dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1787s
max time network
1805s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1552	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1552	schtasks.exe	74

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af2a-11.dat	dcrat
behavioral2/files/0x000800000001af2a-14.dat	dcrat
behavioral2/files/0x000700000001afae-28.dat	dcrat
behavioral2/files/0x000700000001afae-29.dat	dcrat
behavioral2/memory/2108-32-0x0000000000A20000-0x0000000000BA0000-memory.dmp	dcrat
behavioral2/files/0x000600000001afb3-48.dat	dcrat
behavioral2/files/0x000600000001afbd-72.dat	dcrat
behavioral2/files/0x000600000001afbd-73.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3996	Loader.exe
2108	MsServerfont.exe
2524	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
748	YammiBeta.exe
748	YammiBeta.exe
748	YammiBeta.exe
748	YammiBeta.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\ja-JP\sysmon.exe	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\ja-JP\121e5b5079f7c0	MsServerfont.exe
File created	C:\Program Files\Windows Security\BrowserCore\System.exe	MsServerfont.exe
File created	C:\Program Files\Windows Security\BrowserCore\27d1bcfc3c54e0	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\System.exe	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\27d1bcfc3c54e0	MsServerfont.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\lsass.exe	MsServerfont.exe
File created	C:\Windows\security\templates\6203df4a6bafc7	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4244	schtasks.exe
4508	schtasks.exe
4976	schtasks.exe
4428	schtasks.exe
2116	schtasks.exe
1072	schtasks.exe
1704	schtasks.exe
3148	schtasks.exe
2032	schtasks.exe
3296	schtasks.exe
4240	schtasks.exe
4532	schtasks.exe
4600	schtasks.exe
4128	schtasks.exe
4804	schtasks.exe
4492	schtasks.exe
2132	schtasks.exe
4852	schtasks.exe
1076	schtasks.exe
4212	schtasks.exe
5016	schtasks.exe
2488	schtasks.exe
4236	schtasks.exe
912	schtasks.exe
4024	schtasks.exe
4960	schtasks.exe
5092	schtasks.exe
4996	schtasks.exe
4056	schtasks.exe
3936	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	MsServerfont.exe
2108	MsServerfont.exe
2108	MsServerfont.exe
2108	MsServerfont.exe
2108	MsServerfont.exe
2108	MsServerfont.exe
2108	MsServerfont.exe
1880	powershell.exe
1880	powershell.exe
660	powershell.exe
660	powershell.exe
2076	powershell.exe
2076	powershell.exe
744	powershell.exe
744	powershell.exe
5052	powershell.exe
5052	powershell.exe
424	powershell.exe
424	powershell.exe
2940	powershell.exe
2940	powershell.exe
652	powershell.exe
652	powershell.exe
1068	powershell.exe
1068	powershell.exe
4760	powershell.exe
4760	powershell.exe
4564	powershell.exe
4564	powershell.exe
916	powershell.exe
916	powershell.exe
2524	System.exe
2524	System.exe
1880	powershell.exe
1068	powershell.exe
660	powershell.exe
4760	powershell.exe
2076	powershell.exe
744	powershell.exe
5052	powershell.exe
652	powershell.exe
424	powershell.exe
4564	powershell.exe
916	powershell.exe
2940	powershell.exe
4760	powershell.exe
1880	powershell.exe
660	powershell.exe
1068	powershell.exe
2076	powershell.exe
916	powershell.exe
652	powershell.exe
5052	powershell.exe
5052	powershell.exe
424	powershell.exe
744	powershell.exe
744	powershell.exe
4564	powershell.exe
2940	powershell.exe
2524	System.exe
2524	System.exe
2524	System.exe
2524	System.exe
2524	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	YammiBeta.exe
Token: SeDebugPrivilege	2108	MsServerfont.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2524	System.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeIncreaseQuotaPrivilege	1880	powershell.exe
Token: SeSecurityPrivilege	1880	powershell.exe
Token: SeTakeOwnershipPrivilege	1880	powershell.exe
Token: SeLoadDriverPrivilege	1880	powershell.exe
Token: SeSystemProfilePrivilege	1880	powershell.exe
Token: SeSystemtimePrivilege	1880	powershell.exe
Token: SeProfSingleProcessPrivilege	1880	powershell.exe
Token: SeIncBasePriorityPrivilege	1880	powershell.exe
Token: SeCreatePagefilePrivilege	1880	powershell.exe
Token: SeBackupPrivilege	1880	powershell.exe
Token: SeRestorePrivilege	1880	powershell.exe
Token: SeShutdownPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeSystemEnvironmentPrivilege	1880	powershell.exe
Token: SeRemoteShutdownPrivilege	1880	powershell.exe
Token: SeUndockPrivilege	1880	powershell.exe
Token: SeManageVolumePrivilege	1880	powershell.exe
Token: 33	1880	powershell.exe
Token: 34	1880	powershell.exe
Token: 35	1880	powershell.exe
Token: 36	1880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4760	powershell.exe
Token: SeSecurityPrivilege	4760	powershell.exe
Token: SeTakeOwnershipPrivilege	4760	powershell.exe
Token: SeLoadDriverPrivilege	4760	powershell.exe
Token: SeSystemProfilePrivilege	4760	powershell.exe
Token: SeSystemtimePrivilege	4760	powershell.exe
Token: SeProfSingleProcessPrivilege	4760	powershell.exe
Token: SeIncBasePriorityPrivilege	4760	powershell.exe
Token: SeCreatePagefilePrivilege	4760	powershell.exe
Token: SeBackupPrivilege	4760	powershell.exe
Token: SeRestorePrivilege	4760	powershell.exe
Token: SeShutdownPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeSystemEnvironmentPrivilege	4760	powershell.exe
Token: SeRemoteShutdownPrivilege	4760	powershell.exe
Token: SeUndockPrivilege	4760	powershell.exe
Token: SeManageVolumePrivilege	4760	powershell.exe
Token: 33	4760	powershell.exe
Token: 34	4760	powershell.exe
Token: 35	4760	powershell.exe
Token: 36	4760	powershell.exe
Token: SeIncreaseQuotaPrivilege	660	powershell.exe
Token: SeSecurityPrivilege	660	powershell.exe
Token: SeTakeOwnershipPrivilege	660	powershell.exe
Token: SeLoadDriverPrivilege	660	powershell.exe
Token: SeSystemProfilePrivilege	660	powershell.exe
Token: SeSystemtimePrivilege	660	powershell.exe
Token: SeProfSingleProcessPrivilege	660	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	YammiBeta.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3996	748	YammiBeta.exe	69
PID 748 wrote to memory of 3996	748	YammiBeta.exe	69
PID 748 wrote to memory of 3996	748	YammiBeta.exe	69
PID 3996 wrote to memory of 4496	3996	Loader.exe	70
PID 3996 wrote to memory of 4496	3996	Loader.exe	70
PID 3996 wrote to memory of 4496	3996	Loader.exe	70
PID 4496 wrote to memory of 792	4496	WScript.exe	71
PID 4496 wrote to memory of 792	4496	WScript.exe	71
PID 4496 wrote to memory of 792	4496	WScript.exe	71
PID 792 wrote to memory of 2108	792	cmd.exe	73
PID 792 wrote to memory of 2108	792	cmd.exe	73
PID 2108 wrote to memory of 4760	2108	MsServerfont.exe	105
PID 2108 wrote to memory of 4760	2108	MsServerfont.exe	105
PID 2108 wrote to memory of 424	2108	MsServerfont.exe	128
PID 2108 wrote to memory of 424	2108	MsServerfont.exe	128
PID 2108 wrote to memory of 2076	2108	MsServerfont.exe	127
PID 2108 wrote to memory of 2076	2108	MsServerfont.exe	127
PID 2108 wrote to memory of 4564	2108	MsServerfont.exe	126
PID 2108 wrote to memory of 4564	2108	MsServerfont.exe	126
PID 2108 wrote to memory of 1880	2108	MsServerfont.exe	125
PID 2108 wrote to memory of 1880	2108	MsServerfont.exe	125
PID 2108 wrote to memory of 2940	2108	MsServerfont.exe	124
PID 2108 wrote to memory of 2940	2108	MsServerfont.exe	124
PID 2108 wrote to memory of 660	2108	MsServerfont.exe	122
PID 2108 wrote to memory of 660	2108	MsServerfont.exe	122
PID 2108 wrote to memory of 1068	2108	MsServerfont.exe	121
PID 2108 wrote to memory of 1068	2108	MsServerfont.exe	121
PID 2108 wrote to memory of 5052	2108	MsServerfont.exe	120
PID 2108 wrote to memory of 5052	2108	MsServerfont.exe	120
PID 2108 wrote to memory of 744	2108	MsServerfont.exe	119
PID 2108 wrote to memory of 744	2108	MsServerfont.exe	119
PID 2108 wrote to memory of 916	2108	MsServerfont.exe	118
PID 2108 wrote to memory of 916	2108	MsServerfont.exe	118
PID 2108 wrote to memory of 652	2108	MsServerfont.exe	107
PID 2108 wrote to memory of 652	2108	MsServerfont.exe	107
PID 2108 wrote to memory of 2524	2108	MsServerfont.exe	129
PID 2108 wrote to memory of 2524	2108	MsServerfont.exe	129

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
      - C:\Program Files\Windows Security\BrowserCore\System.exe
        
        "C:\Program Files\Windows Security\BrowserCore\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Users\Default\Music\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\ja-JP\sysmon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows Security\BrowserCore\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows Security\BrowserCore\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
661d1a9fefac8b34c628e18b4d77dfd0

SHA1
cba0046168841589cdebce6758cbc6c6d3f33054

SHA256
1d7bad38d3f94a81dc5fe8c7e4cddf18f246f38ac08f4992add584b3910cde22

SHA512
4260a9b736171c1552aa8af13bd30374300f0f41899ad2fb1e6668ab32bb6eef9ebe2ca0fba9f50fb3053075ff4c60f3ac0c3c56a01bad2dc8079c0b2f0368c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
661d1a9fefac8b34c628e18b4d77dfd0

SHA1
cba0046168841589cdebce6758cbc6c6d3f33054

SHA256
1d7bad38d3f94a81dc5fe8c7e4cddf18f246f38ac08f4992add584b3910cde22

SHA512
4260a9b736171c1552aa8af13bd30374300f0f41899ad2fb1e6668ab32bb6eef9ebe2ca0fba9f50fb3053075ff4c60f3ac0c3c56a01bad2dc8079c0b2f0368c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9ae1e29802eb3bc242c3f919b09d49a

SHA1
c7bf066f587a16924b82fc2cef5d29df5667e1b3

SHA256
9d538ac91a4ea0915aaec15afa70f4c2af2ff2727f9eedb487cdff4acdf85179

SHA512
4e3600c084c7104db0370c948a04aa46aeb8fa203910274f8664062d56274f6af63bfcdb7882f08eed690e1a70b6568d5e5785e63f3e6dda44e5c371707f9219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9ae1e29802eb3bc242c3f919b09d49a

SHA1
c7bf066f587a16924b82fc2cef5d29df5667e1b3

SHA256
9d538ac91a4ea0915aaec15afa70f4c2af2ff2727f9eedb487cdff4acdf85179

SHA512
4e3600c084c7104db0370c948a04aa46aeb8fa203910274f8664062d56274f6af63bfcdb7882f08eed690e1a70b6568d5e5785e63f3e6dda44e5c371707f9219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1490826229bdfb7921fe03033af501a9

SHA1
2022b014af6c18aad9d01e10a5844bac8c762a1a

SHA256
a3d5d43521e67a1588b463ed5f1461e7caad4633566415afb54e09be94d33b55

SHA512
af171d12aba3bdc634983cdbb9db551751910df4945b5253f8f9fa6c1612da35f7b18f66e5828bd4444893c27ab7e606eca7b1c366fcbfa914db2b465c361788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8090e29726a700503a01020f544b0921

SHA1
ba11365a84e93cdda24b71db81a475b7945bde2a

SHA256
4d167349d02982eae78a711205c7e8487878ccd99d9252eb9eea3890fd4d37fe

SHA512
45fcbb591211c78caf4308e5052817c5d42a5d67f55cc1988caaf31eff8c06f127a523107620038750b06bb455a17516f4b05f321b6f8db8922dd99689624d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8090e29726a700503a01020f544b0921

SHA1
ba11365a84e93cdda24b71db81a475b7945bde2a

SHA256
4d167349d02982eae78a711205c7e8487878ccd99d9252eb9eea3890fd4d37fe

SHA512
45fcbb591211c78caf4308e5052817c5d42a5d67f55cc1988caaf31eff8c06f127a523107620038750b06bb455a17516f4b05f321b6f8db8922dd99689624d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8090e29726a700503a01020f544b0921

SHA1
ba11365a84e93cdda24b71db81a475b7945bde2a

SHA256
4d167349d02982eae78a711205c7e8487878ccd99d9252eb9eea3890fd4d37fe

SHA512
45fcbb591211c78caf4308e5052817c5d42a5d67f55cc1988caaf31eff8c06f127a523107620038750b06bb455a17516f4b05f321b6f8db8922dd99689624d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
630bc39ce098cd355988d9fa8853aff0

SHA1
8bcf8c166d72230253d1998cf30fa0a4df9f77d3

SHA256
3fd6649877e7fcee0194234570a990e76db680aa536fbb006b2874288ce2efd8

SHA512
d9d6ab7ce7b47083405ee1bdddb25546ddd0c52d8165dc921e763a2e2c985392b99f07c5c410b8639f43db7c0329480bc22cb62614fc05b159daefb4cba1a197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
630bc39ce098cd355988d9fa8853aff0

SHA1
8bcf8c166d72230253d1998cf30fa0a4df9f77d3

SHA256
3fd6649877e7fcee0194234570a990e76db680aa536fbb006b2874288ce2efd8

SHA512
d9d6ab7ce7b47083405ee1bdddb25546ddd0c52d8165dc921e763a2e2c985392b99f07c5c410b8639f43db7c0329480bc22cb62614fc05b159daefb4cba1a197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
630bc39ce098cd355988d9fa8853aff0

SHA1
8bcf8c166d72230253d1998cf30fa0a4df9f77d3

SHA256
3fd6649877e7fcee0194234570a990e76db680aa536fbb006b2874288ce2efd8

SHA512
d9d6ab7ce7b47083405ee1bdddb25546ddd0c52d8165dc921e763a2e2c985392b99f07c5c410b8639f43db7c0329480bc22cb62614fc05b159daefb4cba1a197

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asu0usqm.kfr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/424-146-0x00000184EF790000-0x00000184EF7A0000-memory.dmp

Filesize
64KB

Download
memory/424-147-0x00000184EF790000-0x00000184EF7A0000-memory.dmp

Filesize
64KB

Download
memory/424-129-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/652-132-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/652-148-0x000001F8C4E30000-0x000001F8C4E40000-memory.dmp

Filesize
64KB

Download
memory/660-125-0x000002821BC00000-0x000002821BC10000-memory.dmp

Filesize
64KB

Download
memory/660-74-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/660-217-0x000002821BC00000-0x000002821BC10000-memory.dmp

Filesize
64KB

Download
memory/744-138-0x0000024F340A0000-0x0000024F340B0000-memory.dmp

Filesize
64KB

Download
memory/744-139-0x0000024F340A0000-0x0000024F340B0000-memory.dmp

Filesize
64KB

Download
memory/744-161-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/748-6-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/748-25-0x00000000070B0000-0x0000000007142000-memory.dmp

Filesize
584KB

Download
memory/748-33-0x0000000000EA0000-0x000000000121E000-memory.dmp

Filesize
3.5MB

Download
memory/748-24-0x00000000074C0000-0x00000000079BE000-memory.dmp

Filesize
5.0MB

Download
memory/748-1-0x0000000000EA0000-0x000000000121E000-memory.dmp

Filesize
3.5MB

Download
memory/748-3-0x0000000003FC0000-0x0000000003FD0000-memory.dmp

Filesize
64KB

Download
memory/748-0-0x0000000000EA0000-0x000000000121E000-memory.dmp

Filesize
3.5MB

Download
memory/748-2-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/748-4-0x0000000000EA0000-0x000000000121E000-memory.dmp

Filesize
3.5MB

Download
memory/748-7-0x0000000003FC0000-0x0000000003FD0000-memory.dmp

Filesize
64KB

Download
memory/748-35-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/916-126-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/916-143-0x00000264ED9D0000-0x00000264ED9E0000-memory.dmp

Filesize
64KB

Download
memory/916-145-0x00000264ED9D0000-0x00000264ED9E0000-memory.dmp

Filesize
64KB

Download
memory/1068-128-0x000001A057580000-0x000001A0575A2000-memory.dmp

Filesize
136KB

Download
memory/1068-130-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/1068-142-0x000001A057570000-0x000001A057580000-memory.dmp

Filesize
64KB

Download
memory/1068-144-0x000001A057570000-0x000001A057580000-memory.dmp

Filesize
64KB

Download
memory/1880-160-0x00000161AE100000-0x00000161AE176000-memory.dmp

Filesize
472KB

Download
memory/1880-131-0x0000016195BE0000-0x0000016195BF0000-memory.dmp

Filesize
64KB

Download
memory/1880-133-0x0000016195BE0000-0x0000016195BF0000-memory.dmp

Filesize
64KB

Download
memory/1880-227-0x0000016195BE0000-0x0000016195BF0000-memory.dmp

Filesize
64KB

Download
memory/1880-95-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-137-0x000001772CC90000-0x000001772CCA0000-memory.dmp

Filesize
64KB

Download
memory/2076-163-0x000001772CC90000-0x000001772CCA0000-memory.dmp

Filesize
64KB

Download
memory/2076-116-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-38-0x000000001BD90000-0x000000001BDE0000-memory.dmp

Filesize
320KB

Download
memory/2108-87-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-32-0x0000000000A20000-0x0000000000BA0000-memory.dmp

Filesize
1.5MB

Download
memory/2108-34-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-36-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/2108-37-0x0000000002C90000-0x0000000002CAC000-memory.dmp

Filesize
112KB

Download
memory/2108-39-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/2108-40-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2108-41-0x0000000002CB0000-0x0000000002CBC000-memory.dmp

Filesize
48KB

Download
memory/2108-43-0x0000000002D00000-0x0000000002D0E000-memory.dmp

Filesize
56KB

Download
memory/2108-42-0x0000000002CF0000-0x0000000002CFE000-memory.dmp

Filesize
56KB

Download
memory/2108-44-0x0000000002D10000-0x0000000002D1A000-memory.dmp

Filesize
40KB

Download
memory/2108-45-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/2524-135-0x000000001AE30000-0x000000001AE40000-memory.dmp

Filesize
64KB

Download
memory/2524-154-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-169-0x000002D567B40000-0x000002D567B50000-memory.dmp

Filesize
64KB

Download
memory/2940-140-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/4564-127-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/4564-150-0x0000022F278E0000-0x0000022F278F0000-memory.dmp

Filesize
64KB

Download
memory/4564-149-0x0000022F278E0000-0x0000022F278F0000-memory.dmp

Filesize
64KB

Download
memory/4760-166-0x0000012FA01E0000-0x0000012FA01F0000-memory.dmp

Filesize
64KB

Download
memory/4760-218-0x0000012FA01E0000-0x0000012FA01F0000-memory.dmp

Filesize
64KB

Download
memory/4760-124-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/4760-141-0x0000012FA01E0000-0x0000012FA01F0000-memory.dmp

Filesize
64KB

Download
memory/5052-134-0x00000250955A0000-0x00000250955B0000-memory.dmp

Filesize
64KB

Download
memory/5052-108-0x00007FFB6D4A0000-0x00007FFB6DE8C000-memory.dmp

Filesize
9.9MB

Download
memory/5052-136-0x00000250955A0000-0x00000250955B0000-memory.dmp

Filesize
64KB

Download