dcrat | 858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe
Size

1.3MB
MD5

01c9a361a6df1d12da7b1976d88ae0e7
SHA1

74a6668abc79434e4762e26fccea0133c49cf50d
SHA256

858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4
SHA512

2e87789dbb15b0175b2ce8f076e02fd9170b656eea5fd748e89116224f405da5953fe9ca8ab760ccca4fd96ff61b0023b3cd44b41195598dc304afd6b93606c9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2868	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0c-9.dat	dcrat
behavioral1/memory/2708-13-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/1508-73-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1924-132-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/1256-192-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/916-252-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1672-312-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2972-373-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1028-433-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2228-493-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/2244-553-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
956	powershell.exe
2192	powershell.exe
2076	powershell.exe
2308	powershell.exe
768	powershell.exe
492	powershell.exe
1960	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	DllCommonsvc.exe
1508	DllCommonsvc.exe
1924	DllCommonsvc.exe
1256	DllCommonsvc.exe
916	DllCommonsvc.exe
1672	DllCommonsvc.exe
2972	DllCommonsvc.exe
1028	DllCommonsvc.exe
2228	DllCommonsvc.exe
2244	DllCommonsvc.exe
2300	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	cmd.exe
2872	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
640	schtasks.exe
2896	schtasks.exe
2760	schtasks.exe
2628	schtasks.exe
2140	schtasks.exe
2956	schtasks.exe
1348	schtasks.exe
1048	schtasks.exe
780	schtasks.exe
2672	schtasks.exe
2088	schtasks.exe
2276	schtasks.exe
692	schtasks.exe
2948	schtasks.exe
556	schtasks.exe
1512	schtasks.exe
1440	schtasks.exe
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2708	DllCommonsvc.exe
2308	powershell.exe
768	powershell.exe
956	powershell.exe
1960	powershell.exe
2192	powershell.exe
2076	powershell.exe
492	powershell.exe
1508	DllCommonsvc.exe
1924	DllCommonsvc.exe
1256	DllCommonsvc.exe
916	DllCommonsvc.exe
1672	DllCommonsvc.exe
2972	DllCommonsvc.exe
1028	DllCommonsvc.exe
2228	DllCommonsvc.exe
2244	DllCommonsvc.exe
2300	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	DllCommonsvc.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	1508	DllCommonsvc.exe
Token: SeDebugPrivilege	1924	DllCommonsvc.exe
Token: SeDebugPrivilege	1256	DllCommonsvc.exe
Token: SeDebugPrivilege	916	DllCommonsvc.exe
Token: SeDebugPrivilege	1672	DllCommonsvc.exe
Token: SeDebugPrivilege	2972	DllCommonsvc.exe
Token: SeDebugPrivilege	1028	DllCommonsvc.exe
Token: SeDebugPrivilege	2228	DllCommonsvc.exe
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	2300	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3052	2532	JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe	30
PID 2532 wrote to memory of 3052	2532	JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe	30
PID 2532 wrote to memory of 3052	2532	JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe	30
PID 2532 wrote to memory of 3052	2532	JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe	30
PID 3052 wrote to memory of 2872	3052	WScript.exe	31
PID 3052 wrote to memory of 2872	3052	WScript.exe	31
PID 3052 wrote to memory of 2872	3052	WScript.exe	31
PID 3052 wrote to memory of 2872	3052	WScript.exe	31
PID 2872 wrote to memory of 2708	2872	cmd.exe	33
PID 2872 wrote to memory of 2708	2872	cmd.exe	33
PID 2872 wrote to memory of 2708	2872	cmd.exe	33
PID 2872 wrote to memory of 2708	2872	cmd.exe	33
PID 2708 wrote to memory of 492	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 492	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 492	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 768	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 768	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 768	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 2308	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 2308	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 2308	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 1960	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 1960	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 1960	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 2076	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 2076	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 2076	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 2192	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 2192	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 2192	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 956	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 956	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 956	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 808	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 808	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 808	2708	DllCommonsvc.exe	67
PID 808 wrote to memory of 932	808	cmd.exe	69
PID 808 wrote to memory of 932	808	cmd.exe	69
PID 808 wrote to memory of 932	808	cmd.exe	69
PID 808 wrote to memory of 1508	808	cmd.exe	70
PID 808 wrote to memory of 1508	808	cmd.exe	70
PID 808 wrote to memory of 1508	808	cmd.exe	70
PID 1508 wrote to memory of 2896	1508	DllCommonsvc.exe	72
PID 1508 wrote to memory of 2896	1508	DllCommonsvc.exe	72
PID 1508 wrote to memory of 2896	1508	DllCommonsvc.exe	72
PID 2896 wrote to memory of 2936	2896	cmd.exe	74
PID 2896 wrote to memory of 2936	2896	cmd.exe	74
PID 2896 wrote to memory of 2936	2896	cmd.exe	74
PID 2896 wrote to memory of 1924	2896	cmd.exe	75
PID 2896 wrote to memory of 1924	2896	cmd.exe	75
PID 2896 wrote to memory of 1924	2896	cmd.exe	75
PID 1924 wrote to memory of 2828	1924	DllCommonsvc.exe	76
PID 1924 wrote to memory of 2828	1924	DllCommonsvc.exe	76
PID 1924 wrote to memory of 2828	1924	DllCommonsvc.exe	76
PID 2828 wrote to memory of 2200	2828	cmd.exe	78
PID 2828 wrote to memory of 2200	2828	cmd.exe	78
PID 2828 wrote to memory of 2200	2828	cmd.exe	78
PID 2828 wrote to memory of 1256	2828	cmd.exe	79
PID 2828 wrote to memory of 1256	2828	cmd.exe	79
PID 2828 wrote to memory of 1256	2828	cmd.exe	79
PID 1256 wrote to memory of 1092	1256	DllCommonsvc.exe	80
PID 1256 wrote to memory of 1092	1256	DllCommonsvc.exe	80
PID 1256 wrote to memory of 1092	1256	DllCommonsvc.exe	80
PID 1092 wrote to memory of 956	1092	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_858408bc8d008e2521b0c61d3f42b6ed7104c7bc60bff96fad430e13082900a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MwhyAKzAav.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:932
      - C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2936
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2200
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:956
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        13⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1644
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        15⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1928
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        17⤵
        
        PID:1152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2900
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        19⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2220
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
        21⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2088
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
        23⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1564
        
        C:\Users\Admin\PrintHood\DllCommonsvc.exe
        
        "C:\Users\Admin\PrintHood\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
199c7dbe7a961a04d1ec4d1608c6842e

SHA1
f5793ced4bcf9714ca2dce2eead8150c79e185ec

SHA256
4cc4e03f11fcf642a938e68e17a3816d960331ffbd2be444dc0b7c13cd64c253

SHA512
d802c31faef4912dfc088aaddae9cdc2a4d234cd18af1bebae8880b2e3b54772e2752d9574d10799f38782b2303da512a73ee2f975d5fee7c9584a808d7ed3d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afee61b1335af84bb6d795a5b6b78fa5

SHA1
87aa7a0501063c25a589ed82d1197797585abb41

SHA256
daa6b626f0caddfc59f41f58c3572ad863b49dfb3f2ce205617505ea8b1b5f2e

SHA512
42a9b8709c35fed39fef46c653dac9dd5e6bdcdef8fe65a5ddc33032d0ba59d9523daff929422b43c9cee3cbb6ada3beef4b013196fcd928d8523413197e3d4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b80a7fd21f0e213a411785712352f71e

SHA1
6f40c8a7fe065192ef126e47675d2db842684e02

SHA256
ba7ee4df0782e03ae774957f2fe42abb687c271c576aa6ee93e136b979813a8a

SHA512
3c75639ff96aa75810c651892124a39bf42ca943df48dea0d11c97e3c516ba470a863f0232c9c332d71151756d3d15bf9f7f1af62b16ed4719dbdaa1f513e400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3988f14e2f3f839dd06bddc8670e8442

SHA1
ff1c017750fa671d75f729cbaace4f54f0db670c

SHA256
5737f5d2f0824ae70dde72b44e94865a5bff8e5be47035a84ef7e3ec94df8878

SHA512
c0119175358913a61ae457e5522806b2f91ba99b2326fcf8fc8ae9f7f4ab98f8ee99cde29129b573a89db219cc67b9e66b207f7aa270d2e95eaa08865a6fc112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28230c4c0f4b95b13cdeb7452664e3e1

SHA1
1a7fac928f9b28aeadb3f96a1909199e14392f19

SHA256
643d685e8fb3f080f7229776dd998a07b20f6bb664e750b330c0d48965b84cb0

SHA512
4f467faf74443b68ef34a4a167ed259881796f425ae1f56df5af1c1f97e6c68114fe332e8678c6eaf3d7c097084016f576aa50fd70be084d1048e8be352d80ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09de949c8bd24068d1c941f8d436130a

SHA1
23f521c889dc8c0f88414002be1d1165760e98db

SHA256
f37563918a1845304ef21e79b5efb50221968e13a496bcaeaba12cfbad74da0e

SHA512
7ffd5dee3a3b37f612a56ee6a5aa19f02bd47f8ae8b10ed2e61a929e4448aa30d3f950f13146db4dd9eceb013992a8f6351bc8e79bc22d72019c4feb7b6c51af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f19024073affc2445a4ffe521f1f4946

SHA1
ee84f768ec2c292ccce1d79517523316d7d3a80b

SHA256
2b58445ef6508f5a63483f7a1a0ac44c1097ab753f30934ea635d215e3f9a9f5

SHA512
56b2eb170a39c3c39543a046ee501ec841dd339a42cc367856105b94e8ddceecb804d3e211da83290d9d050de4155a55e12e44180aedd6c7c50e356f6d169988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0112074eaaae98770a81d12d84d87c0

SHA1
e304b92042d29c4c5bdd890050a3b6ca419bdd57

SHA256
dfc369edb99ad1719e67e76aa12c2a0acf06883920ccd827ffdaf5da7dcaafd1

SHA512
bd2e09bd64591e82ea3307dfe75d960c7a89f16ba7c55255ff215dc995e2eedd788a28eab18bdd7caf64230632afc934c7c57052ca5ab8b10135975def6f8d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
206B

MD5
1072d12e8e142230c37fc34db8cbbdf4

SHA1
b2636d762d5455ccc9aafe0180633d45d6680f56

SHA256
8976cc3cb1da5529a1d2a9255df57e69dc6d41c0218d46febf4712bf27842846

SHA512
1ddf52a3c2076777f3ea31d8f5199d5425c13b35a0a2999226b097e04bb3d70a9a3a2e2de4efcdb84f5a587017240ff6f892c0e36ab4da9454f9de909116dfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
206B

MD5
afba8a9bcf7733eb07abad1ea975942b

SHA1
a332eb132610b026dbb344fcab0fbe68bc9961cd

SHA256
420739bef7646491ed2a6267ad75f539feb402fa27c13a05ffce07f138ddb612

SHA512
a3661ac2e90c3faf7f0baac54b8e055fb2b43c72ab137c781f354ea70d13f6884fd88d58248256482a3d813cc1430d41fbe6fc142342c899878fd59bc6f1fdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
206B

MD5
2c291d8d59eefc27edcb4794b03630fa

SHA1
a3f68716e6e5737dba03c3b97e3f5a182352ee11

SHA256
55077b22394c4d7bec568eba85224905fda95bdea91ee46ace208f6f9978155f

SHA512
2fc6c51a14852bb6eedc917efc0e4639df28f45d197a6ca5cd3540c2c676d864bcf7f950783ea2027c8a746701cb91ecc025e798579f1aaa6aed141f5196e9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4EC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwhyAKzAav.bat

Filesize
206B

MD5
e5a23b0d8d8cca4bb4ab02ff91c506c6

SHA1
18f87ee5ca7cbd05ec16d2783af18570148a2100

SHA256
a201a576da22a33a634c22bfa273457af626d8013e42007b7083fc78bd57cf2c

SHA512
841558ac8a081850551ebe47b68fd8fa400d489e55e5b56d232d9f58e76e852b568184ec3373496f53e570bc54e013c47be4aa358dd49509d96de90102863f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4FE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat

Filesize
206B

MD5
73b8d6d0fd74664623c1020255fb6590

SHA1
826e9b7164b5fa66387efacaff432ca2241064e2

SHA256
958b3acfdc9ed238666a2127f7e0e6c099a2a30278a869c90ed2bbd06b4a8a01

SHA512
3fef251185bf0494bd410a0d31b6911563e950cef617b267cd3d4810f6b5dd647c690ac283fbcf5ce8208f122a5cc288c6ad61e171b6d2778ef8d99bbc45017e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
206B

MD5
5bff68fb1af883da37e580b3f3f7feea

SHA1
929aa097b6b830dd5d5504e8ef6260a1de7647dd

SHA256
4b6783d1e6edeae225cf06c73b1cbd1e458002bd0a2ba5d2ad2a2b9fc6dfd196

SHA512
f0d1dd82c7fc9e22b2bed21e83c9cf80b4d58fd0e6c9f37a7d62b6edf3077e27580a797f8b702f75ece4244e75d3d2e7f4d287fb62aa0a6e6f1bcfd115dde49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat

Filesize
206B

MD5
057e2dd8d8682d40137eb788e21d6382

SHA1
9400b5f46f6498a92c93e7d464688ab5de79849a

SHA256
e73e32e5dc6c743d78932e28f7036ea657f265dffea4917709201dc9c87c47cf

SHA512
51d6bdb972481e9e2953e2110876ac0de7513170e19c74743f932ee048d675df1106cb94c6f1f37162c80130aa7e34295f6e140280cd96614ff959972c822395

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
206B

MD5
117ecbac0d65fb5843f53416c0c22ec0

SHA1
b3a0551398f26922dbfcde2b7da072ac9ddd29d9

SHA256
2bf9efa0adf6135b53569ce51197b89e0f65f32d9f0386949e7e7281aa139c34

SHA512
001b1bff6be890ed1dd21a2a968c19ae77afbcd69f6fd3ea616fc94f2ee50efd82cafd9e2b02d887fea9f97f7e9a128786d311d807a28d55af8333b3fb141a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
206B

MD5
5a0f3da9215ba6d91f83a63a703b0d50

SHA1
70b0a28358209053efee8deadde093a9bad5ae92

SHA256
7a75cec0602c8d3da77b51d63b148d8260f740ca526033b05779c0afada3d922

SHA512
5823cf86cefb784875316074de46e9350833e8b0c2728a47b1ec4daa0920a266a045b8e0f1ed8f2f32a599b1844612f5e05504b163d9e12f2f05c1e6bf540b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
206B

MD5
ab3100eb4300bd7703e40824437de288

SHA1
563dd9cf7f8ee75649e4c6f34fcdaeeb3f398344

SHA256
52b0156661408f2c56ab6688e0511055f07e303d499e1064af51b8a0fbf2f4a9

SHA512
e138e91176137d2ceb70eda291b958edf12dba15e6be46f34f1bbeccbdc5db3dd9f96a285454b7304a78603d4595f0f5b65e80e673a42845b2358c66084f2d49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4b009d1c6d02ea6a6af3e0aaa7090c99

SHA1
6867633c2f4b4406bab38bda699fe4d2f310faf9

SHA256
1b55b6730aeee1b69729152126cc9f564b3fcd5cf4cbac925720a80c9097f407

SHA512
873bfbf9ca52d8f1d7f049967e004a72d512798e33738042fe4963a4f7d2c155b84101480121275c1134f8648ca783aadfec3245328bb563736e13850792aa37

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/916-252-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1028-433-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1256-192-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1508-73-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1672-313-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1672-312-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1924-132-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2228-493-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2244-553-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/2308-48-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2308-49-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2708-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2708-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2708-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2708-13-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2708-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2972-373-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download