dcrat | b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe
Size

1.3MB
MD5

1420e94c7f76fbe4c832923b90f70b9a
SHA1

218d270b857fab1cfb722b9400d6d70429a43902
SHA256

b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e
SHA512

c21d8cea2a2b02cededf1f423fffe26ad7284dd38b00f5af3f258baa12f6cafb9471bf5ed3295badf3aa51e93038392abf3c3ecb5368d43c05badd0afde2534d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1856	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-9.dat	dcrat
behavioral1/memory/2496-13-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/memory/2964-38-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/3052-125-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2156-246-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1412-306-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/300-366-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
1712	powershell.exe
328	powershell.exe
1960	powershell.exe
2984	powershell.exe
2844	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2496	DllCommonsvc.exe
2964	lsass.exe
3052	lsass.exe
3064	lsass.exe
2156	lsass.exe
1412	lsass.exe
300	lsass.exe
2448	lsass.exe
1168	lsass.exe
3032	lsass.exe
832	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	cmd.exe
2488	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2716	schtasks.exe
1644	schtasks.exe
1780	schtasks.exe
1876	schtasks.exe
2668	schtasks.exe
2084	schtasks.exe
2952	schtasks.exe
1632	schtasks.exe
2816	schtasks.exe
2644	schtasks.exe
1772	schtasks.exe
2744	schtasks.exe
1592	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
1712	powershell.exe
2984	powershell.exe
2844	powershell.exe
1960	powershell.exe
328	powershell.exe
1872	powershell.exe
2964	lsass.exe
3052	lsass.exe
3064	lsass.exe
2156	lsass.exe
1412	lsass.exe
300	lsass.exe
2448	lsass.exe
1168	lsass.exe
3032	lsass.exe
832	lsass.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	DllCommonsvc.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2964	lsass.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3052	lsass.exe
Token: SeDebugPrivilege	3064	lsass.exe
Token: SeDebugPrivilege	2156	lsass.exe
Token: SeDebugPrivilege	1412	lsass.exe
Token: SeDebugPrivilege	300	lsass.exe
Token: SeDebugPrivilege	2448	lsass.exe
Token: SeDebugPrivilege	1168	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	832	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2572	532	JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe	31
PID 532 wrote to memory of 2572	532	JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe	31
PID 532 wrote to memory of 2572	532	JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe	31
PID 532 wrote to memory of 2572	532	JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe	31
PID 2572 wrote to memory of 2488	2572	WScript.exe	32
PID 2572 wrote to memory of 2488	2572	WScript.exe	32
PID 2572 wrote to memory of 2488	2572	WScript.exe	32
PID 2572 wrote to memory of 2488	2572	WScript.exe	32
PID 2488 wrote to memory of 2496	2488	cmd.exe	34
PID 2488 wrote to memory of 2496	2488	cmd.exe	34
PID 2488 wrote to memory of 2496	2488	cmd.exe	34
PID 2488 wrote to memory of 2496	2488	cmd.exe	34
PID 2496 wrote to memory of 1872	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 1872	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 1872	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 2844	2496	DllCommonsvc.exe	52
PID 2496 wrote to memory of 2844	2496	DllCommonsvc.exe	52
PID 2496 wrote to memory of 2844	2496	DllCommonsvc.exe	52
PID 2496 wrote to memory of 1712	2496	DllCommonsvc.exe	53
PID 2496 wrote to memory of 1712	2496	DllCommonsvc.exe	53
PID 2496 wrote to memory of 1712	2496	DllCommonsvc.exe	53
PID 2496 wrote to memory of 328	2496	DllCommonsvc.exe	54
PID 2496 wrote to memory of 328	2496	DllCommonsvc.exe	54
PID 2496 wrote to memory of 328	2496	DllCommonsvc.exe	54
PID 2496 wrote to memory of 1960	2496	DllCommonsvc.exe	56
PID 2496 wrote to memory of 1960	2496	DllCommonsvc.exe	56
PID 2496 wrote to memory of 1960	2496	DllCommonsvc.exe	56
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	57
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	57
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	57
PID 2496 wrote to memory of 2964	2496	DllCommonsvc.exe	63
PID 2496 wrote to memory of 2964	2496	DllCommonsvc.exe	63
PID 2496 wrote to memory of 2964	2496	DllCommonsvc.exe	63
PID 2964 wrote to memory of 1728	2964	lsass.exe	64
PID 2964 wrote to memory of 1728	2964	lsass.exe	64
PID 2964 wrote to memory of 1728	2964	lsass.exe	64
PID 1728 wrote to memory of 2796	1728	cmd.exe	66
PID 1728 wrote to memory of 2796	1728	cmd.exe	66
PID 1728 wrote to memory of 2796	1728	cmd.exe	66
PID 1728 wrote to memory of 3052	1728	cmd.exe	67
PID 1728 wrote to memory of 3052	1728	cmd.exe	67
PID 1728 wrote to memory of 3052	1728	cmd.exe	67
PID 3052 wrote to memory of 2468	3052	lsass.exe	68
PID 3052 wrote to memory of 2468	3052	lsass.exe	68
PID 3052 wrote to memory of 2468	3052	lsass.exe	68
PID 2468 wrote to memory of 2248	2468	cmd.exe	70
PID 2468 wrote to memory of 2248	2468	cmd.exe	70
PID 2468 wrote to memory of 2248	2468	cmd.exe	70
PID 2468 wrote to memory of 3064	2468	cmd.exe	71
PID 2468 wrote to memory of 3064	2468	cmd.exe	71
PID 2468 wrote to memory of 3064	2468	cmd.exe	71
PID 3064 wrote to memory of 1664	3064	lsass.exe	72
PID 3064 wrote to memory of 1664	3064	lsass.exe	72
PID 3064 wrote to memory of 1664	3064	lsass.exe	72
PID 1664 wrote to memory of 992	1664	cmd.exe	74
PID 1664 wrote to memory of 992	1664	cmd.exe	74
PID 1664 wrote to memory of 992	1664	cmd.exe	74
PID 1664 wrote to memory of 2156	1664	cmd.exe	75
PID 1664 wrote to memory of 2156	1664	cmd.exe	75
PID 1664 wrote to memory of 2156	1664	cmd.exe	75
PID 2156 wrote to memory of 108	2156	lsass.exe	76
PID 2156 wrote to memory of 108	2156	lsass.exe	76
PID 2156 wrote to memory of 108	2156	lsass.exe	76
PID 108 wrote to memory of 3056	108	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1bcdbedb47f70502cd563e8b9d5e7325872100ea4d9e09e85193d17cfe22f0e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2796
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2248
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:992
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3056
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        14⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1532
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
        16⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1004
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        18⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1996
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        20⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1288
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        22⤵
        
        PID:1176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2848
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        24⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9624741d79067f020742e7219da66546

SHA1
9f479780b5920becc9a95377610517b95145fba9

SHA256
88bd949c95a60390a727a38621b64ed9dfbba597373546f3c8a02b1cf2a62b0e

SHA512
815bd4f0be87b7fd691552e00efcaf88cfb221bf7fc5ccae66d1465891784f9282f794ce5c5e96b7b0c48a874c9a77bd926525627a7d9183752a4b0c5a24f175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d49aa373a96dcdf1ff5c51c4f39bf515

SHA1
5c88ed947b66e7c9a2ec4d5f46f8b5106740e7e5

SHA256
006370d337243054475df9b8033ce1417adedbec211c7136a7d5c84d4ec7f8fd

SHA512
b5ffd566578a7a053a99c5875b1b8238a20f986e737b1643843ce0e069a32798a339c00dcc64cf39000b511aad1fd0c763c262c6605f5360afe57b4ac71592c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c01b6ece1dec5b59eaeafe9bd73d81e8

SHA1
c9e3349cf76320d9f69fd6048e66ebcf0819bd06

SHA256
754aab06aa6d4002edc1f89a9e5b95e963fc2df62c30ddfaa4f0b2716f8d7f0e

SHA512
05ff71bade63d6153618a11c5a56e973eb9b4e2da304e447aef26a0653bc795428faaf5a280b7e719da29cd0c7c5ab91ed3de2659890be85b8d49280e193f1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16f78eb02ac3e29947aed1186c525146

SHA1
a2d9de587bec66583f1c1b3bb6b1f2590a471425

SHA256
66c733cd5b256b7b728db6432310fe70d660ea01e012d3d79a51540265dbe6dd

SHA512
d76e6f74a5c3bff94a50ac8e927b10603d5360ed88b73abd01ad9922265c617363b2ada848862ece1ca295cc235493cfc8af35817aef2726c6a78ac395ee426d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb1db59f4316d14ed85735f414746302

SHA1
63ea54a2c7c37ccf62830fb8dece1a7ad0aa9902

SHA256
926d33a7dafcbbd951042c700ee51a09387322495176ca487fd4bbf2de40a3bb

SHA512
ba2965e43d303a2b0c92aa8371b7be5e061e24becc6e56ecfb0386bbdb2433852942407c191cf9d4ba043fc7837bf184fc7e0dc6ecfd1472ba211fc1046fbd91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
023c35db25eadc62956c5e45dc7744c3

SHA1
cd57808ec09db0e26ca840310c6c64623bcc4e7e

SHA256
61031653ca5cd0c7648511ab0b0f4a7fd655a3840d76254e875389c71e13b3e6

SHA512
d3363c54fe9e882e361f937bd8c7ae3642856e3d88c21e4c78c6214f66b4ad9824a20dee0d31edde8e9ec27dbc58ebcb178f969cc86c979739cec35a6aeef20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f260e6f365b6669b3d6996be11ab6052

SHA1
f490534fc960bd83d336926d5f8d5e85ade3012e

SHA256
d71c8024b4103f055ace51d8ef7826d9334d4b914a81bc1a4b06e805ea944a28

SHA512
971501c4bd66a95d3fc2740141364137934db5dee99e83705f914d4266fc3c161722356429cc3d71d9520eefed2dba67224d7d65e3442a8d0d58eb0a7aa84276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5811467fc78e42a2dd3f565068c3db36

SHA1
0139080726d717af728dc82761c2193057ca8449

SHA256
69c78f9e14839297df8a5bbc42973db4f88654737c7d3c9d0782d3eaabd7f61d

SHA512
7bf77cb7a0dab90385d88a7622c41b73d8b5eaad876e10840a680996b84d8a80d32910e0d3dc46d14a51911e63dd1194fbb2571747446fa71b790b339193ab92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
701eb0b2c5ba2c6e12ab8374cdddb321

SHA1
5752723eaf450960e0191ff398d8fd268cea28cf

SHA256
dc39cebe6e349370d9330c13caa4d798d385679683b78209426d9498f810db21

SHA512
7816e4e8a26ae19aa25844e2029ca8dd32892357fc47eb55a41bdec9a7fef1d3345b74aacb1a7ab8db167350add4dc52953f11657eb1bbc4db63b91b44bd819c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F65.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
223B

MD5
ec0178e228346e9df1ef19ee1078e83d

SHA1
4ccd840535569c4077552f7bf6a7458f7099c3b4

SHA256
e887b869e81d0238d73bb3af40933225f37a8867a4ad901646e05e524888c89a

SHA512
355fc3ad984513a6955da3848324e625a54024477cb90a8d3227edd596496530062687ba6885e2294cf60a9415939688dd3ca647c68eb7d828eb38ab2ba86f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
223B

MD5
b66eac1eaa81c8b4f2c3061f1d01adba

SHA1
335822149fc28bc94612f9189185b9c8a9d56b77

SHA256
4320d390d1f2c0e4686e9223db22f1b597b07e8fa2e3eee4cee0ed3427807dc1

SHA512
158182627dca2c615cd7c580ef891e19ef971cdbd974a5d07cb5edb237f500be66ca4886cb2288ecec86ddaeaae6b46a6bc2a2c6fb4a1eea2738c1fda3e39f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
223B

MD5
6b5a02899a5736f9464d51d445f167f2

SHA1
935024f382ca14ea2d48505895ea75ae915c45ea

SHA256
b247e98be1635db26c8d4f67a27c52efe63855460cee84647ac1af7a8689bea9

SHA512
d70c700bba6719e21ab1f81350cc5ccdc8f9f3ad39f4fd4ac95d15bdd0686f8a4d30c6e399265823a9a8e4504562674b9a1d60d8e5c0522b2c30428a3d10cbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
223B

MD5
f344bbb28d2df518924663e85d5b0731

SHA1
9269767fc8a6a430a9785753653ae2183a355e49

SHA256
bd33b06691c8da9b3a2f4d5363bbde347a8cf41e765768ec575e814357d3fed5

SHA512
afe0cbdc451a120683c6287bac42ff51c643d68435cd91a35570d91c6ed9cdce07438599c6e6b04a938c29743907e4eeb72566681ca1e1f0743286f149f6e803

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
223B

MD5
893cde6f2fe4f8628d3e1d326691c0e8

SHA1
6aacfb60b3cbfa9ed8e39f7fd8f702ca5cc75cb5

SHA256
0a298798be5863053f71fecdd92e0cb7d5cfae6d3da4aa55d92c90676508472a

SHA512
4f787b79d09fccb216c4df295b6ab5ebea253333ff3dead01db621456d9a87a985807b653a43898848b34e5c5efe8e9d319ba0c74e4d69b423ff2f34bdfed200

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
223B

MD5
51ae4bba393bba93a6281b2f7c2202fb

SHA1
272d86d6bc7481d06c2559c45bd9fe894c68aae8

SHA256
32ee79d12ce979f524b316a0f25317a6c16ea2f98dfbdd4a85dabbafc3dbacb6

SHA512
c1e50cccbe288541467d9eafea3af46a50da4f78f48e8b7d662cd35f1a36f3f985c4df5836bc079f40d40d29562697a428c0fa628d6434a361a9e881dff9a957

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
223B

MD5
044358177940ee473008ec274092fbfa

SHA1
a54a9005b4e8ad1fa547ed4e51aa763004781f4d

SHA256
b6348badede565ec5ea300c398887c79862083b5d2bead3ed6a90a2710b22958

SHA512
d7ee72566a80ac7077f274f13ae458530ed7032523151367c76e42737f94cc63ea62c244fae701b8a271af2a39d56ea212213b6ae3c3dd57da4eb1ff2424a7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
223B

MD5
616dde07ba258f8f54377804639c9527

SHA1
1582bbdea6422dce37f8af6595e6d9bbbb596a9c

SHA256
a5e45160e830b16aacdaa057f2b5da57bf7746bd7ef4013a03658394b1ef75fa

SHA512
7a7b7ba543ba198fcab85e8c508490d063039b249703435847a94b6d15b0f83513fe48026306c456700638165836056e250203e21f97f8057c434888fd4c65d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
223B

MD5
243067b74c18971fe149eff6aacaae98

SHA1
e5815f91d695cba9b295b68336395f936dbc4696

SHA256
993107eb4c25dce5ef9d1ef8da59e4f7de37f428fd78eab5b92ef96dcb0424d3

SHA512
ac28306a4563723c787aa9656cbf2a6ec588f8ff7c536dfd127e468a9222da2dd86262759a8528143061f4fad0a234d444f8196e5df9f749c56d406134b4a952

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat

Filesize
223B

MD5
00c5356a06a280d5908c6ede23e7ce25

SHA1
4beb9eef13b0026d3e99bc8ed79a78df3e2c18c8

SHA256
35b2ebc84d961a398a9d2584848367e0eb3c9883c8580034e2ff080ce0357ec1

SHA512
5858e2562563e5c2b2d45f20dc9c71e2d99855ead8315aa3f9b4997dd9786fcaded03b110c887f8de08a0fd62519781bedbbfa4750e5df5fb7c5950637550c23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7aef5a088c0f3a37ed7c6faab9624680

SHA1
17dd58355f201948da7255f70b81cf9014556c94

SHA256
6189bf1e03f0ff2608c9b56feee5b5295d26bdb370d782d4a6d98f0dfb1066f0

SHA512
8ccd064151a68194d276e3e29eb09ed4ab94fd5959ed6e17478d2ab610638ea894dac4f72c7c6e211aabfdfdcc43d109af15a683c23cd7025af30441a50931db

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/300-367-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/300-366-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/1412-306-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1712-40-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1712-45-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2156-246-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2448-427-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2496-17-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2496-13-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/2496-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2496-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2496-16-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2964-38-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2964-61-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/3052-125-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/3052-126-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3064-186-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download