dcrat | 3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe
Size

1.3MB
MD5

61f34537bf4e69f94077ac1e94fb2b39
SHA1

b2c1d94a31cdca33e6c8e3d592a14bca51526e0f
SHA256

3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45
SHA512

58de7be8287f381227746eef672543b257d06e45704be5b6ca7cca223fbc5ddc1258da3604e8a47cba6841c7aaa95eeeea6eb2a80fb7de9b014e1a9ddc581abc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2156	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2156	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d07-12.dat	dcrat
behavioral1/memory/2108-13-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/1580-73-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/604-192-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1296-252-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2072-312-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2568-549-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2192-609-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/1740-670-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
1948	powershell.exe
2512	powershell.exe
3036	powershell.exe
1688	powershell.exe
2188	powershell.exe
1876	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2108	DllCommonsvc.exe
1580	taskhost.exe
2984	taskhost.exe
604	taskhost.exe
1296	taskhost.exe
2072	taskhost.exe
2944	taskhost.exe
2372	taskhost.exe
2080	taskhost.exe
2568	taskhost.exe
2192	taskhost.exe
1740	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\Maintenance\it-IT\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe
776	schtasks.exe
2924	schtasks.exe
2720	schtasks.exe
2904	schtasks.exe
3000	schtasks.exe
2776	schtasks.exe
2912	schtasks.exe
1612	schtasks.exe
1784	schtasks.exe
1248	schtasks.exe
1844	schtasks.exe
840	schtasks.exe
2148	schtasks.exe
2640	schtasks.exe
2892	schtasks.exe
2972	schtasks.exe
3056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2108	DllCommonsvc.exe
1688	powershell.exe
3036	powershell.exe
1876	powershell.exe
1948	powershell.exe
2160	powershell.exe
2512	powershell.exe
2188	powershell.exe
1580	taskhost.exe
2984	taskhost.exe
604	taskhost.exe
1296	taskhost.exe
2072	taskhost.exe
2944	taskhost.exe
2372	taskhost.exe
2080	taskhost.exe
2568	taskhost.exe
2192	taskhost.exe
1740	taskhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	DllCommonsvc.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1580	taskhost.exe
Token: SeDebugPrivilege	2984	taskhost.exe
Token: SeDebugPrivilege	604	taskhost.exe
Token: SeDebugPrivilege	1296	taskhost.exe
Token: SeDebugPrivilege	2072	taskhost.exe
Token: SeDebugPrivilege	2944	taskhost.exe
Token: SeDebugPrivilege	2372	taskhost.exe
Token: SeDebugPrivilege	2080	taskhost.exe
Token: SeDebugPrivilege	2568	taskhost.exe
Token: SeDebugPrivilege	2192	taskhost.exe
Token: SeDebugPrivilege	1740	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe	31
PID 2692 wrote to memory of 2668	2692	JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe	31
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2668 wrote to memory of 2960	2668	WScript.exe	32
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2960 wrote to memory of 2108	2960	cmd.exe	34
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	54
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	54
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	54
PID 2108 wrote to memory of 2188	2108	DllCommonsvc.exe	55
PID 2108 wrote to memory of 2188	2108	DllCommonsvc.exe	55
PID 2108 wrote to memory of 2188	2108	DllCommonsvc.exe	55
PID 2108 wrote to memory of 1876	2108	DllCommonsvc.exe	56
PID 2108 wrote to memory of 1876	2108	DllCommonsvc.exe	56
PID 2108 wrote to memory of 1876	2108	DllCommonsvc.exe	56
PID 2108 wrote to memory of 2160	2108	DllCommonsvc.exe	57
PID 2108 wrote to memory of 2160	2108	DllCommonsvc.exe	57
PID 2108 wrote to memory of 2160	2108	DllCommonsvc.exe	57
PID 2108 wrote to memory of 1948	2108	DllCommonsvc.exe	58
PID 2108 wrote to memory of 1948	2108	DllCommonsvc.exe	58
PID 2108 wrote to memory of 1948	2108	DllCommonsvc.exe	58
PID 2108 wrote to memory of 2512	2108	DllCommonsvc.exe	59
PID 2108 wrote to memory of 2512	2108	DllCommonsvc.exe	59
PID 2108 wrote to memory of 2512	2108	DllCommonsvc.exe	59
PID 2108 wrote to memory of 3036	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 3036	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 3036	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 1320	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1320	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1320	2108	DllCommonsvc.exe	68
PID 1320 wrote to memory of 1324	1320	cmd.exe	70
PID 1320 wrote to memory of 1324	1320	cmd.exe	70
PID 1320 wrote to memory of 1324	1320	cmd.exe	70
PID 1320 wrote to memory of 1580	1320	cmd.exe	71
PID 1320 wrote to memory of 1580	1320	cmd.exe	71
PID 1320 wrote to memory of 1580	1320	cmd.exe	71
PID 1580 wrote to memory of 2096	1580	taskhost.exe	72
PID 1580 wrote to memory of 2096	1580	taskhost.exe	72
PID 1580 wrote to memory of 2096	1580	taskhost.exe	72
PID 2096 wrote to memory of 1020	2096	cmd.exe	74
PID 2096 wrote to memory of 1020	2096	cmd.exe	74
PID 2096 wrote to memory of 1020	2096	cmd.exe	74
PID 2096 wrote to memory of 2984	2096	cmd.exe	75
PID 2096 wrote to memory of 2984	2096	cmd.exe	75
PID 2096 wrote to memory of 2984	2096	cmd.exe	75
PID 2984 wrote to memory of 1984	2984	taskhost.exe	76
PID 2984 wrote to memory of 1984	2984	taskhost.exe	76
PID 2984 wrote to memory of 1984	2984	taskhost.exe	76
PID 1984 wrote to memory of 328	1984	cmd.exe	78
PID 1984 wrote to memory of 328	1984	cmd.exe	78
PID 1984 wrote to memory of 328	1984	cmd.exe	78
PID 1984 wrote to memory of 604	1984	cmd.exe	79
PID 1984 wrote to memory of 604	1984	cmd.exe	79
PID 1984 wrote to memory of 604	1984	cmd.exe	79
PID 604 wrote to memory of 2168	604	taskhost.exe	80
PID 604 wrote to memory of 2168	604	taskhost.exe	80
PID 604 wrote to memory of 2168	604	taskhost.exe	80
PID 2168 wrote to memory of 2468	2168	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c258af2e7dd12a2971da815b13306d1edd006b4068c2ec4eec4286128d81f45.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HT4pm53nyK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1324
      - C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1020
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:328
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2468
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        13⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1612
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        15⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1908
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        17⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1248
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
        19⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2152
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        21⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2556
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        23⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3036
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        25⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2800
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df3000d8868379963f55a2b0ab902d5

SHA1
7b9e5850eeb3d6afa4188c322211047d5844a3e4

SHA256
b95a8cd25cfb1a0732b908829f169038150c82eeb095b710eb1414eee6abe909

SHA512
8e20e042081c21ff0f750f57c8fd5c4cdd7e56faea28005ee071d8c1c2f88e247bb0013e028f8c8c17d0a7cb169d088288c32e54c93015cb9921016c5351eb88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80f2cc15bd20f8b13ba5c9bb822a829a

SHA1
75ce933b0744979575e98935ad4c9a1660567ba5

SHA256
0f29a632d411b54fb49acde7f7beda75c523e4b5a2ddb7739c61812a769568f1

SHA512
72cb7e69a57d3de378fe353eab24b7c4cb9d9268b218c73b5643cf88a60ee78beb51775357a4516429a2e3bb8a687c0f4b93175c42d55e1489ebc9d1864ef137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d7258d05a34d0a972f144f1f1f640f

SHA1
d37a9e852e86522e183ef2d5c74250945d12acd5

SHA256
1a175325af928023da0c04ea6692a26893fb31b78aabd18d0ce317b72481c926

SHA512
f3304cfa68dcc32c74394818091304fb153fd35a7312c3aff2643919ea1ec75a09fe376eaf34e3a26cafd96149fb2156b31bbbaa3f401838f808da7db07cc8f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d92ebf1ccf0a6d2851c4e5f430cb0963

SHA1
8cd48f78bd5399cddfcd30838dcbe42eb728b34c

SHA256
20dce168780be33d7dd1bd8fa0ed11cd5bb3801c9837bfdc79b4230f90662c09

SHA512
37ad301b7ca38efb5695211132f3f98a56dac4e82d7e250593da7df569116b04ae8028dd11d52b7611b07efb63511b8a99240bc187ce967499600c2401c3fba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c84d523b44b3abb74d45ab2c2d997d

SHA1
8ad0b63a6dc7159d04b67c4f6cc9ec4b8e412721

SHA256
5e02c3c69eff9a6ba93dcf99de2fd7b27dc93c920b7f98c055fe4e353d82af3c

SHA512
aad2ff56102713883d62098aeeba9296e86f028d61b3cb9ced23b8d901e664637e23bdd65f7a5692be1f6041646b7eb38a25ac97d13fee6183a760b7848cc074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99aebc599af174093efd8cc3c9a422c6

SHA1
6050dfa41c308df839ebf1e197cb3ff4df5d9aa7

SHA256
1e0102b6070f1a42f7cbb181daf4a08e6a3a1c34122fc20f11fb0e7659479b7a

SHA512
1d848cca4f24c5a491817cdb1252c54a4cf132905b772a72f5921450760d2bf3dac799847d2b2c014241d4603f8f1bf346962bf5760042ce3e7da1ec199d3b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ee870cc0a1075607f742f40e4070016

SHA1
0a46be89dffc13003b8d27e52bdd2303f0c251a6

SHA256
8075afc60f9e61cf9f5c488011a73ef9bba9089920dccfbb885e948866622797

SHA512
b796a11a49fb1ae4b0ca8fb979d23778a52951caaac99efb894ab7d2e31c0e5ad6d4e269c821688c8e5bd6b33dd39fabf8da4cb7e952abe71b8f638d004e01bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c6e40c50210f496dd53dc7adf715d8c

SHA1
5b26f1dc27d17beae44ab4c0f20f0a55431572de

SHA256
b67e5d48d919cdca7687b8a7efe0de94a8e7f46a3b78fc9ad3371678b25f404f

SHA512
e764ae463a483cd808e6eec44bbcc9d7bfe61dccb05cc3d81c390d3b4149250e819352493688fa3ba09ecaf07dec21b544978f0a1cf74bd3b352ed94e5127037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
408c1882a73f1499ca1aba05cf5f1c6d

SHA1
85404adeae7d52ac80aaaddab4d155c2576cba32

SHA256
1ac70399010419e609773ebf0180035e12123d7a62aa7c9a3c50a848f289686b

SHA512
d3b662d4aabcea70d56f9b968c83f1745bcb025e904992e0faa18077ca2c142d108f5ee07266ecf3655f8a7f021d9c9a73851cc1d18b7cac69dd31a3adb08e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
195B

MD5
ee8078f8a8612532f2e96badbee49708

SHA1
18d0438111e0941b570885810dd0222911559024

SHA256
d68d1d1fa4918d6fb663226fdb8bbe551587edd791d65d7647197f5b590c3e15

SHA512
157ad86004e6d24f436e9ecd00959c966df8bab5e806e3a652e34b0b512e357792e30cd8a6bf3b463534275e0d675a7364ff38d7e92509bb7d4e691f150abb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

Filesize
195B

MD5
27fadc848f5865eb265a7c6293e1b3e9

SHA1
30462dc001d8e1a8f63bf35ba300b109954ebf20

SHA256
a81408b75ae81c1668fe756e2b4a15e2bc7237bf15d91a0bd91c0dc9c510dff0

SHA512
bdba78e9a5a20b96ac316e18ed88033c9b8e2bdb96470d7554221af716b803721c6bc42990362e08442694256614dfbe55513bfae286594d39f0324c01794223

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
195B

MD5
35cf9ef65a33736b6356006ad06c3db4

SHA1
9d070757c63d09527082be334e5aa30c6764435d

SHA256
7da387f1fe17db1e7bcec8fe5dfbc8c7b0a6b6544a87888bb56bc19eb218eddb

SHA512
bfe45b212db7e36779cd4cc2eaa8fc9d7d12d4b0c2b1c7d07e54dca39ab20fb0d61a086e3fad9c46771bbdd8f324d42547c5619eb11614a94c084b0ab6665610

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab395A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HT4pm53nyK.bat

Filesize
195B

MD5
9e337005e9d29afbd146de817e996f30

SHA1
e4e3b493d5d2d5136820c7df4c7dfa047b63db66

SHA256
9bc81549c86c01e09704a16ec189e6cb93b0722f96261e3041ebaec048736ad3

SHA512
2cbddf637f266b7aa6f6b4f14d2d615e3aef40df3acbdfbd0c329fe38b01757d2d0d3d58e808e5f2763eae0fa4d22e77afdae3b107c735b99b8a63873679a720

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
195B

MD5
12d2c52d05591f9771586bb98dcf2baa

SHA1
157c53aebed5834ef3b901b26dceadbb1d1e2ae1

SHA256
70fe56471c2209a21390f5530c014944fdb868911f1138c53a9e5691607a2198

SHA512
88e6c2f45cc356d994b8de7dc995157f28685b224a63094c648e98d05e62747ed630a0a5c20bbaa22fd3125d833ba73246003ff66c423c3a65e41f6d80afa66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
195B

MD5
56ee98e1c8601c5ab09434f9bd10e9c2

SHA1
e9e2a881a94054737b124e032fe131fddaadd7fb

SHA256
61ec689b26b22aea3340a03e348e72edca451a5fc335ba24227307bef1704323

SHA512
2f252d8aff92463c1344468ad796b343dc6fba860763fb03fd86a75e7951255d5d43e17def26399810b15e00212e1f77a459bb087fe2c5012a7c5634dd9f6833

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

Filesize
195B

MD5
d7472dd793c038fd69d8e6de95d559be

SHA1
9a43b876ec8d0a712992291c0a2a1b2c4ed0a260

SHA256
8af8ec99958fc82216701721ab1f6ca02a1f811028ac8b445ff81c2f1daf6052

SHA512
73f2f66bc55f1948fda5d6380fe5725e6772b595b399678a0f85a1aca735fe3fcf992efb4bda67e9a6decab9873881a5c1cf6a59abbe9ed6f6f05b04eee02e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar396D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
195B

MD5
2bfa8feb34abba923851734df3e5901b

SHA1
7b34a753431efeccbec1daaf468abffbe9fca78f

SHA256
a2155bfa1a5bde48d269b83eca79274ef63879b136c5bae7f7258d49cfb8b6c3

SHA512
9a857c48d01ad70331f1d790438d961255f044d961107e91748230b673db79d35ca58a3e3d4dded3997de91df5726854b525e9165871927a70e2f40e915ad5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
195B

MD5
420d21163dbf93401ddc927cdaa50956

SHA1
bd24d4997ac38fe46a196763fdcb0430a83a53c9

SHA256
9ae71074cc3895bf994ee285e65f0d0c5a02b09c141b91403301ac73bdd2b875

SHA512
a5aeeda8b70f1283a9ffa3fddb07270da3e158f0b4d7a5ae33a0b02b30f16cbfc24c3534d79338eb234d62c8c2615123695f8c6aff89c26a3c79cc09bd3e1cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
195B

MD5
7fdfe8fa279b49369744f8ef9a237f86

SHA1
b6c82f25d2567209ef8dd7c366aa8f540a6b5a66

SHA256
a3e507cd9dd1643e1093572dc221311f4aff6328c23db5ebcdff808b90509b33

SHA512
2c724080c3c24075210cce49511afca77b90943fc5477739df9fad0b0d711f9d26a42ef355acac9f346f86200a1cdd146aa4629fe7783a973b9523f5681059cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
195B

MD5
768942f9422a3abc271b995a275f7bdd

SHA1
487baac4f8c9b21418975de5d2b69a995144f7bb

SHA256
887ed9bb01292185f74b35b8f971bf968013bb3c8e71de6efb6ec31e35f4deb6

SHA512
0f755c102c8c6195c4b6a25dab3d5f45964f2403ecbc2d188f2b50c8e8432576d72e7d8c6a7703238159993b440392f6a87fd1bf7c710b9b4ae7cfc5b4851bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e3a22c7a88d431c84bdaeb0be39b93c

SHA1
a2cf139e16268f455ad47109ea06750dbf8061e1

SHA256
e176127513c1278ba9042c5b5b98a5b67d4bab596b55fcb862a4fcd7b5170b4d

SHA512
b738e63372aaeb0c9630bf88a64a4871942495ce3c532f00e9e379bb2a3e1e52d923f687426827fc7620d16dc68f97b553673873cd2b9a30f7f98bb9e94ef2c5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/604-192-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1296-252-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1580-74-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1580-73-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/1688-69-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/1740-670-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/2072-312-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2108-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2108-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2108-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2108-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2108-13-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2192-609-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2192-610-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2568-549-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-70-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download