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/2884-98-0x0000000000000000-mapping.dmp

Download
memory/2884-105-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download