dcrat | bc657cb8e72afeb4f4d2a2f056162f0c3b8486fdfe80bc33a41d7871b35f8f4a

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abedf09a962a9489dba07ff3b6a93e41.exe
Size

1.3MB
MD5

abedf09a962a9489dba07ff3b6a93e41
SHA1

25098fb30ee8b79bdeeee1e93eb9506b6f93832a
SHA256

bc657cb8e72afeb4f4d2a2f056162f0c3b8486fdfe80bc33a41d7871b35f8f4a
SHA512

33a334bdea2742505a200cb6af63f1239681296d9be50e6aefc0543887849d1a55e66f0336e355e5ab768fcfb79a57212aefad9218df2a18be51c4aee5f99a3e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1516	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/1712-65-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
behavioral1/memory/1144-90-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
behavioral1/memory/2372-124-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
behavioral1/memory/2664-144-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
behavioral1/memory/2836-150-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat
behavioral1/memory/3008-157-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
C:\Users\Public\Downloads\sppsvc.exe	dcrat

Executes dropped EXE 7 IoCs

Processes:

DllCommonsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid process

1712 DllCommonsvc.exe
1144 sppsvc.exe
2372 sppsvc.exe
2664 sppsvc.exe
2836 sppsvc.exe
3008 sppsvc.exe
1012 sppsvc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

832 cmd.exe
832 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
832	cmd.exe
832	cmd.exe

Drops file in Program Files directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\plugins\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\Aero\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1628	schtasks.exe
904	schtasks.exe
608	schtasks.exe
672	schtasks.exe
1680	schtasks.exe
1888	schtasks.exe
1572	schtasks.exe
1760	schtasks.exe
2040	schtasks.exe
1468	schtasks.exe
1496	schtasks.exe
2024	schtasks.exe
1112	schtasks.exe
856	schtasks.exe
272	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sppsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	sppsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	sppsvc.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid process

2372 sppsvc.exe
2664 sppsvc.exe
2836 sppsvc.exe
3008 sppsvc.exe
1012 sppsvc.exe

pid	process
2372	sppsvc.exe
2664	sppsvc.exe
2836	sppsvc.exe
3008	sppsvc.exe
1012	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DllCommonsvc.exesppsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
1712	DllCommonsvc.exe
1144	sppsvc.exe
964	powershell.exe
1580	powershell.exe
1108	powershell.exe
592	powershell.exe
996	powershell.exe
1480	powershell.exe
2372	sppsvc.exe
2664	sppsvc.exe
2836	sppsvc.exe
3008	sppsvc.exe
1012	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

DllCommonsvc.exesppsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	1712	DllCommonsvc.exe
Token: SeDebugPrivilege	1144	sppsvc.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2372	sppsvc.exe
Token: SeDebugPrivilege	2664	sppsvc.exe
Token: SeDebugPrivilege	2836	sppsvc.exe
Token: SeDebugPrivilege	3008	sppsvc.exe
Token: SeDebugPrivilege	1012	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

abedf09a962a9489dba07ff3b6a93e41.exeWScript.execmd.exeDllCommonsvc.exesppsvc.execmd.exesppsvc.execmd.exesppsvc.execmd.exe

description	pid	process	target process
PID 108 wrote to memory of 1488	108	abedf09a962a9489dba07ff3b6a93e41.exe	WScript.exe
PID 108 wrote to memory of 1488	108	abedf09a962a9489dba07ff3b6a93e41.exe	WScript.exe
PID 108 wrote to memory of 1488	108	abedf09a962a9489dba07ff3b6a93e41.exe	WScript.exe
PID 108 wrote to memory of 1488	108	abedf09a962a9489dba07ff3b6a93e41.exe	WScript.exe
PID 1488 wrote to memory of 832	1488	WScript.exe	cmd.exe
PID 1488 wrote to memory of 832	1488	WScript.exe	cmd.exe
PID 1488 wrote to memory of 832	1488	WScript.exe	cmd.exe
PID 1488 wrote to memory of 832	1488	WScript.exe	cmd.exe
PID 832 wrote to memory of 1712	832	cmd.exe	DllCommonsvc.exe
PID 832 wrote to memory of 1712	832	cmd.exe	DllCommonsvc.exe
PID 832 wrote to memory of 1712	832	cmd.exe	DllCommonsvc.exe
PID 832 wrote to memory of 1712	832	cmd.exe	DllCommonsvc.exe
PID 1712 wrote to memory of 964	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 964	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 964	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1580	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1580	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1580	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1108	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1108	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1108	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 996	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 996	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 996	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1480	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1480	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1480	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 592	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 592	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 592	1712	DllCommonsvc.exe	powershell.exe
PID 1712 wrote to memory of 1144	1712	DllCommonsvc.exe	sppsvc.exe
PID 1712 wrote to memory of 1144	1712	DllCommonsvc.exe	sppsvc.exe
PID 1712 wrote to memory of 1144	1712	DllCommonsvc.exe	sppsvc.exe
PID 1712 wrote to memory of 1144	1712	DllCommonsvc.exe	sppsvc.exe
PID 1712 wrote to memory of 1144	1712	DllCommonsvc.exe	sppsvc.exe
PID 1144 wrote to memory of 2216	1144	sppsvc.exe	cmd.exe
PID 1144 wrote to memory of 2216	1144	sppsvc.exe	cmd.exe
PID 1144 wrote to memory of 2216	1144	sppsvc.exe	cmd.exe
PID 2216 wrote to memory of 2260	2216	cmd.exe	w32tm.exe
PID 2216 wrote to memory of 2260	2216	cmd.exe	w32tm.exe
PID 2216 wrote to memory of 2260	2216	cmd.exe	w32tm.exe
PID 2216 wrote to memory of 2372	2216	cmd.exe	sppsvc.exe
PID 2216 wrote to memory of 2372	2216	cmd.exe	sppsvc.exe
PID 2216 wrote to memory of 2372	2216	cmd.exe	sppsvc.exe
PID 2216 wrote to memory of 2372	2216	cmd.exe	sppsvc.exe
PID 2216 wrote to memory of 2372	2216	cmd.exe	sppsvc.exe
PID 2372 wrote to memory of 2604	2372	sppsvc.exe	cmd.exe
PID 2372 wrote to memory of 2604	2372	sppsvc.exe	cmd.exe
PID 2372 wrote to memory of 2604	2372	sppsvc.exe	cmd.exe
PID 2604 wrote to memory of 2640	2604	cmd.exe	w32tm.exe
PID 2604 wrote to memory of 2640	2604	cmd.exe	w32tm.exe
PID 2604 wrote to memory of 2640	2604	cmd.exe	w32tm.exe
PID 2604 wrote to memory of 2664	2604	cmd.exe	sppsvc.exe
PID 2604 wrote to memory of 2664	2604	cmd.exe	sppsvc.exe
PID 2604 wrote to memory of 2664	2604	cmd.exe	sppsvc.exe
PID 2604 wrote to memory of 2664	2604	cmd.exe	sppsvc.exe
PID 2604 wrote to memory of 2664	2604	cmd.exe	sppsvc.exe
PID 2664 wrote to memory of 2780	2664	sppsvc.exe	cmd.exe
PID 2664 wrote to memory of 2780	2664	sppsvc.exe	cmd.exe
PID 2664 wrote to memory of 2780	2664	sppsvc.exe	cmd.exe
PID 2780 wrote to memory of 2816	2780	cmd.exe	w32tm.exe
PID 2780 wrote to memory of 2816	2780	cmd.exe	w32tm.exe
PID 2780 wrote to memory of 2816	2780	cmd.exe	w32tm.exe
PID 2780 wrote to memory of 2836	2780	cmd.exe	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\abedf09a962a9489dba07ff3b6a93e41.exe
"C:\Users\Admin\AppData\Local\Temp\abedf09a962a9489dba07ff3b6a93e41.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\lsm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WMIADAP.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2260

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:2640

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2816

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
12⤵
PID:2944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:2984

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
13⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
14⤵
PID:1468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:1688

C:\Users\Public\Downloads\sppsvc.exe
"C:\Users\Public\Downloads\sppsvc.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\Aero\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat

Filesize
201B

MD5
e470e53845f5397cfeb41e45684331e8

SHA1
fbbc190a20116255088c1f9df438406b0b1a7541

SHA256
4692c75e11cde23b912f347d63af87332b8da945277420bf61ca7a31bc5b4ad5

SHA512
3e166bb6a7de7a2cfdf37723f144f71b818f0ab53817f4298918d7edaca68de8f2f2399ac92b6d9e9d58bf9095298b6912e6f3f487bc97e5e5b27386c628f42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
201B

MD5
d3fb08eea886bf81b912df5968ba8e1f

SHA1
13b6f0e59438fd658ec762be8736efcd409d9dda

SHA256
97c606aa74f4fd0263be9735bb3428a5b20a3e288434a024d1284ac93fd043b3

SHA512
451ee160c94673720c353ef937433291f8c7f9d31ecd266ccbd3ad6904b80ce91143533b280d527e7f61e4bf530d4e15218183942fc9eefda087c10a7c84d822

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
201B

MD5
0e2968fb3f8ac0f04a09c5a9d0b49184

SHA1
f658ffc425bf28fb34ecf6a76a5f3109e1be9958

SHA256
fa08b1a636252bf15d632cd60760e585591c3ed0441759e373f3fe16ee2b6749

SHA512
995b5c0390c218f67cb59db2b1eda65e5b02c0060c6f54d592ce805195bfeaf6721383a9554bfe9b5c27cb576a8d927b7d5824f1ec059c042555566b2279c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
201B

MD5
d6027e17b0a6addf1d1f9445627c82d7

SHA1
b61964808e2b37808e9426a38656cb9815e0cd07

SHA256
0bfb01dc1442db6436aaa17ab8e60651afae2f23a58eb454428ea41947e57b42

SHA512
9a0aa88d521c2fcd98b859f37c11de2c0bf046875a5c16620b49a1018e5ccae7c6a9819789fa6347fce683142e7513e8878a19a573508165915cf51699c4a018

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
201B

MD5
633ec6735908c50a77f0f7406c86eb9a

SHA1
109095e4a2dba5c9d726f723d19499d50c0ad6df

SHA256
e0c1e0726389a0d6912de2a039813e27d6f79e2d09b19e887429ba6f880e3b67

SHA512
aa4cc3f835d6f874091ecb2c7a2d64699f8499e54e2a7dc757635832f68ea737e5691e19cc89923aab7ef6d97001d91f1e02ad1ee4d0c0e83d21a641c7050541

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8092ad442ed6a9077c830b14a62f1ef5

SHA1
b42ed3959259aa00dd358eb0b16a87f44cd53769

SHA256
cfffb941db996fc87e9628fee7332b3a1b6027874719440f4042130b45005779

SHA512
3bc01959487987a52c1cb32f04d58beece4399d4437295a52795e7a0174691f1118ad61b6d0089474259b16802494a712c407dad792af86a9f84deceee019479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8092ad442ed6a9077c830b14a62f1ef5

SHA1
b42ed3959259aa00dd358eb0b16a87f44cd53769

SHA256
cfffb941db996fc87e9628fee7332b3a1b6027874719440f4042130b45005779

SHA512
3bc01959487987a52c1cb32f04d58beece4399d4437295a52795e7a0174691f1118ad61b6d0089474259b16802494a712c407dad792af86a9f84deceee019479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8092ad442ed6a9077c830b14a62f1ef5

SHA1
b42ed3959259aa00dd358eb0b16a87f44cd53769

SHA256
cfffb941db996fc87e9628fee7332b3a1b6027874719440f4042130b45005779

SHA512
3bc01959487987a52c1cb32f04d58beece4399d4437295a52795e7a0174691f1118ad61b6d0089474259b16802494a712c407dad792af86a9f84deceee019479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8092ad442ed6a9077c830b14a62f1ef5

SHA1
b42ed3959259aa00dd358eb0b16a87f44cd53769

SHA256
cfffb941db996fc87e9628fee7332b3a1b6027874719440f4042130b45005779

SHA512
3bc01959487987a52c1cb32f04d58beece4399d4437295a52795e7a0174691f1118ad61b6d0089474259b16802494a712c407dad792af86a9f84deceee019479

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Downloads\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/592-97-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/592-77-0x0000000000000000-mapping.dmp

Download
memory/592-132-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/592-115-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/592-100-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/592-130-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/592-95-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/832-59-0x0000000000000000-mapping.dmp

Download
memory/964-105-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/964-70-0x0000000000000000-mapping.dmp

Download
memory/964-74-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/964-131-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/964-129-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/964-128-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/964-117-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/964-111-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/964-102-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/964-83-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/996-104-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/996-119-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/996-135-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/996-136-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/996-106-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/996-73-0x0000000000000000-mapping.dmp

Download
memory/996-93-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/1012-161-0x0000000000000000-mapping.dmp

Download
memory/1108-114-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1108-125-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1108-96-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/1108-85-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/1108-99-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1108-127-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1108-72-0x0000000000000000-mapping.dmp

Download
memory/1108-126-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1144-82-0x0000000000000000-mapping.dmp

Download
memory/1144-90-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1468-158-0x0000000000000000-mapping.dmp

Download
memory/1480-134-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/1480-75-0x0000000000000000-mapping.dmp

Download
memory/1480-101-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1480-113-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1480-116-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1480-94-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/1480-133-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1480-98-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/1488-55-0x0000000000000000-mapping.dmp

Download
memory/1580-137-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1580-84-0x000007FEEC4D0000-0x000007FEECEF3000-memory.dmp

Filesize
10.1MB

Download
memory/1580-71-0x0000000000000000-mapping.dmp

Download
memory/1580-103-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1580-107-0x000007FEEB970000-0x000007FEEC4CD000-memory.dmp

Filesize
11.4MB

Download
memory/1580-138-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1580-118-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1688-160-0x0000000000000000-mapping.dmp

Download
memory/1712-65-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/1712-69-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1712-66-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1712-63-0x0000000000000000-mapping.dmp

Download
memory/1712-67-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1712-68-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2216-108-0x0000000000000000-mapping.dmp

Download
memory/2260-110-0x0000000000000000-mapping.dmp

Download
memory/2372-124-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2372-122-0x0000000000000000-mapping.dmp

Download
memory/2604-139-0x0000000000000000-mapping.dmp

Download
memory/2640-141-0x0000000000000000-mapping.dmp

Download
memory/2664-142-0x0000000000000000-mapping.dmp

Download
memory/2664-144-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-145-0x0000000000000000-mapping.dmp

Download
memory/2816-147-0x0000000000000000-mapping.dmp

Download
memory/2836-151-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2836-150-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-148-0x0000000000000000-mapping.dmp

Download
memory/2944-152-0x0000000000000000-mapping.dmp

Download
memory/2984-154-0x0000000000000000-mapping.dmp

Download
memory/3008-157-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/3008-155-0x0000000000000000-mapping.dmp

Download