dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
136s
max time network
230s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	272	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral7/memory/820-65-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe	dcrat
behavioral7/memory/2760-106-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

DllCommonsvc.exe

pid process

820 DllCommonsvc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1768 cmd.exe
1768 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
820	DllCommonsvc.exe

pid	process
1768	cmd.exe
1768	cmd.exe

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\Cursors\886983d96e3d3e DllCommonsvc.exe
File created C:\Windows\Cursors\csrss.exe DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2096	schtasks.exe
2268	schtasks.exe
1532	schtasks.exe
1104	schtasks.exe
1904	schtasks.exe
520	schtasks.exe
656	schtasks.exe
2172	schtasks.exe
2192	schtasks.exe
1620	schtasks.exe
564	schtasks.exe
868	schtasks.exe
1900	schtasks.exe
2132	schtasks.exe
2156	schtasks.exe
1576	schtasks.exe
1956	schtasks.exe
1652	schtasks.exe
1424	schtasks.exe
680	schtasks.exe
2012	schtasks.exe
1536	schtasks.exe
2244	schtasks.exe
592	schtasks.exe
1728	schtasks.exe
1116	schtasks.exe
1384	schtasks.exe
432	schtasks.exe
2224	schtasks.exe
1952	schtasks.exe
764	schtasks.exe
392	schtasks.exe
1632	schtasks.exe
1700	schtasks.exe
1256	schtasks.exe
2076	schtasks.exe
952	schtasks.exe
1660	schtasks.exe
832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DllCommonsvc.exe

pid process

820 DllCommonsvc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DllCommonsvc.exe

description pid process

Token: SeDebugPrivilege 820 DllCommonsvc.exe

pid	process
820	DllCommonsvc.exe

description	pid	process
Token: SeDebugPrivilege	820	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	process	target process
PID 1068 wrote to memory of 1180	1068	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1068 wrote to memory of 1180	1068	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1068 wrote to memory of 1180	1068	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1068 wrote to memory of 1180	1068	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1180 wrote to memory of 1768	1180	WScript.exe	cmd.exe
PID 1180 wrote to memory of 1768	1180	WScript.exe	cmd.exe
PID 1180 wrote to memory of 1768	1180	WScript.exe	cmd.exe
PID 1180 wrote to memory of 1768	1180	WScript.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	cmd.exe	DllCommonsvc.exe
PID 1768 wrote to memory of 820	1768	cmd.exe	DllCommonsvc.exe
PID 1768 wrote to memory of 820	1768	cmd.exe	DllCommonsvc.exe
PID 1768 wrote to memory of 820	1768	cmd.exe	DllCommonsvc.exe
PID 820 wrote to memory of 2540	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2540	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2540	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2552	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2552	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2552	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2572	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2572	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2572	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2596	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2596	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2596	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2624	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2624	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2624	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2652	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2652	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2652	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2696	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2696	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2696	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2732	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2732	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2732	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2764	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2764	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2764	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2812	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2812	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2812	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2848	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2848	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2848	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2872	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2872	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2872	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2904	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2904	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2904	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2936	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2936	820	DllCommonsvc.exe	powershell.exe
PID 820 wrote to memory of 2936	820	DllCommonsvc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
5⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'
5⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'
5⤵
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
5⤵
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
5⤵
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'
5⤵
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
5⤵
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
5⤵
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\dwm.exe'
5⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
5⤵
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'
5⤵
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\sppsvc.exe'
5⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
5⤵
PID:2936

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe
"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
5⤵
PID:2760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
6⤵
PID:3380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat
Filesize
239B

MD5
5edc3425967e7f9d80b0a73d74953ca1

SHA1
f93606e46f078470338e0abb86540f4bc007a3c7

SHA256
44bf0e57753282b2b42ca3a4994d3058e41a87d5ac693e57e99267528f406ff0

SHA512
679fee63b5fa89570eb85ec02c96d154555c6d5d9b79da921f01b50d65a3de493a9ecffc5b9bfaac5b363894bb4a30318e9c431aeb51541142bdada12a862191

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cb2c8af6634dddc239cd1344bd768e9e

SHA1
53be0590d38b8503a5ddc80ba6769efc20d65ac8

SHA256
9603fcf4e7b326d618b0c108d4fe513b966b904fd99cf54370ebda59aceed56d

SHA512
07f75f7c96f5bd64ac4517434db137d267e6e7c33d265553db2928ad46a7bacc6093a8ce375d5d7b8c94336c8368fe282cfb998bee5e755bc5ba67960664702a

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/820-65-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/820-66-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/820-69-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/820-68-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/820-67-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/820-63-0x0000000000000000-mapping.dmp

Download
memory/1068-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1180-55-0x0000000000000000-mapping.dmp

Download
memory/1768-59-0x0000000000000000-mapping.dmp

Download
memory/2540-141-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2540-128-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2540-70-0x0000000000000000-mapping.dmp

Download
memory/2540-75-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/2540-98-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2552-71-0x0000000000000000-mapping.dmp

Download
memory/2572-140-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2572-72-0x0000000000000000-mapping.dmp

Download
memory/2572-124-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2572-137-0x0000000002204000-0x0000000002207000-memory.dmp

Filesize
12KB

Download
memory/2596-133-0x0000000002234000-0x0000000002237000-memory.dmp

Filesize
12KB

Download
memory/2596-121-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2596-148-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2596-73-0x0000000000000000-mapping.dmp

Download
memory/2624-74-0x0000000000000000-mapping.dmp

Download
memory/2624-130-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2624-145-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2624-117-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2652-127-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2652-115-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2652-76-0x0000000000000000-mapping.dmp

Download
memory/2652-113-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2696-143-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2696-125-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2696-78-0x0000000000000000-mapping.dmp

Download
memory/2696-134-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2732-80-0x0000000000000000-mapping.dmp

Download
memory/2732-149-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2732-119-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2732-132-0x0000000001E84000-0x0000000001E87000-memory.dmp

Filesize
12KB

Download
memory/2760-106-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-102-0x0000000000000000-mapping.dmp

Download
memory/2764-81-0x0000000000000000-mapping.dmp

Download
memory/2764-120-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2764-142-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2764-138-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/2812-126-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2812-114-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2812-104-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2812-84-0x0000000000000000-mapping.dmp

Download
memory/2848-129-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2848-116-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2848-147-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2848-86-0x0000000000000000-mapping.dmp

Download
memory/2872-122-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/2872-135-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/2872-88-0x0000000000000000-mapping.dmp

Download
memory/2872-146-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2904-90-0x0000000000000000-mapping.dmp

Download
memory/2904-131-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2936-150-0x000007FEEB470000-0x000007FEEBFCD000-memory.dmp

Filesize
11.4MB

Download
memory/2936-91-0x0000000000000000-mapping.dmp

Download
memory/2936-136-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/2936-123-0x000007FEEBFD0000-0x000007FEEC9F3000-memory.dmp

Filesize
10.1MB

Download
memory/3380-139-0x0000000000000000-mapping.dmp

Download