dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1753s
max time network
1805s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3624	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3624	schtasks.exe	75

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af6b-11.dat	dcrat
behavioral2/files/0x000800000001af6b-14.dat	dcrat
behavioral2/files/0x000700000001b010-32.dat	dcrat
behavioral2/files/0x000700000001b010-33.dat	dcrat
behavioral2/memory/1960-34-0x0000000000F30000-0x00000000010B0000-memory.dmp	dcrat
behavioral2/files/0x000600000001b015-48.dat	dcrat
behavioral2/files/0x000600000001b01e-70.dat	dcrat
behavioral2/files/0x000600000001b01e-66.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4404	Loader.exe
1960	MsServerfont.exe
2128	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3828	YammiBeta.exe
3828	YammiBeta.exe
3828	YammiBeta.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\smss.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Defender\69ddcba757bf72	MsServerfont.exe
File created	C:\Program Files\Google\csrss.exe	MsServerfont.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sihost.exe	MsServerfont.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\66fc9ff0ee96c2	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\886983d96e3d3e	MsServerfont.exe
File created	C:\Program Files\Google\886983d96e3d3e	MsServerfont.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sihost.exe	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\csrss.exe	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2236	schtasks.exe
2780	schtasks.exe
3136	schtasks.exe
3296	schtasks.exe
4120	schtasks.exe
2924	schtasks.exe
4836	schtasks.exe
340	schtasks.exe
2776	schtasks.exe
5080	schtasks.exe
220	schtasks.exe
4888	schtasks.exe
2808	schtasks.exe
2708	schtasks.exe
3800	schtasks.exe
1844	schtasks.exe
3760	schtasks.exe
4496	schtasks.exe
1676	schtasks.exe
3120	schtasks.exe
2188	schtasks.exe
164	schtasks.exe
2864	schtasks.exe
3488	schtasks.exe
4964	schtasks.exe
4168	schtasks.exe
2548	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	MsServerfont.exe
1960	MsServerfont.exe
1960	MsServerfont.exe
4600	powershell.exe
4600	powershell.exe
3108	powershell.exe
3108	powershell.exe
3804	powershell.exe
3804	powershell.exe
2960	powershell.exe
2960	powershell.exe
240	powershell.exe
240	powershell.exe
4420	powershell.exe
4420	powershell.exe
3832	powershell.exe
3832	powershell.exe
4384	powershell.exe
4384	powershell.exe
4024	powershell.exe
4024	powershell.exe
4996	powershell.exe
4996	powershell.exe
1768	powershell.exe
1768	powershell.exe
4236	powershell.exe
4236	powershell.exe
2128	winlogon.exe
2128	winlogon.exe
2960	powershell.exe
3804	powershell.exe
3108	powershell.exe
240	powershell.exe
4600	powershell.exe
4420	powershell.exe
4384	powershell.exe
3832	powershell.exe
4236	powershell.exe
4996	powershell.exe
1768	powershell.exe
4024	powershell.exe
240	powershell.exe
4420	powershell.exe
2960	powershell.exe
3108	powershell.exe
3108	powershell.exe
4600	powershell.exe
3804	powershell.exe
3832	powershell.exe
4236	powershell.exe
4996	powershell.exe
4384	powershell.exe
1768	powershell.exe
4024	powershell.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe
2128	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2128	winlogon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	YammiBeta.exe
Token: SeDebugPrivilege	1960	MsServerfont.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	2128	winlogon.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeIncreaseQuotaPrivilege	240	powershell.exe
Token: SeSecurityPrivilege	240	powershell.exe
Token: SeTakeOwnershipPrivilege	240	powershell.exe
Token: SeLoadDriverPrivilege	240	powershell.exe
Token: SeSystemProfilePrivilege	240	powershell.exe
Token: SeSystemtimePrivilege	240	powershell.exe
Token: SeProfSingleProcessPrivilege	240	powershell.exe
Token: SeIncBasePriorityPrivilege	240	powershell.exe
Token: SeCreatePagefilePrivilege	240	powershell.exe
Token: SeBackupPrivilege	240	powershell.exe
Token: SeRestorePrivilege	240	powershell.exe
Token: SeShutdownPrivilege	240	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeSystemEnvironmentPrivilege	240	powershell.exe
Token: SeRemoteShutdownPrivilege	240	powershell.exe
Token: SeUndockPrivilege	240	powershell.exe
Token: SeManageVolumePrivilege	240	powershell.exe
Token: 33	240	powershell.exe
Token: 34	240	powershell.exe
Token: 35	240	powershell.exe
Token: 36	240	powershell.exe
Token: SeIncreaseQuotaPrivilege	4420	powershell.exe
Token: SeSecurityPrivilege	4420	powershell.exe
Token: SeTakeOwnershipPrivilege	4420	powershell.exe
Token: SeLoadDriverPrivilege	4420	powershell.exe
Token: SeSystemProfilePrivilege	4420	powershell.exe
Token: SeSystemtimePrivilege	4420	powershell.exe
Token: SeProfSingleProcessPrivilege	4420	powershell.exe
Token: SeIncBasePriorityPrivilege	4420	powershell.exe
Token: SeCreatePagefilePrivilege	4420	powershell.exe
Token: SeBackupPrivilege	4420	powershell.exe
Token: SeRestorePrivilege	4420	powershell.exe
Token: SeShutdownPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeSystemEnvironmentPrivilege	4420	powershell.exe
Token: SeRemoteShutdownPrivilege	4420	powershell.exe
Token: SeUndockPrivilege	4420	powershell.exe
Token: SeManageVolumePrivilege	4420	powershell.exe
Token: 33	4420	powershell.exe
Token: 34	4420	powershell.exe
Token: 35	4420	powershell.exe
Token: 36	4420	powershell.exe
Token: SeIncreaseQuotaPrivilege	3108	powershell.exe
Token: SeSecurityPrivilege	3108	powershell.exe
Token: SeTakeOwnershipPrivilege	3108	powershell.exe
Token: SeLoadDriverPrivilege	3108	powershell.exe
Token: SeSystemProfilePrivilege	3108	powershell.exe
Token: SeSystemtimePrivilege	3108	powershell.exe
Token: SeProfSingleProcessPrivilege	3108	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3828	YammiBeta.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4404	3828	YammiBeta.exe	70
PID 3828 wrote to memory of 4404	3828	YammiBeta.exe	70
PID 3828 wrote to memory of 4404	3828	YammiBeta.exe	70
PID 4404 wrote to memory of 4644	4404	Loader.exe	71
PID 4404 wrote to memory of 4644	4404	Loader.exe	71
PID 4404 wrote to memory of 4644	4404	Loader.exe	71
PID 4644 wrote to memory of 3500	4644	WScript.exe	72
PID 4644 wrote to memory of 3500	4644	WScript.exe	72
PID 4644 wrote to memory of 3500	4644	WScript.exe	72
PID 3500 wrote to memory of 1960	3500	cmd.exe	74
PID 3500 wrote to memory of 1960	3500	cmd.exe	74
PID 1960 wrote to memory of 2960	1960	MsServerfont.exe	126
PID 1960 wrote to memory of 2960	1960	MsServerfont.exe	126
PID 1960 wrote to memory of 3804	1960	MsServerfont.exe	125
PID 1960 wrote to memory of 3804	1960	MsServerfont.exe	125
PID 1960 wrote to memory of 4600	1960	MsServerfont.exe	124
PID 1960 wrote to memory of 4600	1960	MsServerfont.exe	124
PID 1960 wrote to memory of 3832	1960	MsServerfont.exe	123
PID 1960 wrote to memory of 3832	1960	MsServerfont.exe	123
PID 1960 wrote to memory of 4420	1960	MsServerfont.exe	122
PID 1960 wrote to memory of 4420	1960	MsServerfont.exe	122
PID 1960 wrote to memory of 4236	1960	MsServerfont.exe	103
PID 1960 wrote to memory of 4236	1960	MsServerfont.exe	103
PID 1960 wrote to memory of 3108	1960	MsServerfont.exe	121
PID 1960 wrote to memory of 3108	1960	MsServerfont.exe	121
PID 1960 wrote to memory of 1768	1960	MsServerfont.exe	111
PID 1960 wrote to memory of 1768	1960	MsServerfont.exe	111
PID 1960 wrote to memory of 4996	1960	MsServerfont.exe	109
PID 1960 wrote to memory of 4996	1960	MsServerfont.exe	109
PID 1960 wrote to memory of 4384	1960	MsServerfont.exe	108
PID 1960 wrote to memory of 4384	1960	MsServerfont.exe	108
PID 1960 wrote to memory of 4024	1960	MsServerfont.exe	106
PID 1960 wrote to memory of 4024	1960	MsServerfont.exe	106
PID 1960 wrote to memory of 240	1960	MsServerfont.exe	104
PID 1960 wrote to memory of 240	1960	MsServerfont.exe	104
PID 1960 wrote to memory of 2128	1960	MsServerfont.exe	127
PID 1960 wrote to memory of 2128	1960	MsServerfont.exe	127

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
      - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36d9d45b5b9719e7c23de4986b8e62fd

SHA1
3b36e64bdf564cef6a67462e5fa96878e58e7b9a

SHA256
1e77d8ec0640acb37b18a352082eeb1aba90f24e612107a791e14ea7a8c1bf8e

SHA512
db0966e52f05a5b7010d74116e8a91cc2176e1228f112c9056da6f0d32e1965f4601c1e2e864cf1e2eca57e39b77cde15f1adb88077caf22dab084e971af5918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
126fd9cd58f1ee714578f31d05299660

SHA1
a2d7369c58f723bfe6d5e2494e023d95f4b8a47f

SHA256
4a27e3d2e8e7ebad5cbc9a629579ff9fd0eda8a370184981cbd6c95ee889bf7c

SHA512
672db0857ea272e7c746e100379c9c6c68498435daa62b402b5ac29608ff8cbeff92ebf0b0129e4ad5b5faa16bf71958284ebf261c95b5a88d920103aee04153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6da8d95dc02094b78edd222cde47e8c

SHA1
560c2734bb380e8b62ba3e4a950d1496fbf6d91f

SHA256
de5be1b358c7364230271f317386d67925853594d48ca2510a6082c020d03e06

SHA512
bec46aaff0be8ea7d7c4bccbd96575dab67e016741ab554d176f211290854c592772ec2d2c85929e2abb5ff568803883e990fe72aedb74036605710d5ce5e466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6da8d95dc02094b78edd222cde47e8c

SHA1
560c2734bb380e8b62ba3e4a950d1496fbf6d91f

SHA256
de5be1b358c7364230271f317386d67925853594d48ca2510a6082c020d03e06

SHA512
bec46aaff0be8ea7d7c4bccbd96575dab67e016741ab554d176f211290854c592772ec2d2c85929e2abb5ff568803883e990fe72aedb74036605710d5ce5e466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b70459cf1365680f5d2220118af9215b

SHA1
66122410eeb565d5dbac4adab904c1c79cd98bd1

SHA256
383bcf341f4210c2a1aa5101025becacfb7c03e8a7621673d4765d3f072bb714

SHA512
e8df4f310290ab876320f3406e43c463af75a7cc8e6b7255344af8c7c61ee5e2faf46dde66486809a2c5155521e489aded9542dfa291413aa44f18e5d1a9c5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7219572ee3c702ad0750e61ee79fd201

SHA1
81a4067e507ad47aa48b1adddbdaf2f78c0a584a

SHA256
bf7ff2b489311335e3e4743ee533fc2ba2a3123b20e85137f7662381b19315a5

SHA512
735386c5648e579ca968b770d18b91a4154b4d418f4ef9ef2cd167129caaca3d6d82233ef9b2af6c531ee88a24bc5f32398aaf77e6b27475ac45c8441eca8745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7219572ee3c702ad0750e61ee79fd201

SHA1
81a4067e507ad47aa48b1adddbdaf2f78c0a584a

SHA256
bf7ff2b489311335e3e4743ee533fc2ba2a3123b20e85137f7662381b19315a5

SHA512
735386c5648e579ca968b770d18b91a4154b4d418f4ef9ef2cd167129caaca3d6d82233ef9b2af6c531ee88a24bc5f32398aaf77e6b27475ac45c8441eca8745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81cabd8f3d4314a3845b469c34e3470d

SHA1
dba95d59050661ba208a5100207e32498e07954b

SHA256
9b1757f539bbbe0f66070b6302a018c79e8c572dfe35c51743a40d3da6bd790e

SHA512
3e2d3b35908fff4ace2e050290913e5eacd6985ced7c4cfa4565d946ab3aa48f6b65dcef59a7558d9939601bc38cbc988a58f9987a22ff48974b0591985fcfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc56f8f7d3e201d81978d203859b11df

SHA1
756b5ce3df03839f5a855c4ec684cc60e41a2be7

SHA256
748baf5bf62f5567ab93ea13c2f925e1deaf097a35112995b211483d1a973187

SHA512
e2e02af3e01f90039b80a3c7ca85dd530eaa366fc16d7a26a9eb2533fe7165b064ab0a6540e11fc73280b9cfbeca09acb5eab9bd4ee78affa86176097e081f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc56f8f7d3e201d81978d203859b11df

SHA1
756b5ce3df03839f5a855c4ec684cc60e41a2be7

SHA256
748baf5bf62f5567ab93ea13c2f925e1deaf097a35112995b211483d1a973187

SHA512
e2e02af3e01f90039b80a3c7ca85dd530eaa366fc16d7a26a9eb2533fe7165b064ab0a6540e11fc73280b9cfbeca09acb5eab9bd4ee78affa86176097e081f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f30c304b20bbe96851b4aef7f2632b2

SHA1
58743a60afc2b31ae8b92b0111fd9567812b3c5c

SHA256
0ecf0905fd61e0ee03cb72814224526d0396b1394986138609a87c558f1dfb1a

SHA512
05557d984d69506a824ae2e68a392e54d03bb6f8b06cdba80d156226c03f4f824ba04c530e02c55e10adcd0f880508d5516adecde0d834969e1b16fe62345e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqW7BxKDuW

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RC9RfawKsh

Filesize
92KB

MD5
2142bae14dcae3bbff55f6c26f638578

SHA1
a933fac3b4acec7a60fe75b414d1478ffaf031d0

SHA256
4020f8f89d9285f9149f5fc4f098848ab7ed8b3a7eb15ca6657bd485d69972d0

SHA512
7c785f9d606cc90ea6ff30e7109d20a457faa917398fbb4f56853b4912d8a4e76fb8150136a496ac39ffcaa169eda3d89e289b968dda88aa31c07d1e21f26e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gy0p5t1p.tbl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz6LcPi0pt

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/240-114-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/240-236-0x000001F9ED0D0000-0x000001F9ED0E0000-memory.dmp

Filesize
64KB

Download
memory/240-161-0x000001F9ED1E0000-0x000001F9ED256000-memory.dmp

Filesize
472KB

Download
memory/240-149-0x000001F9ED0D0000-0x000001F9ED0E0000-memory.dmp

Filesize
64KB

Download
memory/240-129-0x000001F9ED0D0000-0x000001F9ED0E0000-memory.dmp

Filesize
64KB

Download
memory/1768-141-0x00000239DB0C0000-0x00000239DB0D0000-memory.dmp

Filesize
64KB

Download
memory/1768-139-0x00000239DB0C0000-0x00000239DB0D0000-memory.dmp

Filesize
64KB

Download
memory/1768-124-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1960-39-0x000000001BCC0000-0x000000001BCD6000-memory.dmp

Filesize
88KB

Download
memory/1960-42-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/1960-34-0x0000000000F30000-0x00000000010B0000-memory.dmp

Filesize
1.5MB

Download
memory/1960-83-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1960-35-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1960-36-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/1960-37-0x000000001BCA0000-0x000000001BCBC000-memory.dmp

Filesize
112KB

Download
memory/1960-38-0x000000001BD10000-0x000000001BD60000-memory.dmp

Filesize
320KB

Download
memory/1960-43-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

Filesize
56KB

Download
memory/1960-44-0x000000001BD00000-0x000000001BD0A000-memory.dmp

Filesize
40KB

Download
memory/1960-45-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/1960-40-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/1960-41-0x00000000031B0000-0x00000000031BC000-memory.dmp

Filesize
48KB

Download
memory/2128-145-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-127-0x000001E524B20000-0x000001E524B30000-memory.dmp

Filesize
64KB

Download
memory/2960-148-0x000001E524B20000-0x000001E524B30000-memory.dmp

Filesize
64KB

Download
memory/2960-146-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-237-0x000001E524B20000-0x000001E524B30000-memory.dmp

Filesize
64KB

Download
memory/3108-421-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/3108-238-0x0000022C24190000-0x0000022C241A0000-memory.dmp

Filesize
64KB

Download
memory/3108-93-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-143-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-147-0x000001D9690D0000-0x000001D9690E0000-memory.dmp

Filesize
64KB

Download
memory/3804-125-0x000001D968D60000-0x000001D968D82000-memory.dmp

Filesize
136KB

Download
memory/3828-25-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/3828-1-0x00000000010E0000-0x000000000145E000-memory.dmp

Filesize
3.5MB

Download
memory/3828-3-0x0000000005F90000-0x0000000005FA0000-memory.dmp

Filesize
64KB

Download
memory/3828-2-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/3828-4-0x00000000010E0000-0x000000000145E000-memory.dmp

Filesize
3.5MB

Download
memory/3828-28-0x00000000010E0000-0x000000000145E000-memory.dmp

Filesize
3.5MB

Download
memory/3828-24-0x00000000071D0000-0x00000000076CE000-memory.dmp

Filesize
5.0MB

Download
memory/3828-29-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/3828-6-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/3828-7-0x0000000005F90000-0x0000000005FA0000-memory.dmp

Filesize
64KB

Download
memory/3828-0-0x00000000010E0000-0x000000000145E000-memory.dmp

Filesize
3.5MB

Download
memory/3832-131-0x00000268A4CD0000-0x00000268A4CE0000-memory.dmp

Filesize
64KB

Download
memory/3832-132-0x00000268A4CD0000-0x00000268A4CE0000-memory.dmp

Filesize
64KB

Download
memory/3832-102-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4024-126-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4024-138-0x0000026624000000-0x0000026624010000-memory.dmp

Filesize
64KB

Download
memory/4236-136-0x0000019DCF9F0000-0x0000019DCFA00000-memory.dmp

Filesize
64KB

Download
memory/4236-137-0x0000019DCF9F0000-0x0000019DCFA00000-memory.dmp

Filesize
64KB

Download
memory/4236-123-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4384-134-0x0000026025900000-0x0000026025910000-memory.dmp

Filesize
64KB

Download
memory/4384-135-0x0000026025900000-0x0000026025910000-memory.dmp

Filesize
64KB

Download
memory/4384-120-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4420-235-0x00000274802B0000-0x00000274802C0000-memory.dmp

Filesize
64KB

Download
memory/4420-128-0x00000274802B0000-0x00000274802C0000-memory.dmp

Filesize
64KB

Download
memory/4420-130-0x00000274802B0000-0x00000274802C0000-memory.dmp

Filesize
64KB

Download
memory/4420-144-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4600-75-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4600-378-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4600-239-0x000001C0C9A50000-0x000001C0C9A60000-memory.dmp

Filesize
64KB

Download
memory/4996-133-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4996-142-0x0000012C686B0000-0x0000012C686C0000-memory.dmp

Filesize
64KB

Download
memory/4996-140-0x0000012C686B0000-0x0000012C686C0000-memory.dmp

Filesize
64KB

Download