dcrat | e810c9445e775019ee32d4a0d4aba7315a5e44527e854a444ad7f072c7dd891f

Analysis

max time kernel
10s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-11-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kirrstar.exe
Size

1.9MB
MD5

782545ebb1627aafbdd1f71cc52e50c7
SHA1

b1d27c1e03fe974d50137057951d1777439cc613
SHA256

e810c9445e775019ee32d4a0d4aba7315a5e44527e854a444ad7f072c7dd891f
SHA512

9083e247eebc90392c4a2b9e4b10a9c81eec85dc9a13c3f9b539918c7225d730f8dc470769ccdeb2bdf139ff68f6c640f7d2a1cd3bf1396236de80b5af7bf07c
SSDEEP

49152:HbA3FaX7C/8hUYjLY7rtMfDYj8Fun8rxe0SdqY:HbbX7C0E+Yjg9xnyv

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2260	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2260	schtasks.exe	84

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x001c00000002aab7-10.dat	dcrat
behavioral2/memory/1752-13-0x0000000000400000-0x00000000005A2000-memory.dmp	dcrat
behavioral2/files/0x001900000002aaf2-169.dat	dcrat
behavioral2/files/0x001c00000002aaea-187.dat	dcrat
behavioral2/files/0x001900000002aaf2-191.dat	dcrat
behavioral2/files/0x001c00000002aaea-198.dat	dcrat

Executes dropped EXE 1 IoCs

Processes:

hypercrtcommon.exe

pid	Process
1752	hypercrtcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exekirrstar.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kirrstar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

kirrstar.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	kirrstar.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3780	schtasks.exe
3504	schtasks.exe
5104	schtasks.exe
2024	schtasks.exe
1988	schtasks.exe
4924	schtasks.exe
4320	schtasks.exe
4244	schtasks.exe
3464	schtasks.exe
3468	schtasks.exe
2420	schtasks.exe
960	schtasks.exe
4856	schtasks.exe
2468	schtasks.exe
4808	schtasks.exe
4796	schtasks.exe
1924	schtasks.exe
1472	schtasks.exe
652	schtasks.exe
2000	schtasks.exe
1664	schtasks.exe
1588	schtasks.exe
4328	schtasks.exe
464	schtasks.exe
3764	schtasks.exe
4716	schtasks.exe
2416	schtasks.exe
3908	schtasks.exe
3912	schtasks.exe
4476	schtasks.exe
3056	schtasks.exe
884	schtasks.exe
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

hypercrtcommon.exe

pid	Process
1752	hypercrtcommon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hypercrtcommon.exe

description	pid	Process
Token: SeDebugPrivilege	1752	hypercrtcommon.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

kirrstar.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 3744 wrote to memory of 4496	3744	kirrstar.exe	79
PID 3744 wrote to memory of 4496	3744	kirrstar.exe	79
PID 3744 wrote to memory of 4496	3744	kirrstar.exe	79
PID 4496 wrote to memory of 1100	4496	WScript.exe	81
PID 4496 wrote to memory of 1100	4496	WScript.exe	81
PID 4496 wrote to memory of 1100	4496	WScript.exe	81
PID 1100 wrote to memory of 1752	1100	cmd.exe	83
PID 1100 wrote to memory of 1752	1100	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kirrstar.exe
"C:\Users\Admin\AppData\Local\Temp\kirrstar.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\serverWebRefcrt\nuGtg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\serverWebRefcrt\q5bwasDOM5YS7sD9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe
      "C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752
    - - C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        "C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe"
        5⤵
        
        PID:4088
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce09e1bf-fafa-4eb7-8122-300f4ff390f5.vbs"
        6⤵
        
        PID:2324
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        7⤵
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3157a898-cc7c-4ae1-b9f6-fc0860155405.vbs"
        8⤵
        
        PID:1800
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        9⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faef43b0-021d-4043-820d-ed2ba4069ce8.vbs"
        10⤵
        
        PID:1464
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        11⤵
        
        PID:3360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7685f198-18be-4d06-9bbb-20afa5223e35.vbs"
        12⤵
        
        PID:3900
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        13⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0066fa54-c92a-4c81-aca7-677366e8958e.vbs"
        14⤵
        
        PID:3580
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        15⤵
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c64bc0-802f-43e0-9fc0-de8c1418e270.vbs"
        16⤵
        
        PID:1840
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        17⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ef0bb9-33ad-445d-8df3-27da39c10e3f.vbs"
        18⤵
        
        PID:4372
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        19⤵
        
        PID:4760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d446e90-050b-4ac6-ac2e-ae95eb5a1009.vbs"
        20⤵
        
        PID:2560
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        21⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af0d4aed-8ca3-4f1a-b4f8-0d8a0b137ded.vbs"
        22⤵
        
        PID:4588
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        23⤵
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55d8dc11-52b9-4632-a843-becdd4c884c4.vbs"
        24⤵
        
        PID:2668
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        25⤵
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1c2d42-2f2b-4a70-abae-23d0fa4a8c48.vbs"
        26⤵
        
        PID:2004
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        27⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7234cfbb-5213-4e70-8792-3596f22f0f92.vbs"
        28⤵
        
        PID:2296
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        
        C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe
        29⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c3804b-0cbc-49b3-b921-4347f7fbf672.vbs"
        30⤵
        
        PID:3980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3810e7-fe48-4584-a305-4b6bde4170eb.vbs"
        30⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a1c83c-b838-4a8a-b120-905f47dc4f0b.vbs"
        28⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65fe66f0-ec4b-401a-9fa0-f57d79b98dc4.vbs"
        26⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530c4996-0a5f-417b-bd10-932dd4a76080.vbs"
        24⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf3bb56-0c78-4825-9dd5-e8fee40ca44b.vbs"
        22⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10a59a3e-a8ff-4460-ac5e-19b7e07f1e87.vbs"
        20⤵
        
        PID:3420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c9939c-6670-45d5-8ffb-9e0d653e750f.vbs"
        18⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25345b46-0e1d-4f27-b323-51b2c0c02788.vbs"
        16⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8cb35e-3655-4a6f-bc33-c6391b0d9300.vbs"
        14⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1481d724-f54f-4e0e-bdaf-2f966489e31f.vbs"
        12⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b3dc86a-6e1a-4d23-8e54-a9861cfe3d8a.vbs"
        10⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3370d4b4-157a-4ddd-97a9-3c9d3cc234cb.vbs"
        8⤵
        
        PID:3156
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3645cb-c0f0-499d-997a-91aa2ec3d31f.vbs"
        6⤵
        
        PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
b058942fe750846925da0c79dbad94ec

SHA1
338efbdf7514f23e73dac4e69c6e9b979b0c902f

SHA256
de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559

SHA512
bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0066fa54-c92a-4c81-aca7-677366e8958e.vbs

Filesize
748B

MD5
d405df1fc73aba2f6184072031e09469

SHA1
3a5f72b3a24710053e3d37ddaf8d3f70e410e96b

SHA256
2e25321e582a611255d3afe23144d17073dbebd104cf3f9d75d37fee1d72c334

SHA512
4b0df33e7084cc7de0973dc181091c62e6d545037491ad0015bc2d7413e27fe7fdbddf67bdc91edb1f5b72601a0021703613ead6a2d28a085776c6bef31e8c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\3157a898-cc7c-4ae1-b9f6-fc0860155405.vbs

Filesize
748B

MD5
11d11dc711551352000d236fbebdd01c

SHA1
5ead2a8146a528b8081c40c74f4df9a55a99c2b6

SHA256
08a20b6b1269ffcfeba0707cca65ab63872381b18c7cfaff75f4116d550614f1

SHA512
f7bb58ec5281122ceea1c9b7b4c9eacd9974de824a03c8de33abd41dfddded377855a5f18649420f3c0e2bfea27b046d8a66803a14fa08c1dcc62e7b9d62fd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33c64bc0-802f-43e0-9fc0-de8c1418e270.vbs

Filesize
747B

MD5
118c3bb337afe15c708a787023634796

SHA1
be04cd201d644e75c12d33c9dbace041bf223ab5

SHA256
53ac0e50c435c5873c533f49b12aeb144e7eb9d64a5a2811b9be01c3d0bc75fd

SHA512
d08a22ce2ca2d4ae6481474cb8958776d78271a810d174f2fdd4efbae3fa69d8d8473e632c3b15953efc025ff034fd984b13abaea0c51dd75413f73bb8a099c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d446e90-050b-4ac6-ac2e-ae95eb5a1009.vbs

Filesize
748B

MD5
8518d8c23de060751da5fcc9b9cad0ea

SHA1
437fe6e0ffd222db7f719392c2a77feceda33341

SHA256
83515248fc9d04f60fcf202cbadb32f2205e42fcacd49630669fd2a27de40e6d

SHA512
4c12f9cab1820daaf3db989af54de1b80a6cc223902bc922418236565cfc69895d41a318a740a2f8c4f9e6cad86f8295c047fa8ff24b9c26333016c37cbdd120

Download Submit
C:\Users\Admin\AppData\Local\Temp\5124281c6213314083a2941d7c1df30e09660696.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5124281c6213314083a2941d7c1df30e09660696.exe

Filesize
1.6MB

MD5
60f47adf7b73419e859b721c06a14a4f

SHA1
2aaffbc8cdfc022bfd79ae61c74b943ddbbf534c

SHA256
2caba288d06a5c0e4277537f005d6c8392f74d2e4cf8160c2e3aadce2c857874

SHA512
fa7fa6fb63cc1ee4d28d18bfddb5374630617b6d1c49917312861f74b2a4dc6d9adc4c1f838e70bbd1dab2d0cfaa1fac62f5a40727bda9c0c38ca550f5870c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\5124281c6213314083a2941d7c1df30e09660696.exe

Filesize
923KB

MD5
50969eacb7d1033844f19dbf2c1cb8c6

SHA1
7e2c2f74b7b04e54f4687ca776bd1e7ac3afda86

SHA256
a839aaef3eb4f30fc1875b4057eda279275f3c3b28c724b04598717f5a1c0f3a

SHA512
d6923b2ece98f2d5eb7eb312ce380ec1ccfb412f3bb7f74d7bf4de1e55428df9c54f4dd4c510d877fee901c778dabc8071a811974ff47f954a39ee7d9428b625

Download Submit
C:\Users\Admin\AppData\Local\Temp\55d8dc11-52b9-4632-a843-becdd4c884c4.vbs

Filesize
748B

MD5
3b616cf9a38c705d9662bd26a42e3b2d

SHA1
d9243dcbe197dca5421b50b002285d83db31fb2a

SHA256
c71b5adac5337413ce089082dd24c4b268a813baad35b10b5b2f31c93a6d33bb

SHA512
52f83c0d88a3aa8173aa918dfd820cfab4bada8bd4b39f0c1df3b4e6a7a109a87c523b1aa95fce7889addb4d0d21548ec2b1c89a0ab32d891685985ddbac4efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ef0bb9-33ad-445d-8df3-27da39c10e3f.vbs

Filesize
748B

MD5
ab5887c83eaa8a590bd2ae5b32b34a58

SHA1
219ecd99f5b939f28e9e779322cb902b7f556544

SHA256
22e2afc367ebf9216f1965a3df8e313085706c480d4d0883f226bfc0e3538a54

SHA512
baf60a60bae0f8cbb7d460afd45927e1db35abd45c1ede364c18c891c8e22dae7e5f42c50a9e8a9151111a2a4bede862a13ca5658e494f26f06e11f3a4a954f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62c3804b-0cbc-49b3-b921-4347f7fbf672.vbs

Filesize
748B

MD5
3b8b816cb4b344a799ce6ab06aad3fd0

SHA1
302e70d9bd40be378a8fd518c2e4fb1a99c73eee

SHA256
c225073314a0084da921b74b9d0c6b7d3e1732ae1650fd35e30a805d7480ce91

SHA512
3275f64beab2588beb7ca701ed1a37c7873e7625236967ea701c622850d11d0fbe99b826d8b7d9190acb7ea2424ceccd72b48479be1a8733e4ed1473bef6c24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7234cfbb-5213-4e70-8792-3596f22f0f92.vbs

Filesize
747B

MD5
e172df803929c3741d6518e3e85b6493

SHA1
849a8b05706377e2ab90d9823ea185fc46065c9f

SHA256
f002c970831d97afa635976ebd5635f972f9f36926090eeb5e229c0fdbec40c1

SHA512
d199cfae5c3ccf1c440d164350d7f87de48fbaea80771be3784a424c30c51478c399265aacc71f7548387eb8003a0c936a8234146a98b5cae26fd553065b43df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7685f198-18be-4d06-9bbb-20afa5223e35.vbs

Filesize
748B

MD5
d775521dbf7a59417f2907d69101274c

SHA1
7d3b763cf69fc03a7e5bd37ec9db195ae6238c3e

SHA256
568794f326c7308f6dd72e9f4d895190ae89f29cc612d5f64c4538f8c89ff278

SHA512
3eb58f1e3c064b142e963fb5734227c27d4925655a9bac95460bc28f3ed73e451bbb7dd0041bb6fd4b2409fab42c73e3175988c9f228c17f2497ca9008cde162

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0d4aed-8ca3-4f1a-b4f8-0d8a0b137ded.vbs

Filesize
748B

MD5
3f2289fd3565d23c56b74ccdd4bffe5e

SHA1
54097c5e3cfb43d2a779ab630a41c72b0632c89a

SHA256
37233cac60c9856d9c9391dcd29bbfe671309ee7b7a854df22e30f0c212c5375

SHA512
04b72e69813b7725637a7d1aa03b0826916bdb36d5adc2998e1c7ec59ce14807d538d2baab5a42d607497c6ee9fe639df88e2c58456c99cd258cc23ac327ef3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce09e1bf-fafa-4eb7-8122-300f4ff390f5.vbs

Filesize
748B

MD5
70e7f71869bade22c821fe243176dd2b

SHA1
f1462a40483d466055867e846edb86531bad2232

SHA256
07578300a42359d92d82df608669b70be37bf57f72429c7f8b9ea4609bee4631

SHA512
240c07ec1b9fa2ee7b2dca6f4d30be7ac2d06a3a5b0a46a5683daf430aa3dc4291bdc13a4d8ef7df04af1b0a416ce59859d1aedc4255b76651c2ba29d43d4b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1c2d42-2f2b-4a70-abae-23d0fa4a8c48.vbs

Filesize
748B

MD5
2b5d21bbfaa839ce74e6d98a0ab38cc7

SHA1
591e8ae867aec55cb3de7e669272f8ea8b84a487

SHA256
84d59af9eb1993a1ce349a45ab3b1f60788d567d4f90fa62917f3be81bb19f13

SHA512
ff9602626646f366a7d9742bb6bbbd49d55fee771d8f392cac2ccd2e21872a490fde4bd2dbd3de96c496c130ca6b9ac2bdb642ca1d0c2b30169ff5943d69ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa3645cb-c0f0-499d-997a-91aa2ec3d31f.vbs

Filesize
524B

MD5
6562481c8ff10d91060faf84acf88c4a

SHA1
c7cd9d015b7a9408a42290326384bf0684a64da5

SHA256
b2c906cb5192a67ad90c838ede5d4f36f3dfec295d800d733e991d797c941427

SHA512
067b92f5862723c1a259f7957320a74abca18eb2e95f917d59ae4515c3e64f72a70b3dfa69205e8bc92a76ca2dceeeac7c370a3972e5fe3be317d6427d1113f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\faef43b0-021d-4043-820d-ed2ba4069ce8.vbs

Filesize
748B

MD5
66262fc9a0709beda2531ef05b273e58

SHA1
235aaea2fe8f882d1d06fa4c9231c1a89937bc1e

SHA256
fbc0f6f5d30cb63ce5eb951b535dacc1e7baaa57a8c94ff353bee91a3cadc35a

SHA512
1be2aee3a754ed11134c9cc8e84208125141a1b81e9beaae78ffa972c1f94b90884814906646aa82c8a98ee7cd1ff38343c7e5d84d99eef4c0ee38dc2543ebf3

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe

Filesize
1.6MB

MD5
072edca5a98ae0ff356fa14ad186d76a

SHA1
0514122976c7d5e0bbbe14e6d0a1694f27a32b9e

SHA256
47d7589c2c7496edc95b731fcdec2d965acba56315ff83916c04e661c57e3601

SHA512
589f700ed723fdc972111b0072e6791aaf4d0e2b804dbde19cbaf1895ae1993e2572290c99c24227cb58a1182b1b0d717ef7e4f04a8d9177339c04bd5f0c4220

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\nuGtg.vbe

Filesize
215B

MD5
95be41d8177ec747048637be28e9f418

SHA1
37f9979e22af99ffd429b6434382ae745d37743e

SHA256
b18e9afd19aacc32b0559a1b54c0edf163ac9f65f73915faad8c8f292ce9face

SHA512
b6d4e7fadfa3a69b0a4fe18553a50ca0efc33f38030cf976dbf2815b5e62248d88b8103e188c86553477aa21a8bbc9361079d21d5dd077cf2523d4ccf6249b68

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\q5bwasDOM5YS7sD9.bat

Filesize
46B

MD5
c410c756184db7fecbe24e333980916c

SHA1
e0f7f117977531ffeffb38c09556dc8c6d03380a

SHA256
86227dbd23320383949944459a14570218eaaa702ec1765dbc64e8eb9190efe5

SHA512
55f233396d844febd12814026e37737d2ffbdc542d5f9feaa985fbf00dac6602895cd732931aba12dc01a02ef9485360342a41052e06f59997a6d43901a33158

Download Submit
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe

Filesize
1.1MB

MD5
18f191bacd673d00b43592d1a48f1e46

SHA1
58f7c5a0208583050c622e2ab16f31b7559869d5

SHA256
691fb59f78de7fb44a024581932e23bee7e3083f09a306cfe9d8547c8d4de619

SHA512
ad0b9369e74a6ac38e7511be1a68576c0e35045bbd65f737f0b06d0905889d658e43b7180331c8307ed855f8f18a8754436e1d2caa1a2c730309f68925975d0d

Download Submit
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe

Filesize
923KB

MD5
4440be9ed4a16009e67386bd6a98d16a

SHA1
39e96f296d358847aa5ae7de7c4506c28405075e

SHA256
435929c13848ce57650e1bd1a934db1b749f41d2c003a4da0dfcfb839c787b8d

SHA512
085075dafa758f9a865f43a6da5dadfde0410dbde223f896117558fdfec81215e70e6009a86a4c10db5819be2d18617e8b95c6cc4c85d8be4080a85aa6398ad6

Download Submit
memory/1752-14-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

Filesize
56KB

Download
memory/1752-26-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/1752-22-0x000000001BE90000-0x000000001C3B8000-memory.dmp

Filesize
5.2MB

Download
memory/1752-21-0x000000001B1A0000-0x000000001B1B2000-memory.dmp

Filesize
72KB

Download
memory/1752-23-0x000000001B8E0000-0x000000001B8EA000-memory.dmp

Filesize
40KB

Download
memory/1752-24-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

Filesize
56KB

Download
memory/1752-15-0x0000000000F10000-0x0000000000F2C000-memory.dmp

Filesize
112KB

Download
memory/1752-18-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/1752-13-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1752-16-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/1752-17-0x00000000027F0000-0x0000000002806000-memory.dmp

Filesize
88KB

Download
memory/1752-19-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/1752-20-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/1752-12-0x00007FFECD8F3000-0x00007FFECD8F5000-memory.dmp

Filesize
8KB

Download
memory/1752-27-0x000000001B970000-0x000000001B97A000-memory.dmp

Filesize
40KB

Download
memory/1752-25-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/2076-109-0x000000001C380000-0x000000001C392000-memory.dmp

Filesize
72KB

Download
memory/2892-154-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

Filesize
72KB

Download
memory/3360-97-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/3424-74-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

Filesize
72KB

Download
memory/4088-61-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download