dcrat | 13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe
Size

1.3MB
MD5

56c01f1253725415dcc2543936c03130
SHA1

35cb7dc4bba04c0dca729dcf03539ce42db43de6
SHA256

13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055
SHA512

94a47e5aa9c8cde6b449e298f3af484466b819acfcc91ef8aa5a6b7897d950f6fa1c5e800743370c9bfb64eaeb84cf9a3770d072c2b4da343bc791a184bfb927
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2992	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0009000000018b28-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/1544-66-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/1648-243-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/3012-303-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2924-363-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/1016-423-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/1692-483-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1352	powershell.exe
1628	powershell.exe
1112	powershell.exe
2084	powershell.exe
2448	powershell.exe
2300	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2904	DllCommonsvc.exe
1544	csrss.exe
2564	csrss.exe
2200	csrss.exe
1648	csrss.exe
3012	csrss.exe
2924	csrss.exe
1016	csrss.exe
1692	csrss.exe
588	csrss.exe
1524	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2972	cmd.exe
2972	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
17	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com
8	raw.githubusercontent.com
10	raw.githubusercontent.com
12	raw.githubusercontent.com
14	raw.githubusercontent.com
19	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2836	schtasks.exe
1156	schtasks.exe
1928	schtasks.exe
2416	schtasks.exe
3068	schtasks.exe
2540	schtasks.exe
2740	schtasks.exe
1472	schtasks.exe
2352	schtasks.exe
2112	schtasks.exe
2940	schtasks.exe
1652	schtasks.exe
860	schtasks.exe
1392	schtasks.exe
944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2904	DllCommonsvc.exe
1628	powershell.exe
2448	powershell.exe
1352	powershell.exe
1112	powershell.exe
2084	powershell.exe
2300	powershell.exe
1544	csrss.exe
2564	csrss.exe
2200	csrss.exe
1648	csrss.exe
3012	csrss.exe
2924	csrss.exe
1016	csrss.exe
1692	csrss.exe
588	csrss.exe
1524	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1544	csrss.exe
Token: SeDebugPrivilege	2564	csrss.exe
Token: SeDebugPrivilege	2200	csrss.exe
Token: SeDebugPrivilege	1648	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	2924	csrss.exe
Token: SeDebugPrivilege	1016	csrss.exe
Token: SeDebugPrivilege	1692	csrss.exe
Token: SeDebugPrivilege	588	csrss.exe
Token: SeDebugPrivilege	1524	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exeWScript.execmd.exeDllCommonsvc.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.exe

description	pid	Process	procid_target
PID 2536 wrote to memory of 1824	2536	13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe	30
PID 2536 wrote to memory of 1824	2536	13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe	30
PID 2536 wrote to memory of 1824	2536	13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe	30
PID 2536 wrote to memory of 1824	2536	13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe	30
PID 1824 wrote to memory of 2972	1824	WScript.exe	31
PID 1824 wrote to memory of 2972	1824	WScript.exe	31
PID 1824 wrote to memory of 2972	1824	WScript.exe	31
PID 1824 wrote to memory of 2972	1824	WScript.exe	31
PID 2972 wrote to memory of 2904	2972	cmd.exe	33
PID 2972 wrote to memory of 2904	2972	cmd.exe	33
PID 2972 wrote to memory of 2904	2972	cmd.exe	33
PID 2972 wrote to memory of 2904	2972	cmd.exe	33
PID 2904 wrote to memory of 1352	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 1352	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 1352	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 1628	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1628	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1628	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 2300	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 2300	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 2300	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 2448	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 2448	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 2448	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 2084	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 2084	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 2084	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 1112	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1112	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1112	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 2504	2904	DllCommonsvc.exe	62
PID 2904 wrote to memory of 2504	2904	DllCommonsvc.exe	62
PID 2904 wrote to memory of 2504	2904	DllCommonsvc.exe	62
PID 2504 wrote to memory of 1636	2504	cmd.exe	64
PID 2504 wrote to memory of 1636	2504	cmd.exe	64
PID 2504 wrote to memory of 1636	2504	cmd.exe	64
PID 2504 wrote to memory of 1544	2504	cmd.exe	65
PID 2504 wrote to memory of 1544	2504	cmd.exe	65
PID 2504 wrote to memory of 1544	2504	cmd.exe	65
PID 1544 wrote to memory of 2396	1544	csrss.exe	66
PID 1544 wrote to memory of 2396	1544	csrss.exe	66
PID 1544 wrote to memory of 2396	1544	csrss.exe	66
PID 2396 wrote to memory of 3016	2396	cmd.exe	68
PID 2396 wrote to memory of 3016	2396	cmd.exe	68
PID 2396 wrote to memory of 3016	2396	cmd.exe	68
PID 2396 wrote to memory of 2564	2396	cmd.exe	69
PID 2396 wrote to memory of 2564	2396	cmd.exe	69
PID 2396 wrote to memory of 2564	2396	cmd.exe	69
PID 2564 wrote to memory of 860	2564	csrss.exe	70
PID 2564 wrote to memory of 860	2564	csrss.exe	70
PID 2564 wrote to memory of 860	2564	csrss.exe	70
PID 860 wrote to memory of 976	860	cmd.exe	72
PID 860 wrote to memory of 976	860	cmd.exe	72
PID 860 wrote to memory of 976	860	cmd.exe	72
PID 860 wrote to memory of 2200	860	cmd.exe	73
PID 860 wrote to memory of 2200	860	cmd.exe	73
PID 860 wrote to memory of 2200	860	cmd.exe	73
PID 2200 wrote to memory of 456	2200	csrss.exe	74
PID 2200 wrote to memory of 456	2200	csrss.exe	74
PID 2200 wrote to memory of 456	2200	csrss.exe	74
PID 456 wrote to memory of 2152	456	cmd.exe	76
PID 456 wrote to memory of 2152	456	cmd.exe	76
PID 456 wrote to memory of 2152	456	cmd.exe	76
PID 456 wrote to memory of 1648	456	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe
"C:\Users\Admin\AppData\Local\Temp\13129962f25c4ef3f982cd46a2577375588c49c4d39067c9aecb9f3602c42055N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMEDRueHfb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1636
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3016
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:976
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2152
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        13⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2880
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        15⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:284
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        17⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2068
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        19⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2528
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        21⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1564
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        23⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:596
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3c5c9d0b56a98483d33f30c7d1b8e9c

SHA1
7794efa58e53a020873ef59ceab041aa6aa4d306

SHA256
b589df68458ce17087b2add8aa134f05d7fdb74fd180c2734c319be8aed3ad36

SHA512
a441a8240290de4a6cd7eac816c4ea2aa85b95d02654a8878fdbe85dbaa0fa7244f9f23d24785d11f20293f6387cc886532fbdb7fcfbe4e99c38ac2c72341a24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdecd87089daa6e728d3360fcf083f64

SHA1
231c5ab114565c0ccaaad057e55562e15d587ef6

SHA256
66dd9a3e35a87ad9a6597f26b4f92a34b3de2430ddeae1462cdd4aff8713aff5

SHA512
c9341189ca9300b14f553cdbe38917475a712ac190dd173c46bc470fc256830f258837e87d4b46e5961accd256ec771025b2220e4cacd5964258de9d822a8e54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01245f04c6217ed74e52d14babd96fdd

SHA1
b4d5abe936bc53ac5143216b05ff6ea0e5d83cda

SHA256
55380f973fa6d17bdb797250fc6416172f39df9f4449371aed8fe590dcd42668

SHA512
9c1f1ca8aed172307b87536917d821cb493c03ebf814d16df50ef0ca87791d17999c2b2deb6d1c1ae110b75ddb1fe4f04f34d3d5205757264ef322cf6be43f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c12c5c34eadbf4b3f04df26450e33c73

SHA1
c686adbb0109d6fa89068b766d799073743a8614

SHA256
e58481839b08b40af6b2a776c6f8dd28019fb437d4405dc42762290bc7bc3c8d

SHA512
405d3915c91dfd4eab8236458988adc9bc8ce86148f23a18bf4f0d93216ef1ae6616d2e085655a21847209b85e57babda7be70c70d10d5873ce0d16bc0289e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec845b2592c5e1898bfa000d8806ecd5

SHA1
c71456a2111f5087ba832378efd43301d7809c08

SHA256
024ea0244040b8ddaecbe63b76de92b0d5ee9694dcca2b3866c02ef47290ce7b

SHA512
a8407b63a274fb28f7835e8892755cdde934211c2e864af224739066d3f6a96da72f5efc58cd91606b2d233e8d2dbe5fa6284bc159c751cf68cbe61c926211f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce99ccc278b64b53f078e74e5a354cde

SHA1
3010d998150f4e82d592c1499172b3f38abb204c

SHA256
c1c98841ff19a2732551bc86b2a60ddc0013b8231f8abf47e834a4535c9d51b9

SHA512
42a9e8bf59b1c40055428298ee2f11db205f0cf3c288e1b6b01e234a5419f274ce4d26707835e51442b2d2443fb4b7cb28dac0d260a095ebce9ab8cbbc2704c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09e6504ed9340b2a995c262e1c78c4d

SHA1
0e69515f0bdc62daf4e19fb6478b8aff8bf9edc6

SHA256
cb6851fb18e5d0d1de778c5d8859e5a92135aa349667b97971c94ab0324dfe4b

SHA512
2e671d6b3321ce3df59421f50671de58dee97fb4df97bd4b2088b4d123cdd297d7599fe454d11285be010655839ec963b039f647c7b1647b885d555befcb6c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af3a6d47f5c69e3f1d8a244370403770

SHA1
6308360dfeac0979992a7afb336e9601e44213c7

SHA256
f388391ffe20ffa38a2873e9e7675b7a97349e588614a85ea849afb2838782da

SHA512
a4af6fb602006f10c8a1780dda77ad37c351aad1cf6b8f2d40f0aefe86e4bda3ef1187c2c10e26b1023f3ff6d54db24a199d1614bdc8842e11b597aab770f768

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
223B

MD5
eff2ff3e94a1fec9aa474f17048e76db

SHA1
207995b5b7114c46514361facf886742a6a8dc50

SHA256
15249f3487e48ab86ac70ebab2c58565ba0f814979a8e8f487e4e8232e7a43fe

SHA512
d7eab0bc960cc951289254d161235ecef0a04c86364a75035fb4486da556d392789b04dfb8216f338fd111733a43af42e897cb359a3c439b9ef40dfd75caa435

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBAF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat

Filesize
223B

MD5
d4e4cd18c388e63cc585ca45e071eff4

SHA1
f67dfb6c01bd8f7f203c885497f929d2e4b81a6f

SHA256
ca888a979ebb892dacca11139352c50d912056becabed280fab9a69558099761

SHA512
4d7dcc7a8328bfe6d4b7add084af6e28d7efeffa951d0a56f4900fd220789126c242ca818831b7a7509018388026ca8877e2e0ed810d2221caebbbc2f8e1664a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
223B

MD5
daad212dfc0ce08145b85033d17053f0

SHA1
1ae97ebcdc3758e0be00a6e87680fbec2528b9c1

SHA256
d23456b54fd156c453783426920217dc19fcfe0be0e0f5780bed007378fd65b6

SHA512
420ef3fc0a7ca08e182db202dc83fc24516db8455be4e840f799dc013cdd855631d0c8d42c9e06f25327f4fd4848047ca8e8b7b6579e839c9d7bfac92a3be93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFBF1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
223B

MD5
e9a23c0594ea72f1755148cd7af197a1

SHA1
b24b907126bcb48d65acd2f713183b51bc390d08

SHA256
9bd249b67f49a81b216f58409780f1d1ec1cb1c56318d9927a72e83f3cc4697b

SHA512
24512c743444cbc2b6681efca1b663a25ac8d514fc8b053b1e25602539cc5526b0d445b93a4487fb538069d4f5b70c5cfe976a5c12abdb0bc00fa87bf7596773

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
223B

MD5
2b8391cfa0ad1946d4616384a34206fb

SHA1
bd24a60473aece33f02e06b21fc398eff154db09

SHA256
ae7ae85e820a13416efe5b4ee9f123cfd5e7db7350706dd66ae1e2f53ed2449c

SHA512
ceb93bd6348931e9ae6cb5916670b77f8020ce792feec59a4b4d111dd1fdd0e3bd98f26b773b2fab7cf2d67de6a156d4cfbfc9e99616b5f17794d38f2f4ef630

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
223B

MD5
82e97a5db1a207c2e313155ab46a0a04

SHA1
121660dae2118fa36233bd4ebfd9e4dd233bc355

SHA256
4516e1ff6e09308a17b17f4bdf39564efdf762cbcab686c85ebf69f926059bac

SHA512
a9ccae573f593c544fe6ffc7f3223c54d73cac877191295427195b77e02c9bfb23bae5e9ac8c30ee080687badca5d8bcecd8ea98d442b2e9793c28f82cfcdf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
223B

MD5
fe7433222db2856ad969f174f6ea5a4a

SHA1
9244dac19045651c1d291cf8ae92e05a4d3a0593

SHA256
a2223fb1506d2144c3494763d07789fd3c55ff1207f5c01fb04f10c509ff4b4b

SHA512
46565820ffc59a040e81c2a2e7d6ac3a141e5579fa1cc2feb76b9c0faef00323c569fc70df85db3cbaae1a9161438c0f74acbac6197ae64a25baa3ef37e6bd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
223B

MD5
beba2c50ee8c5750c89dac0b7a9d3eac

SHA1
1d5bf410003b0db8559acf341646b49fbbabaa3e

SHA256
5f007dc7a5aed41a27bd6657bc70260a694a710e1f9b4150660c4053ae1b7161

SHA512
e908675134c2652aeb8c250ac210fd9b2e92795bf203ae3236b2fa729b7b10ddaa126781603c85354243d43d92b093811c8cd2bf4c58e581ae090621082751a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
223B

MD5
fc1ab0a8499585cbd694da8a6f4be0b9

SHA1
bf946a8336caa154d792cd3412a0e94e5f44527f

SHA256
691d086b8454096fe476401fa825acb055a7c2a90a3693f6d997e4630e6c142f

SHA512
f2dfaad589fd8601327860a26a8aa61989f1122f9286d61ec7a569f2354ef0cf5f06b459c27b7ca00317c1a73745a2cdb05a8e40eb35b7af8539e8de77ed6292

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEDRueHfb.bat

Filesize
223B

MD5
4cb636f269ba79c9a40d8f2c30845b3b

SHA1
afecbabb6478243fb4e09112fcd62c4bb4ae8859

SHA256
66ea5eb78a043039db50f060658faaf1c5e3e9c8056311a4b8be58c4dac546ce

SHA512
bb38bd2cb01b097b894f7fc46b1b74fc30d8cdd6e349876acf227e2e8067f03289ac31231ad7f1876b31755c6549d241b04b1ee1656f2d8ff659fadde6cf57de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
706c7c191716a0359430eb45cb44f13a

SHA1
7d42f1e9a82100ee58f82e80cad093a5851ed651

SHA256
6b544cba6a68c29f764d241fe82b236a3eb2192e7afa0c8cdd835fd759e4fa18

SHA512
3a37f586d0596eda9dabd3bbcec115ff843368d86d1551ed4522476f618a5964c6aaba12ec8f35207e72bc23d9d22662bd9f5ada5047bd7a1a1fc76e4733eb3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/588-543-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1016-423-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1544-66-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1628-48-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/1628-49-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1648-243-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/1692-483-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2904-13-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2904-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2924-363-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/3012-303-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download