dcrat | c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe
Size

1.3MB
MD5

5f25d5918d5986e631ce1450ce6a4526
SHA1

7bad3901bfbe64c81d568e3b2a3fb173a9d89c29
SHA256

c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4
SHA512

5c160c287638b2e6737ac5506b2ba45e735104196c403b38a4a5ba5fce1cb6540f72d4e612efe45e2b4446ba3d7be4fd82db8ee5322a55bff7935d9980c4883b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2556	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2556	schtasks.exe	35

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cec-9.dat	dcrat
behavioral1/memory/2576-13-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/264-59-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2956-118-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2428-178-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1828-239-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/568-299-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/1508-359-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/2352-419-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/2812-480-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/1400-540-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1844-600-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2348-660-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2280	powershell.exe
2460	powershell.exe
1656	powershell.exe
2352	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2576	DllCommonsvc.exe
264	cmd.exe
2956	cmd.exe
2428	cmd.exe
1828	cmd.exe
568	cmd.exe
1508	cmd.exe
2352	cmd.exe
2812	cmd.exe
1400	cmd.exe
1844	cmd.exe
2348	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2480	schtasks.exe
2232	schtasks.exe
376	schtasks.exe
1932	schtasks.exe
984	schtasks.exe
3016	schtasks.exe
2216	schtasks.exe
2784	schtasks.exe
2952	schtasks.exe
2580	schtasks.exe
700	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2576	DllCommonsvc.exe
2576	DllCommonsvc.exe
2576	DllCommonsvc.exe
2352	powershell.exe
2280	powershell.exe
2460	powershell.exe
2076	powershell.exe
1656	powershell.exe
264	cmd.exe
2956	cmd.exe
2428	cmd.exe
1828	cmd.exe
568	cmd.exe
1508	cmd.exe
2352	cmd.exe
2812	cmd.exe
1400	cmd.exe
1844	cmd.exe
2348	cmd.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	DllCommonsvc.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	264	cmd.exe
Token: SeDebugPrivilege	2956	cmd.exe
Token: SeDebugPrivilege	2428	cmd.exe
Token: SeDebugPrivilege	1828	cmd.exe
Token: SeDebugPrivilege	568	cmd.exe
Token: SeDebugPrivilege	1508	cmd.exe
Token: SeDebugPrivilege	2352	cmd.exe
Token: SeDebugPrivilege	2812	cmd.exe
Token: SeDebugPrivilege	1400	cmd.exe
Token: SeDebugPrivilege	1844	cmd.exe
Token: SeDebugPrivilege	2348	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2684	2956	c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe	31
PID 2956 wrote to memory of 2684	2956	c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe	31
PID 2956 wrote to memory of 2684	2956	c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe	31
PID 2956 wrote to memory of 2684	2956	c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe	31
PID 2684 wrote to memory of 2688	2684	WScript.exe	32
PID 2684 wrote to memory of 2688	2684	WScript.exe	32
PID 2684 wrote to memory of 2688	2684	WScript.exe	32
PID 2684 wrote to memory of 2688	2684	WScript.exe	32
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2576 wrote to memory of 2076	2576	DllCommonsvc.exe	48
PID 2576 wrote to memory of 2076	2576	DllCommonsvc.exe	48
PID 2576 wrote to memory of 2076	2576	DllCommonsvc.exe	48
PID 2576 wrote to memory of 2352	2576	DllCommonsvc.exe	49
PID 2576 wrote to memory of 2352	2576	DllCommonsvc.exe	49
PID 2576 wrote to memory of 2352	2576	DllCommonsvc.exe	49
PID 2576 wrote to memory of 1656	2576	DllCommonsvc.exe	50
PID 2576 wrote to memory of 1656	2576	DllCommonsvc.exe	50
PID 2576 wrote to memory of 1656	2576	DllCommonsvc.exe	50
PID 2576 wrote to memory of 2460	2576	DllCommonsvc.exe	51
PID 2576 wrote to memory of 2460	2576	DllCommonsvc.exe	51
PID 2576 wrote to memory of 2460	2576	DllCommonsvc.exe	51
PID 2576 wrote to memory of 2280	2576	DllCommonsvc.exe	52
PID 2576 wrote to memory of 2280	2576	DllCommonsvc.exe	52
PID 2576 wrote to memory of 2280	2576	DllCommonsvc.exe	52
PID 2576 wrote to memory of 1624	2576	DllCommonsvc.exe	58
PID 2576 wrote to memory of 1624	2576	DllCommonsvc.exe	58
PID 2576 wrote to memory of 1624	2576	DllCommonsvc.exe	58
PID 1624 wrote to memory of 2240	1624	cmd.exe	60
PID 1624 wrote to memory of 2240	1624	cmd.exe	60
PID 1624 wrote to memory of 2240	1624	cmd.exe	60
PID 1624 wrote to memory of 264	1624	cmd.exe	61
PID 1624 wrote to memory of 264	1624	cmd.exe	61
PID 1624 wrote to memory of 264	1624	cmd.exe	61
PID 264 wrote to memory of 1772	264	cmd.exe	62
PID 264 wrote to memory of 1772	264	cmd.exe	62
PID 264 wrote to memory of 1772	264	cmd.exe	62
PID 1772 wrote to memory of 3036	1772	cmd.exe	64
PID 1772 wrote to memory of 3036	1772	cmd.exe	64
PID 1772 wrote to memory of 3036	1772	cmd.exe	64
PID 1772 wrote to memory of 2956	1772	cmd.exe	65
PID 1772 wrote to memory of 2956	1772	cmd.exe	65
PID 1772 wrote to memory of 2956	1772	cmd.exe	65
PID 2956 wrote to memory of 1332	2956	cmd.exe	66
PID 2956 wrote to memory of 1332	2956	cmd.exe	66
PID 2956 wrote to memory of 1332	2956	cmd.exe	66
PID 1332 wrote to memory of 2440	1332	cmd.exe	68
PID 1332 wrote to memory of 2440	1332	cmd.exe	68
PID 1332 wrote to memory of 2440	1332	cmd.exe	68
PID 1332 wrote to memory of 2428	1332	cmd.exe	69
PID 1332 wrote to memory of 2428	1332	cmd.exe	69
PID 1332 wrote to memory of 2428	1332	cmd.exe	69
PID 2428 wrote to memory of 1952	2428	cmd.exe	70
PID 2428 wrote to memory of 1952	2428	cmd.exe	70
PID 2428 wrote to memory of 1952	2428	cmd.exe	70
PID 1952 wrote to memory of 2220	1952	cmd.exe	72
PID 1952 wrote to memory of 2220	1952	cmd.exe	72
PID 1952 wrote to memory of 2220	1952	cmd.exe	72
PID 1952 wrote to memory of 1828	1952	cmd.exe	73
PID 1952 wrote to memory of 1828	1952	cmd.exe	73
PID 1952 wrote to memory of 1828	1952	cmd.exe	73
PID 1828 wrote to memory of 2624	1828	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe
"C:\Users\Admin\AppData\Local\Temp\c58ce6b91ba06adb88ab239242c5a7218d4fcfb4d9749ac70c78b2f464ad3df4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2240
      - C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3036
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2440
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2220
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        13⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2636
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        15⤵
        
        PID:548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2704
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        17⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2640
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        19⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2364
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        21⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2708
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        23⤵
        
        PID:284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2136
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
        25⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1960
        
        C:\Program Files\Microsoft Office\Office14\1033\cmd.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\cmd.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\SendTo\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c913838f138b12a03b9ade174eca5ff

SHA1
a6c6426c5a9b64f20295fac113091edb96edf931

SHA256
8734e748476d1493a7fb8ef97d94dc01a6be1bc2a83c460e30794ebfe0e9bb1e

SHA512
7fbfd992875dc7a6f1cf97b5ee72171b8a61d2a15f799930f7b0197b5a9e3db2d7819dfa913c7cb798bfcae16e637bcae9209e5413286b863bdb7b68fb08ea49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb79d669d5dbfa0fb18df033d165012f

SHA1
6c18cf90d5f93f1d679188afbe9f2dedd88437d7

SHA256
5d49b0cf8692b5933bf46eb005e0fd2f7c679041edb424541042e2944a31ff90

SHA512
a1c0b103978ea81a28a1675e3fb3569d4b72c14dfbcf31675a817ff6c7858194213a0b3b3725c4920f10f1f60af89ae977da59c2869104384ca386eb2ec765e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b93b29226cbc37b13524fe470d203e1d

SHA1
3c4ddbb1ce8ca93749ff33cfa94e6d05140c5d31

SHA256
2517b4ab60c7d58bc13f43fdafab5ac4ae78eba6cf50cbacf3c24dcb6fa765e5

SHA512
69eae387fa63b4a44474fbf2ff3fef6e28de493b7409f1882365767af465c7f8fd20c1030dc80f00039fbba882aaf019e3fad625d769a854914240cb32cd1800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ac2b4c2d3f3d728a6927100d7a4efc3

SHA1
c10589a345cf465826f7c4bf4dd3038cca9f9b65

SHA256
e5edb04008e0099f728f2cc60a406f6f97dce495c09e2a90c4f2bb2efb8bc061

SHA512
009a494ef8ec4a3c590df43e8806b0579595f86430aef0e5fba51cbd71e2d0030dd1e699346b758dc6051f28a384eb7776c7bd85a85a914087a091deacf64dbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fa6f8941bd0417e94d669d7b0e12d73

SHA1
791592c28b58c11c622f74baee42d03c9e07afab

SHA256
281e32362a0e95c00a3c1a205d0d1118b69a053b04cd822be3f9ae47e11e847f

SHA512
ae2787e3bb5849d12c91fa930969da0c183c3f672411bc03e9eab98c550cfe663c8ea38ae46d75b4bf5102d271920a49bbae3de6c2849a111693f4b40a779713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e7433e7fec72866b0f2c366b717394c

SHA1
0a2bb56f7b49ee4749fe735097c0cacb4cb9e989

SHA256
2f713a7acaff01a8d45d44908a11e12eebbb30b924a6402b5ab68f56cf1d670d

SHA512
dcd0418cf705e435b1b2d20fdad69d432613784eac9a448f8617965458eed3d580f2405f935e54dfaf79b4e9c7f3b455e7e2603f0f06831bbdaa8ae61e444811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
495a5ef99ce4a1c322c270cc23514599

SHA1
61d49bbb75b4b33f2ba016483354b09cfc8e76ed

SHA256
aef544a8c106cb6c71876a58c9f17b6b6e1b706f5dc78e5cd2f0bf8683efd2d5

SHA512
311e833f48f7d028a7089836e732b4519cf9288996fc5e233bc50cdc61235f10322b8fd5817a438dc95305d754059b4f00530dfe0e45ca5458b1f578a9a6d04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2a1d0263f14047727baa9d42529cb1f

SHA1
8cee2af4dcac3a56f6741e2370078627af058b10

SHA256
a8bd2dcc9b3da16687f14d514d220c50ac04ab12ce11639e73d4693848e51d16

SHA512
c95024fc1513b0828e58404a84b894a2c4de90090449130c1ef6f18256cdd1cedb23593c10baa9dbe27687c7092eb62ba580fe48e4d3e38c3f9f7931cf07a4e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0815e3c8b7b6b8654ff294fb0b77ee49

SHA1
6aa7ed5461b2137fc696d0e1f618a01dc8a2a69a

SHA256
fc41f1991eb804636b5a46cf1ce219658f9714f3b8ab3a8cdd41eb35f655efca

SHA512
0b60d318eb1752b12364d8b8e7b72136ba77295b69650dc8b3c770fdb5d4474bf040f18d873b8139eb791876c0e99a522a6035d3583e369fcf5d3192a1a4a512

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
220B

MD5
b5e37bc07c375ac449335e4be9766a12

SHA1
29c9a22783929bb9e5070876d7f23d0489f80242

SHA256
68653e12373c11ded7b1807d9e3efdc3a21581164459aa2f1667d851faf04a5f

SHA512
f94929e614e58cbb57658513a991cda8a8e61b403669fc672818b7a9fd61f2b47550626ef75bc01fd09502351094b717d5488bf9be2c125e8494d3c319f89b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat

Filesize
220B

MD5
d7cdde405241867ca3ee845e88854e12

SHA1
6fb300389a0efb0962fc24c6edd3f2c2281b5f66

SHA256
2526064cf129dca55d743cec71d9304fa9789c097d0b7cd5bf115fc504ab8518

SHA512
df4e62541be85e7f3d03ec771535af63aa2c9cd06a5f447843cf51fc8ff292d0f275b5369342123be75e18ad206239aeeef069d910466b28d9fa0657ba616421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CDA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

Filesize
220B

MD5
f1ac6c174cabcaaef57bb7a39ae2d983

SHA1
c13469d39f691b3248b18d00897a82aede618046

SHA256
f902582e2e00b21f7d276ba600c473d6cf07f9061f9d3de3735bd98ac883f96c

SHA512
218b8bb4abf99ff16e6c4314b3acb9a111a1b1b9f0aef57225fc4551e462c4f326f910d8bc0ce985b69954e3ff5c20e43f08271fc5b8242317d8aa49a279c344

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
220B

MD5
1fb4df2a6d013df9a3c605ab62403d3f

SHA1
4b4a157818e58e687b22158951bccc94e986ec3b

SHA256
4f6070ecef96d44ffa14dbc341512f49c6ba9281e6790f88d62ea0fa64465003

SHA512
cda0e921f5858224ac2bf45cd312373069dc1dc30b3d79f2479f178725ed9bb103adb8a59619d8121f3c1824f45540266689f778e27dd034875a5f5e567fe703

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
220B

MD5
5f0818fb0c0a5cf611c01df37dad4727

SHA1
eea5b7f2aaaba0d135537e8c6f40c0417b888b09

SHA256
9ede16b02057fe9411bf0649f15e01d1633ac4aeaabc0d7c66f79e43b7a9b7f5

SHA512
4ca9fd338de57aa19c71e82fde4863f639b35c693ec2221e464a0b85bd246177611a8289cd44b943a1a45aedf7737859eed97ed1d0df5a0f46dec5c75938e17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CED.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
220B

MD5
914dfa74ac1fcc490c4eb3e32e9af8e8

SHA1
afa6671c7b65288a53233d81d058268a3dbe6c2f

SHA256
6b67fe67c8405948aa89ba890e1072c434e2556babcd08b68934529d52eaf540

SHA512
1cb42d7580064cfb0a6df17bea443abf3a211cddc9d546fa630539a47598a8b3a0c59423ec1e1792a36f96c185546cfe3cbd65e0e1680aca9267e7c63bc29682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
220B

MD5
45ce0445f704f9dd847cd9610a11834a

SHA1
4ffae990fbde6ef250fa3862aaf53d4e096469e9

SHA256
3d641022f3365bf4320187cd01712a04c7b0f315f5e89af4288bbe6c2faba078

SHA512
45fdc6f9526f6798094c9eeb324521ae62fd109da121afb0b4b66a4ddc656cfdacb6a71b6acb129f6238b0680d1d13808f62a3447d86e9f1fc41d826645e113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
220B

MD5
4ea6ca327b380f309fa6b86d569a3b1c

SHA1
49f5efbf67c405a2d6faa6c90d4e3fa5a01f20a0

SHA256
864f8e8a0ef45fd8890c9ee004ebdeffb5fcaeca105a71dd7a15172bb28dde27

SHA512
f4d53cc4017f0ed1a4652b1c9f3f5df131ffc0002e18c0c55bc24246151bf523c2d0b22a5c34bcc940abcde5b9f28031662f257e3ee48c90827515ed54916049

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
220B

MD5
9d983af9f6b7514110c60bd9e578aa65

SHA1
52ab9e856130b3ffa0b112644efc9a7494b4f580

SHA256
4d9754663f58c77c7f36b89f61fe8f9e8f429f28c363d4849996797d2f5c39c7

SHA512
36e34a95f067014bca2348904c149cbff813b48038e431a9e2c3db826c5f5e92e74098b238f655540fe63093c10759ddfd076cd36da6fdf6a743eb1a4d2d8c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
220B

MD5
04b71ec97cd7d787f13a546d9dc11dd3

SHA1
22ff803bb4de9c44d490efad9d8c482f3028773a

SHA256
276c6e10b646ba715fc411c611b1da3aa4f5f4319a490f8b1e6723cba06cdff4

SHA512
76c52121b381eb567029b3521a43d05f442998dc0f6628948ba3d281c395e4f86fd8fc66ce22bbc448a3e52e31ab4456300c4473a800f4883c2179b9b1b4115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

Filesize
220B

MD5
4ad593b3de09b8ab419eb28b3b6728e6

SHA1
f1b71fc0372b7fea0fd1bfb9ca2c1c72c5309707

SHA256
6ad42c618bb384a6b6fb055d651fd300c49ea6ad5a511aa84c8218395f03a43d

SHA512
93690b60a0c6b34790d33ea6ca34a7445b975c2ba6dbd89d129bcc645e48df2a68350312dd431ae50bda77405fbcd82cd061522088078d65967337246d2e2b29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93e0e6d19b83a3c2c36db0be33437a2c

SHA1
7e39dfde6679568eb9ca8c808cf48c0fd62c3dda

SHA256
1aba5079aec618cf81272b73c8d8ed501fa972f9b37b24d392de4f7d68429205

SHA512
02845c68d3aa72e5c1e01977af8df85a69ff19890c905a245de8925d3b1ccd9aadf2192c160750bdc790854d8bd1de9b8dc12f51ad2f40180d42294642527ef4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/264-59-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/568-299-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1400-540-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1508-359-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/1828-239-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1844-600-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2348-660-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2348-661-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2352-40-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2352-420-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2352-419-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2352-35-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2428-179-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/2428-178-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2576-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2576-13-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/2576-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2576-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2576-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2812-480-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2956-118-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download