dcrat | 050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2023 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe
Size

1.3MB
MD5

bb032d77190a98820331cfd60e051e26
SHA1

b6b4e88d497bfb13ff22448f4851d1b38c40477b
SHA256

050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e
SHA512

31c1c2c31bbf8f4032ed1d8b26bea015501f2d07c380d2016712e92beb9e2527db59614c5814e5f81e7027bed793d763a751d8d754bbfcf5c5da9f9082e68719
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4256	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4256	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abed-279.dat	dcrat
behavioral1/files/0x000800000001abed-280.dat	dcrat
behavioral1/memory/5000-281-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac0c-338.dat	dcrat
behavioral1/files/0x000700000001ac0c-340.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
5000	DllCommonsvc.exe
2664	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4408	schtasks.exe
1784	schtasks.exe
1144	schtasks.exe
776	schtasks.exe
4540	schtasks.exe
4304	schtasks.exe
4940	schtasks.exe
2456	schtasks.exe
4316	schtasks.exe
4308	schtasks.exe
4520	schtasks.exe
4552	schtasks.exe
656	schtasks.exe
2148	schtasks.exe
4488	schtasks.exe
4836	schtasks.exe
4460	schtasks.exe
3992	schtasks.exe
3688	schtasks.exe
3792	schtasks.exe
4516	schtasks.exe
3160	schtasks.exe
4444	schtasks.exe
4336	schtasks.exe
820	schtasks.exe
3188	schtasks.exe
1276	schtasks.exe
816	schtasks.exe
4244	schtasks.exe
4808	schtasks.exe
4396	schtasks.exe
652	schtasks.exe
4948	schtasks.exe
4404	schtasks.exe
60	schtasks.exe
912	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	DllCommonsvc.exe
5000	DllCommonsvc.exe
5000	DllCommonsvc.exe
5000	DllCommonsvc.exe
5000	DllCommonsvc.exe
1588	powershell.exe
1588	powershell.exe
1440	powershell.exe
1440	powershell.exe
1588	powershell.exe
1068	powershell.exe
1068	powershell.exe
1440	powershell.exe
1436	powershell.exe
1436	powershell.exe
200	powershell.exe
200	powershell.exe
1588	powershell.exe
1708	powershell.exe
1708	powershell.exe
4528	powershell.exe
4528	powershell.exe
2096	powershell.exe
2096	powershell.exe
496	powershell.exe
496	powershell.exe
1792	powershell.exe
1792	powershell.exe
2372	powershell.exe
2372	powershell.exe
3040	powershell.exe
3040	powershell.exe
3880	powershell.exe
3880	powershell.exe
1440	powershell.exe
1708	powershell.exe
1068	powershell.exe
2096	powershell.exe
496	powershell.exe
2664	csrss.exe
2664	csrss.exe
1708	powershell.exe
200	powershell.exe
1436	powershell.exe
4528	powershell.exe
2372	powershell.exe
1792	powershell.exe
3040	powershell.exe
3880	powershell.exe
1068	powershell.exe
2096	powershell.exe
496	powershell.exe
200	powershell.exe
1436	powershell.exe
4528	powershell.exe
2372	powershell.exe
1792	powershell.exe
3040	powershell.exe
3880	powershell.exe
2664	csrss.exe
2664	csrss.exe
2664	csrss.exe
2664	csrss.exe
2664	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	DllCommonsvc.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2664	csrss.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1440	powershell.exe
Token: SeSecurityPrivilege	1440	powershell.exe
Token: SeTakeOwnershipPrivilege	1440	powershell.exe
Token: SeLoadDriverPrivilege	1440	powershell.exe
Token: SeSystemProfilePrivilege	1440	powershell.exe
Token: SeSystemtimePrivilege	1440	powershell.exe
Token: SeProfSingleProcessPrivilege	1440	powershell.exe
Token: SeIncBasePriorityPrivilege	1440	powershell.exe
Token: SeCreatePagefilePrivilege	1440	powershell.exe
Token: SeBackupPrivilege	1440	powershell.exe
Token: SeRestorePrivilege	1440	powershell.exe
Token: SeShutdownPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeSystemEnvironmentPrivilege	1440	powershell.exe
Token: SeRemoteShutdownPrivilege	1440	powershell.exe
Token: SeUndockPrivilege	1440	powershell.exe
Token: SeManageVolumePrivilege	1440	powershell.exe
Token: 33	1440	powershell.exe
Token: 34	1440	powershell.exe
Token: 35	1440	powershell.exe
Token: 36	1440	powershell.exe
Token: SeIncreaseQuotaPrivilege	1708	powershell.exe
Token: SeSecurityPrivilege	1708	powershell.exe
Token: SeTakeOwnershipPrivilege	1708	powershell.exe
Token: SeLoadDriverPrivilege	1708	powershell.exe
Token: SeSystemProfilePrivilege	1708	powershell.exe
Token: SeSystemtimePrivilege	1708	powershell.exe
Token: SeProfSingleProcessPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2160	2664	050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe	66
PID 2664 wrote to memory of 2160	2664	050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe	66
PID 2664 wrote to memory of 2160	2664	050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe	66
PID 2160 wrote to memory of 68	2160	WScript.exe	67
PID 2160 wrote to memory of 68	2160	WScript.exe	67
PID 2160 wrote to memory of 68	2160	WScript.exe	67
PID 68 wrote to memory of 5000	68	cmd.exe	69
PID 68 wrote to memory of 5000	68	cmd.exe	69
PID 5000 wrote to memory of 1068	5000	DllCommonsvc.exe	107
PID 5000 wrote to memory of 1068	5000	DllCommonsvc.exe	107
PID 5000 wrote to memory of 1588	5000	DllCommonsvc.exe	110
PID 5000 wrote to memory of 1588	5000	DllCommonsvc.exe	110
PID 5000 wrote to memory of 1440	5000	DllCommonsvc.exe	109
PID 5000 wrote to memory of 1440	5000	DllCommonsvc.exe	109
PID 5000 wrote to memory of 4528	5000	DllCommonsvc.exe	111
PID 5000 wrote to memory of 4528	5000	DllCommonsvc.exe	111
PID 5000 wrote to memory of 200	5000	DllCommonsvc.exe	112
PID 5000 wrote to memory of 200	5000	DllCommonsvc.exe	112
PID 5000 wrote to memory of 1436	5000	DllCommonsvc.exe	113
PID 5000 wrote to memory of 1436	5000	DllCommonsvc.exe	113
PID 5000 wrote to memory of 2096	5000	DllCommonsvc.exe	117
PID 5000 wrote to memory of 2096	5000	DllCommonsvc.exe	117
PID 5000 wrote to memory of 1708	5000	DllCommonsvc.exe	118
PID 5000 wrote to memory of 1708	5000	DllCommonsvc.exe	118
PID 5000 wrote to memory of 496	5000	DllCommonsvc.exe	119
PID 5000 wrote to memory of 496	5000	DllCommonsvc.exe	119
PID 5000 wrote to memory of 1792	5000	DllCommonsvc.exe	122
PID 5000 wrote to memory of 1792	5000	DllCommonsvc.exe	122
PID 5000 wrote to memory of 2372	5000	DllCommonsvc.exe	123
PID 5000 wrote to memory of 2372	5000	DllCommonsvc.exe	123
PID 5000 wrote to memory of 3880	5000	DllCommonsvc.exe	126
PID 5000 wrote to memory of 3880	5000	DllCommonsvc.exe	126
PID 5000 wrote to memory of 3040	5000	DllCommonsvc.exe	127
PID 5000 wrote to memory of 3040	5000	DllCommonsvc.exe	127
PID 5000 wrote to memory of 2664	5000	DllCommonsvc.exe	133
PID 5000 wrote to memory of 2664	5000	DllCommonsvc.exe	133

C:\Users\Admin\AppData\Local\Temp\050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe
"C:\Users\Admin\AppData\Local\Temp\050f95f53cfe505258bacecc315055a80d61188127430c6c078ec4730869405e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:68
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9c5899beca92da6acfa2d4d72844142

SHA1
9e97ee32c2f054c089b9ce650e89f680bbbd1808

SHA256
959be835fa9d766f3c091981933ac029cc759e135e721de5eb302f9f5371e558

SHA512
f61d19147d5d23b2a8b9a48fa1e40c6f05ac109b50e5270965e0d1ad04f3c38353a9814869b858c5bdccca017377e52906d453fac45f20189113a117f9dcd2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d58dc09836f40fea9f9e84ba852cb4d

SHA1
82f0c200e7f60c7aa86b5e06ac71bbc1a6d03379

SHA256
d0ece664ecbf1dd4c2d7b81f4f9fb2d3027d0014ab75af17c4ec0c0219d95485

SHA512
603563df55b0ef42b522a7737eacc7ec45ef904abfa0dafd7955e976179fed0718970e49cf1f2895761d219ec741074ae7be94471ca0cb07296bc782d19f69b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0385275951b68ccd8860745f86de1333

SHA1
100255d2770aeffcb187107405513766f9e47ebb

SHA256
2d1f086ee03fa0ef8622d5e7b891a61eb85a5fb2f0768c7a26d966b8e78dbfac

SHA512
93bf01d0fdd8fb0ab9bf59ef37343f743172eada6f4249f63100f5747258e21e8a960dc2b158906f002b852dbd3242fd7461eb482cafe9447a64baf8bea05a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0385275951b68ccd8860745f86de1333

SHA1
100255d2770aeffcb187107405513766f9e47ebb

SHA256
2d1f086ee03fa0ef8622d5e7b891a61eb85a5fb2f0768c7a26d966b8e78dbfac

SHA512
93bf01d0fdd8fb0ab9bf59ef37343f743172eada6f4249f63100f5747258e21e8a960dc2b158906f002b852dbd3242fd7461eb482cafe9447a64baf8bea05a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9915e65d7a5aec615aee16e64ff1b35

SHA1
62357122f971e69107a63745b97ee5b3585d652f

SHA256
14ec8ad51351d1a87db4dfde74a01256ae35af2a499ad5296edee55b5b59d147

SHA512
74d1d3f617e0de60595f79cb93fab79446a585ecbf6957fcc52bfa5794afbadd994a81307b822f4829831c839705addde30ad2ffe9e91a54287f2d8d54f25ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f85d4f46d45768d2ac4389f1df438544

SHA1
c9f9556a3fdcbbe31bf201b19ea769876a1e9bb5

SHA256
5a88d106288109cb7def8d47781ee5b29f6d7479a5e6ebb19ddef074deaa5f9a

SHA512
4a181a5b1485559b7edf3c2e2f5a5145b8e7aa8f2ef3d7d084b0cbfad94091843a87403c84d54d885b44ac044cda85bbb41b7fbf78f8f223f533f24ffc2ae5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d95a9865506ac32268c0388f8549a004

SHA1
30d102f0d293abe78b4594933dfceaaed69c2706

SHA256
17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f

SHA512
ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abe145b4f690c950ec4ee672c4b96f98

SHA1
4c4dbd01b8d52871448cc91c67d1138c81cf5534

SHA256
4f938e6a71fdc1a57e2a148803d1245f72feaafa9d727952cb5bcdec66bb762d

SHA512
ddd1ded9d1eeccd4a41067dc17a8902f8af3a2630448c81cfeace7012873f6c1c236b23f7ad90715dfd0e5c570d77b920a6bb4d0f01df46481b902a63a41e5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aae132d87bada24f9005aa943cd41c38

SHA1
27ac7f46e309f74e84d4f2ddda2b598a6a5a7bf7

SHA256
7d17b6e19af2793afb56252831cf65d3794e2cf736cf6984deb414e2eb36837e

SHA512
2c15c5ede8dc68ca9cca5885a41f23110c3409a0f36db49ab95f58794d86579b3563e4ed777efb9d8eb42aa493c7a0fb83fb2f9ff5413a89d962c670677bee41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02f293bc4657c8b63f2babb99837f9d1

SHA1
8c0d364cd74745ba3e8aed2c97403097590e8d67

SHA256
0d438ac6cfdfa5ae2e32ab6ae0905a26c963e2c6a8ee18140e645cf1095e1a4c

SHA512
2e6674f957602b8c96994e1f665ada22b4978e293e9bbd893107bfe09d8a1fcc4b6c49f3466bf3ef8f0963b1b296f328becbc66c6c5176e341874f7620d0be36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a7b4fc8bc5cac9298d3e63d1489f87cb

SHA1
315b7dc768cbdcfa48735ae8e4bd11d1ee848651

SHA256
93759c3903200c3c42ca5563c239c647b71d7d9195b3bc87781508db41c44cf1

SHA512
81b7a71fa79cb74d5b97916ebb422d6045918fdc7c6790e528b3f31cc10c1fb9b9992d014fc118cf17c1a3625bbc8709bdd51aa9f37aa55bec06e9096b77320a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c0c55d0babe4388d1da37e2ba1eb883

SHA1
43296dca989988dcb6a27ce01251dc8ceb873329

SHA256
26b162de58f43510342b05452094a8d54e52ff70110d84deee9c483c47576dc3

SHA512
e9ac2902b5d2a1fcd7ab3c6268cfa0ab56444a9e29e55d97751bb67e95d10458d0e71ac73c99d23f4e125130aa0d7acda01207b221aa8e9374ae99043831778a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/68-255-0x0000000000000000-mapping.dmp

Download
memory/200-290-0x0000000000000000-mapping.dmp

Download
memory/496-294-0x0000000000000000-mapping.dmp

Download
memory/1068-286-0x0000000000000000-mapping.dmp

Download
memory/1436-291-0x0000000000000000-mapping.dmp

Download
memory/1440-288-0x0000000000000000-mapping.dmp

Download
memory/1440-354-0x00000191743B0000-0x00000191743D2000-memory.dmp

Filesize
136KB

Download
memory/1588-287-0x0000000000000000-mapping.dmp

Download
memory/1588-357-0x0000021BD9070000-0x0000021BD90E6000-memory.dmp

Filesize
472KB

Download
memory/1708-293-0x0000000000000000-mapping.dmp

Download
memory/1792-295-0x0000000000000000-mapping.dmp

Download
memory/2096-292-0x0000000000000000-mapping.dmp

Download
memory/2160-179-0x0000000000000000-mapping.dmp

Download
memory/2160-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2372-298-0x0000000000000000-mapping.dmp

Download
memory/2664-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-330-0x0000000000000000-mapping.dmp

Download
memory/2664-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-364-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/2664-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-305-0x0000000000000000-mapping.dmp

Download
memory/3880-303-0x0000000000000000-mapping.dmp

Download
memory/4528-289-0x0000000000000000-mapping.dmp

Download
memory/5000-285-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/5000-284-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/5000-283-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/5000-282-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/5000-281-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/5000-278-0x0000000000000000-mapping.dmp

Download