dcrat | 85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

Analysis

max time kernel
3s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
Size

1.7MB
MD5

f110d8cce9bfb48c7360203fa38d21c7
SHA1

b25dc35fe3741b5c6cf8286d65067920fb89823b
SHA256

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87
SHA512

506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2296	schtasks.exe	28

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000210000-0x00000000003C6000-memory.dmp	dcrat
behavioral1/files/0x0006000000015c85-28.dat	dcrat
behavioral1/files/0x0006000000018b82-74.dat	dcrat
behavioral1/files/0x000500000001946a-86.dat	dcrat
behavioral1/files/0x002e000000014824-110.dat	dcrat
behavioral1/files/0x000a000000014f08-121.dat	dcrat
behavioral1/files/0x000d00000001549c-144.dat	dcrat
behavioral1/files/0x000a000000015c85-168.dat	dcrat
behavioral1/files/0x0008000000015ea1-203.dat	dcrat
behavioral1/files/0x000a0000000162d1-236.dat	dcrat
behavioral1/files/0x0006000000016051-412.dat	dcrat
behavioral1/files/0x0006000000016051-411.dat	dcrat
behavioral1/files/0x0006000000016051-455.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\dwm.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\lsass.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Windows\debug\6203df4a6bafc7	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1776	schtasks.exe
1640	schtasks.exe
1680	schtasks.exe
1992	schtasks.exe
1284	schtasks.exe
1136	schtasks.exe
3044	schtasks.exe
1084	schtasks.exe
1224	schtasks.exe
2880	schtasks.exe
2860	schtasks.exe
1664	schtasks.exe
3012	schtasks.exe
2100	schtasks.exe
1384	schtasks.exe
1596	schtasks.exe
344	schtasks.exe
2592	schtasks.exe
2276	schtasks.exe
1580	schtasks.exe
1908	schtasks.exe
1736	schtasks.exe
2108	schtasks.exe
1316	schtasks.exe
2844	schtasks.exe
2636	schtasks.exe
2684	schtasks.exe
2820	schtasks.exe
2800	schtasks.exe
1092	schtasks.exe
2360	schtasks.exe
2960	schtasks.exe
1948	schtasks.exe
1732	schtasks.exe
1508	schtasks.exe
2176	schtasks.exe
2928	schtasks.exe
876	schtasks.exe
1016	schtasks.exe
1960	schtasks.exe
2620	schtasks.exe
2864	schtasks.exe
2224	schtasks.exe
2472	schtasks.exe
1772	schtasks.exe
1852	schtasks.exe
1324	schtasks.exe
2724	schtasks.exe
2256	schtasks.exe
1328	schtasks.exe
856	schtasks.exe
484	schtasks.exe
2476	schtasks.exe
2104	schtasks.exe
268	schtasks.exe
1688	schtasks.exe
3056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
"C:\Users\Admin\AppData\Local\Temp\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
  2⤵
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1028
- - C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe"
    3⤵
    PID:1092
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa41aae6-b023-4788-aef6-2bd38ba49f70.vbs"
      4⤵
      PID:1684
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe"
        5⤵
        
        PID:1552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92f42038-b022-4600-a9e3-a4c1c6319b45.vbs"
      4⤵
      PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb878" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb878" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\server\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb878" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb878" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\server\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\server\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\179d7a82-9b9c-11ee-95b5-e6b52eba4e86\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\audiodg.exe

Filesize
625KB

MD5
05e49f918c72c30e6379e3e679414612

SHA1
fe01ea7f605fd46780f78c595e1e117dc4bb7573

SHA256
f22a173f69e88d78c887777a85f22b9328badf76b9ae5a3d27e3319aabe2b03a

SHA512
42e815957b084cfa40d6525d36efa0dbf0ac35b192ba8ce7bdf7d878d79bb0223628c9b63e7bddd28d4634472504dccb2535b78576a141cfc57172d7f0fec9a6

Download Submit
C:\MSOCache\All Users\audiodg.exe

Filesize
6KB

MD5
9df0e2504418971d8b5ca26e1c0b4b22

SHA1
78229e0a2eec623698a267f6d5527bab46997406

SHA256
1e10af602450eaa6c5d47cda6a2e915a4b08b83b317cbea1fd2f75b78c40f800

SHA512
030ff3d4c901bf39256345f3dfe56a5f17a769df680856c94652f0b4f82fddab15cf51a6192fe79112f3077d8864388e2a41010ea68e166b6bf1497cfe28b923

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe

Filesize
19KB

MD5
bf49952cace6abbc8fa3440a56158422

SHA1
14dda3613c31ba5faedc353c4fa21c44b2325587

SHA256
0352c2c0c18e6983e12d25b2731a7b9b8c26cafdcef04a06defff308154ed67f

SHA512
b796ede6f0fd7dc4f8dd36b47105ed8d0661660c37d91fba8142e80e552b5978ad03eb3f4ef7058822093cb458d993d6699aad0b3828337ca7faaf810364eae0

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe

Filesize
254KB

MD5
4ebd563c39d3b2bb01a6fe0883b1dd40

SHA1
ffbbc198bbbc1f40886b765b170070396aeb04ec

SHA256
bc157acb4079864953189f624136513b652fc15d0ef279f4f80110f1eca4ecac

SHA512
346a3c2618a53bbb7a77bd88a7919417207524c79dfaee7739afc4e5cece7959e43dd41375f2c372bfba961da2d299cfcb0f23abf9ec534fb50db4fd622fb2f3

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe

Filesize
332KB

MD5
60e132ff7fc139a26e0b31597540ece3

SHA1
db53951b8cdc5238aa09928f1010bfaa8e059bef

SHA256
5caf3359efdffbea3f30dd084e22a32c71f5b3679989d3a304331e1039bb35f5

SHA512
2036b6ce567938ba654a8062805a60bc9b099990e28899a92c33b586967d022578b40ddae5065ae61de880c9caa64d8269a28b7b61bec77301735aa3f2cf0ba0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Filesize
46KB

MD5
be4d5623595342e16d1515f74a4a756b

SHA1
94ac8bf1f7df312bd6784d98d171cf314c496b0d

SHA256
e3202e1d670dc2b8167b4d9c17a03f4a70672a064a5c27da922d0f2d6cc01df1

SHA512
c367323a5a446370c36418cdc589bb8ac14d909834eaa52e2da333b508521b736018e579e464edd62b963c60af69d193bd417e4c444b5d8ba0463b397f32db53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Filesize
26KB

MD5
3c8677492b3daa92fc90abae3a48bb20

SHA1
8f492f21b1d28897413e9e18b92874597c45325f

SHA256
6950e2f26495c6587363bb6241401acbb34c822d2e71de3f1fa87cc3d38ce2d3

SHA512
0a51594decab537fa2a8e2aaf4e57f654e4ffd010f87ecaccf86bd57ca798f3dde3986a40a8e11a3f632edabf6a73079725934c040bc99d43e4f15282d121b54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Filesize
145KB

MD5
1b0e9042d8d0500603587a29b1e7b591

SHA1
10a6a33f0ece8f15fe820825396815b9a351cdb4

SHA256
8d506be083d4fe9f7491f50f5100d2fde9b2880d7ead3a97e3d2d6d49473d45c

SHA512
93a4c97e7ba41dcb58f23586dbd9d91f4e274519b6b0398f90f99145bc049311ec6191b02ac6a8b6e8d131fb984a4f06bfa5a8a60eb56a32f93fe825037d1ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat

Filesize
289B

MD5
517117cfd4844a16657f0d88b932451b

SHA1
e2f209226d79b8926e2542fe6b1394202a9ccc6b

SHA256
bf6eed65fd6db069a95031ebbe6ae78ad7f038e5ad205a1154e78a8054fd91d4

SHA512
a471a76dfc72ab35adc4d4eddb9e3d0880bdd210438148515b0afcfc0d16da6662b5f5915cc06612915de156d524d4e39af39a296d6251eef1333b1263d2af5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\92f42038-b022-4600-a9e3-a4c1c6319b45.vbs

Filesize
576B

MD5
95d2084f2cc5824f8c6ba5f3c47eb246

SHA1
0a606bdbb5cf7d23f40d7ba9d30477334d169f7f

SHA256
eb1f48763a313e626e6564e33d7443bab1989f5194da50b5bb9b35dd6600c974

SHA512
bb19481f1798a1165f3146669479b02fcaf2f331bbd401a77c5c06f5eb992899046158d0b2863009d2cbf46b9871ebea8243793101fc434c87ddb2d6d4e93d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa41aae6-b023-4788-aef6-2bd38ba49f70.vbs

Filesize
800B

MD5
85e60958bb59e08475ab11d84ad85a63

SHA1
98edc1cf6635e77ac9f6619ec06179d2fed39e48

SHA256
0cdf7038c12f379b0a4e7a71d42a65827e40bd35ec3d0326e7b26f70211eae51

SHA512
131d49058261588b462fbf0b2fc4b43f125bc1dde325d601df4486505f02b38d1370a0f6617cb5225ba8c352b26429c9266792e29b1d9cea3f58404970f5b185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c46f6a29be282f057405ece5ce5cecd9

SHA1
5b74edca34c2519d4436dbd551e688546afd9b31

SHA256
dd64c6b15a81e20c3a135bb9bde04161b9244004faf59e90b4ed3f7babf3a87b

SHA512
a7a7283308d989346330e209221b5429711f8db07865fb4c1f4cc48a970049232fa99f0ece7a585b3bd6225055d7f12f2ccceec7d4ab0220fe6efd7511ccd4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
1KB

MD5
3fa81fd73a2946f6ce6be87e8f169e25

SHA1
090a8f5088e36f3f61a95e5dc9bcf2ebd4a6006b

SHA256
52e635bbb25340c3c322f61b7b5999a36fa6323078231efcbba878f2a2ec7140

SHA512
63c15035c65cc4604829c1446c9856426745455ae4cf8463f873b43c4565636904da5ddfef54d572cf017e3110b5b37bf74b203a201e06166dd01dd9dec12789

Download Submit
C:\Users\Admin\Pictures\services.exe

Filesize
347KB

MD5
a019748fdded88dd135d406b13457499

SHA1
e085aeaed6cf8c42387f60c4c875edc7f4842667

SHA256
e9284068013b20a4c82067d7f3d3853d624602ca1156830afc96e8d9b17eafe6

SHA512
53bb28f0b9772df761ef6029ac3c52902f2361c9f404f10b929a69a353e02178b669e71e22711b601a390e9accf7272536b879f7c1933b65d0feef1bff55dbb8

Download Submit
C:\Windows\Temp\Crashpad\reports\taskhost.exe

Filesize
179KB

MD5
c53e776bad13954b135769f9eeb584ce

SHA1
3bd1b6a9b39467a12ec0e70be3fcbf816503731d

SHA256
dac48f4a730783e12238b00906740929f404af82a83688baf5d60d20a5c74f42

SHA512
11ab2d47a6713ad14c82d94d1fae0a6256585f45c4cf0b497aa4535102ac64fad694c13fd8d22205853b27c01f90af4cc2c9b50fa1fa7ce6e7df6315c852026e

Download Submit
C:\Windows\debug\lsass.exe

Filesize
293KB

MD5
44f8e1bf6b0f10bdfee543aa8e568cd4

SHA1
b227b534f2a69d6c373574ab36bf6e5491584730

SHA256
fe042de3bfd6b7a96b1be9665e367db43e5289d00719fb652f4e249bbb8f8905

SHA512
cd9e266de9cf111fe6cbdf8142fa7b8acc57141c9fed2b054d1fd54e61fa80384ff37e0769d9d9350d6c62ebe507e2d20a0d0ccbe21ac12b75e6040fb960f6cc

Download Submit
C:\Windows\tracing\winlogon.exe

Filesize
123KB

MD5
3b5f70d6c53e965830b280c26be2de05

SHA1
952a1f65fa80162ec7fd55a2a98436cef98752b2

SHA256
8feec7977462d143efdbead8ee0a177fc1ac398124768d97e391fac7036584ad

SHA512
c1a933ed6065e640d4db5148c3f5f685e8b95ffdc963092b61d9bc11ff8c9e02233b50ecf041feee6d4940ac0ddd20f661dfaf73028f74fa36762643b40201f4

Download Submit
memory/628-370-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/628-320-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/628-372-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/628-374-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/628-373-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/676-383-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2104-384-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-366-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-363-0x000000000289B000-0x0000000002902000-memory.dmp

Filesize
412KB

Download
memory/2108-369-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2164-353-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2164-354-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2164-360-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2164-361-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2164-375-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2164-318-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/2164-382-0x000000000280B000-0x0000000002872000-memory.dmp

Filesize
412KB

Download
memory/2404-379-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2528-288-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-17-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2528-263-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-262-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-0-0x0000000000210000-0x00000000003C6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-287-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-194-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-299-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-147-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-101-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-326-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-89-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-77-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-71-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-65-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-36-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-27-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-14-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/2528-1-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-2-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-3-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/2528-15-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2528-5-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2528-234-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-4-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/2528-7-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2528-18-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2528-16-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2528-13-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2528-6-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2528-8-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2528-10-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2528-12-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/2528-9-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2584-371-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2584-362-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-364-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2584-367-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2584-365-0x000000000241B000-0x0000000002482000-memory.dmp

Filesize
412KB

Download
memory/2624-377-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2624-376-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-381-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-380-0x00000000029AB000-0x0000000002A12000-memory.dmp

Filesize
412KB

Download
memory/2844-378-0x0000000002A9B000-0x0000000002B02000-memory.dmp

Filesize
412KB

Download
memory/2844-368-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-385-0x0000000002B5B000-0x0000000002BC2000-memory.dmp

Filesize
412KB

Download