dcrat | 4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
Size

1.3MB
MD5

ca3ac46b4772a1a78cb4a52e5f49521e
SHA1

3bc93ae4f50a8a54e38847e43de5c352ff023b41
SHA256

4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b
SHA512

70d04811fead8120c65a7b4be94e80d80a81e1d66d2cdb0eee2ef4452efab98ff51efad24a6048eda48b759a70c02d9ef3fa7790078e45a60fdd1f5c0ebabaa8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2820	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d6d-9.dat	dcrat
behavioral1/memory/2660-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1652-32-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/3032-177-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2316-238-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/1868-298-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2072-476-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2640-536-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/1972-596-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2312-656-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/956-716-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe
2424	powershell.exe
884	powershell.exe
1632	powershell.exe
1464	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2660	DllCommonsvc.exe
1652	System.exe
1624	System.exe
3032	System.exe
2316	System.exe
1868	System.exe
1712	System.exe
2432	System.exe
2072	System.exe
2640	System.exe
1972	System.exe
2312	System.exe
956	System.exe

Loads dropped DLL 2 IoCs

pid	Process
756	cmd.exe
756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\es-ES\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
2584	schtasks.exe
2656	schtasks.exe
3020	schtasks.exe
648	schtasks.exe
1840	schtasks.exe
2704	schtasks.exe
2788	schtasks.exe
2752	schtasks.exe
2624	schtasks.exe
2160	schtasks.exe
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2424	powershell.exe
1684	powershell.exe
1652	System.exe
1632	powershell.exe
1464	powershell.exe
884	powershell.exe
1624	System.exe
3032	System.exe
2316	System.exe
1868	System.exe
1712	System.exe
2432	System.exe
2072	System.exe
2640	System.exe
1972	System.exe
2312	System.exe
956	System.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1652	System.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1624	System.exe
Token: SeDebugPrivilege	3032	System.exe
Token: SeDebugPrivilege	2316	System.exe
Token: SeDebugPrivilege	1868	System.exe
Token: SeDebugPrivilege	1712	System.exe
Token: SeDebugPrivilege	2432	System.exe
Token: SeDebugPrivilege	2072	System.exe
Token: SeDebugPrivilege	2640	System.exe
Token: SeDebugPrivilege	1972	System.exe
Token: SeDebugPrivilege	2312	System.exe
Token: SeDebugPrivilege	956	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1228	2504	JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	30
PID 2504 wrote to memory of 1228	2504	JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	30
PID 2504 wrote to memory of 1228	2504	JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	30
PID 2504 wrote to memory of 1228	2504	JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe	30
PID 1228 wrote to memory of 756	1228	WScript.exe	31
PID 1228 wrote to memory of 756	1228	WScript.exe	31
PID 1228 wrote to memory of 756	1228	WScript.exe	31
PID 1228 wrote to memory of 756	1228	WScript.exe	31
PID 756 wrote to memory of 2660	756	cmd.exe	33
PID 756 wrote to memory of 2660	756	cmd.exe	33
PID 756 wrote to memory of 2660	756	cmd.exe	33
PID 756 wrote to memory of 2660	756	cmd.exe	33
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 2424	2660	DllCommonsvc.exe	49
PID 2660 wrote to memory of 2424	2660	DllCommonsvc.exe	49
PID 2660 wrote to memory of 2424	2660	DllCommonsvc.exe	49
PID 2660 wrote to memory of 884	2660	DllCommonsvc.exe	50
PID 2660 wrote to memory of 884	2660	DllCommonsvc.exe	50
PID 2660 wrote to memory of 884	2660	DllCommonsvc.exe	50
PID 2660 wrote to memory of 1632	2660	DllCommonsvc.exe	51
PID 2660 wrote to memory of 1632	2660	DllCommonsvc.exe	51
PID 2660 wrote to memory of 1632	2660	DllCommonsvc.exe	51
PID 2660 wrote to memory of 1464	2660	DllCommonsvc.exe	52
PID 2660 wrote to memory of 1464	2660	DllCommonsvc.exe	52
PID 2660 wrote to memory of 1464	2660	DllCommonsvc.exe	52
PID 2660 wrote to memory of 1652	2660	DllCommonsvc.exe	58
PID 2660 wrote to memory of 1652	2660	DllCommonsvc.exe	58
PID 2660 wrote to memory of 1652	2660	DllCommonsvc.exe	58
PID 1652 wrote to memory of 1848	1652	System.exe	59
PID 1652 wrote to memory of 1848	1652	System.exe	59
PID 1652 wrote to memory of 1848	1652	System.exe	59
PID 1848 wrote to memory of 2972	1848	cmd.exe	61
PID 1848 wrote to memory of 2972	1848	cmd.exe	61
PID 1848 wrote to memory of 2972	1848	cmd.exe	61
PID 1848 wrote to memory of 1624	1848	cmd.exe	62
PID 1848 wrote to memory of 1624	1848	cmd.exe	62
PID 1848 wrote to memory of 1624	1848	cmd.exe	62
PID 1624 wrote to memory of 2700	1624	System.exe	63
PID 1624 wrote to memory of 2700	1624	System.exe	63
PID 1624 wrote to memory of 2700	1624	System.exe	63
PID 2700 wrote to memory of 2164	2700	cmd.exe	65
PID 2700 wrote to memory of 2164	2700	cmd.exe	65
PID 2700 wrote to memory of 2164	2700	cmd.exe	65
PID 2700 wrote to memory of 3032	2700	cmd.exe	66
PID 2700 wrote to memory of 3032	2700	cmd.exe	66
PID 2700 wrote to memory of 3032	2700	cmd.exe	66
PID 3032 wrote to memory of 1824	3032	System.exe	67
PID 3032 wrote to memory of 1824	3032	System.exe	67
PID 3032 wrote to memory of 1824	3032	System.exe	67
PID 1824 wrote to memory of 788	1824	cmd.exe	69
PID 1824 wrote to memory of 788	1824	cmd.exe	69
PID 1824 wrote to memory of 788	1824	cmd.exe	69
PID 1824 wrote to memory of 2316	1824	cmd.exe	70
PID 1824 wrote to memory of 2316	1824	cmd.exe	70
PID 1824 wrote to memory of 2316	1824	cmd.exe	70
PID 2316 wrote to memory of 1448	2316	System.exe	71
PID 2316 wrote to memory of 1448	2316	System.exe	71
PID 2316 wrote to memory of 1448	2316	System.exe	71
PID 1448 wrote to memory of 888	1448	cmd.exe	73
PID 1448 wrote to memory of 888	1448	cmd.exe	73
PID 1448 wrote to memory of 888	1448	cmd.exe	73
PID 1448 wrote to memory of 1868	1448	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a276cd9450909bac91468f2f4518b3b162bf5f6860543256369bfadf085479b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Festival\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2972
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:788
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:888
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        14⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1620
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
        16⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:696
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        18⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2908
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        20⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2012
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        22⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2224
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        24⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        26⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2880
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Festival\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Media\Festival\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Festival\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377901bfd2195d719d563c48be56f646

SHA1
65af8c71daea010629c5ed7f066b1437e7a15f21

SHA256
964658cdfbbfaf40f995124f51b4b6a5726918e620bfed4fa7b31fd454652a65

SHA512
40ff97b2e22f0e272bd7919a9397b5c834f4e5b3e0111cf754314eebf260cc417504573d0467bd11e96b395c5c8de9e46b287c907c21dba1a0c5fa5a6cf92202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7438aad8986e7fe515aa09088c7d283

SHA1
3f8a2023e29ccb6073ae3ae741d02da76e810919

SHA256
498bdf60edb20abccd67b08e5a290aa3253a899e03845444c71d119f762504ad

SHA512
b2179c80e287e24ca2c5c46ab0483c95f9b031d476c9714c7025ab0de3c3ec5fcd3847c64ef63a5945df5a6771a6e9c304dfd591158233fd82b51ab63d9eaf70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f51d5a6edcc53a9d5841f99fb75abed

SHA1
d776f010f6988588ee395f59c7bd871352d0d695

SHA256
1560fd3e6555d4b9bddd1b32b179c09217325bbf75a58964863ed31cf7196e14

SHA512
e4c8eb65fd19b3944762f824f8507fd45628ab73f3e851c510cafe4ad178775db11935a5dd3656f811bab4468ce60db97c643ca29309676ca7bdd07d8372d21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b17fd154a885fc5f102c19896051234e

SHA1
09edcc2c394d34bd6ea07a8d389d35117606da8a

SHA256
c69323a7c06ede94ba23d6698ef4778911ec0fc1678635981e056f578f78ca05

SHA512
01f3acc8e627c1240a64028978943b3e349a1786ad02dc883b355ed7abb526e44c35d0de0230294e68eaab03d8fd6673155ff79517ded2851f6ebbe6eaf2a5b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7adfc2effad2a15641196356a103c847

SHA1
a73eb7047404ee5987eb7b1213b74aa0c71f257e

SHA256
dc04060b895332ccb31e5c00a90f925b3cd1d24c75819087605914cffcc53396

SHA512
4a611fd8608a8e62216bc6aa892e86f8f7ac3e857be608505e2cef80d8410f158ef05b2ee65f5ccce65580ebe45c74ceef6d6603bacc6ab2f15d5d03626ea3e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9b2add38fc3ec693c3c71684073413b

SHA1
b7eb53e0c5853ee9e18e32b08abe639ad7f944c9

SHA256
c2828ed530a8f1f2a616debee24e22c00edf995ce0c2fa766937ba6d55d94ef1

SHA512
1fcb34412b4eb141ba558d539eb1f4336b77a66b13a03422c1f27c5b54424a0c061873712c41a20f4703e275ccbf3b558a024a1cdcb28006842bd8ee19ed023e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
336e8bb3f5fa1514f6bf3dbf1363f2a6

SHA1
210a53221e9273fbf60fed624ee4dab2451264d7

SHA256
ed28df789bd1fea833e100460844095874a338bae9e2922e19709b12d0af5c3b

SHA512
e7f8e0eeabff1b04e428d94576e40b796f58c696587ec0e62bdb0ef377b2b5b22a5ef0dd3bfae5f17c2e9a90696d33267bbb81f5ef7db6a44ea38d5c2b6e7406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c67975c2acda5d44bc646a7fb707198

SHA1
8b906bdea6316a5f0cdcf115ee450398dd003188

SHA256
adff20c1069b27466c739c560aed0fc66cb05fa4085b45bfb3f8d19598e0c666

SHA512
fee70eb0da4791c8f0de13bb64a87c705d8cf7bd03dbadb383c378be67478da16a011a82ff19b6855f6ed06e0d073d642e35486c769e55e3c6160c75e9b5db01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f44ad682d59a4afbe67f88d6fa0acff

SHA1
cc62a505beac03ebb8efa69b53f466fe453dafe6

SHA256
4e3fdeda1c8f4d3d35768f0563c0364efbb4ffae7bbffa92a904dffcb64deaf9

SHA512
8a8bf3c89478e758c57a7ab1eaa15a39a7370db72809010aafdb3c09ce9f243aa4db1bfbeedc12821f43879327065fb340529ba2c1e9a742da3e0041d484336b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a34def9cf51d0ed594977c36bf659e3

SHA1
5ea4ab0bb3da341d9204c68d6beb598020ce0cc1

SHA256
2936521b695feb6e3d0e1d9ffd80e2b6ab368f01b2f9ac9592a2d9cbcc57fd2c

SHA512
f8e811b668e29f968000bb044edcabc7311d5ac5cdfc5805822690b71886e32d41bd55eb92fcc2efbda4dbfed6370ec18538f4c83350fe6430a3591041f12e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
238B

MD5
a55073c49d3fa8247be7c2aaab47d4a3

SHA1
ae7f6a6d3444d75272b00f2352b81cd8b6193658

SHA256
8e5216d84d3967c3ca972c24b56ba4ab0daed299e7c30794f7ee1f2c4f35b504

SHA512
af57a65b7b38ac0c5a805f5595db05441fd68f67d1bff73db2b1ef45d9264fa1a249edb78aa6c0fddc7cdfce1ae1399dc1166be46412546609fd281fa068fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
238B

MD5
060359e180b651ca403db81cd907310d

SHA1
e8f5405378f73fb2ed79821bcbc9410c60b1b38d

SHA256
1fd1e679816865a5ce907be545755d09e521f30384f441e62a2a369b1cd3aba1

SHA512
d6c7438e960183f3178c50af40fec3abbc393fc959c12bb1b460fb0bbb1c44284069861f1d9646d6a400ae65d24f180de402378d7212e50509c0dd7616114545

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
238B

MD5
d92e26dca43dcad8bed20f957058db80

SHA1
c2fa724b9c6977127bf00cfd31ef63a998bc6920

SHA256
236e669fab8a4c42a20623d0484f9256478201d8f78da8e09dbcd9eb89273e5f

SHA512
dc32a8bfc57dd9da18b899a0986bd1a3668ce35af78c835e3e0eb86b7ae3a7cf6bd0442adf7d8dc94a8c344365ee52c7271c1911dd209910655f3de65b5d1e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEFAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

Filesize
238B

MD5
3c70b72cfab3f5d6300f319c04220ba7

SHA1
9073d10c9db91ea44bcf795443fea35739209218

SHA256
c328f974c5124d12041d3fc774a3089e575aa3cb3490042678ef61d1b80cd6d4

SHA512
33d65b248f67453aa45c37e8d33f7143a1f3f2f15e4716b30993b383e2dd05b0b6dfb5ca0b9418232c3972e98b0f16f6b6f06b81d0b83fdab7bf7818f2f7aa9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
238B

MD5
2fd8d52c7585b8de91f6df1161a89ad6

SHA1
936b2822ee31aee290c22b16c4ba839833d5fe43

SHA256
49ad453f70cf0cc55fddc56f6eaded345a34eea86170d9e09c9e8ced2bcbe6b6

SHA512
a122edd458d03eedd42a40501f2e6ed9729704f787e0db81a720f0536434bf01b7273162bd2a7b544eca7e297ca076585e44c39ebd4ffe7790d56ba01a847f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
238B

MD5
f63b0400e6cfae25094c3df439a039ec

SHA1
8ad4e0593cb69a790ffde1730067b5e1c21a6a8d

SHA256
933a0831efc997469e8c205c0e2d9c2febbf9e3b7323f7d8e0a4d59ffa356985

SHA512
73a1487c2055f5aae528bde8b62811af1df9f47c3e4731cb4ad215ae6d4a32db9dd624f03e7986661ff9ce5a117bded7b6f1da3a74af8c53bace6ef7c5f46851

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
238B

MD5
7f361b797c7b2eb0a993bba6877e2f4a

SHA1
78a6f3c2ea0eb9bc5c7e63951ebf57e4fc952d15

SHA256
4f0ae70bc98c85e399c367342c2468941770af607173f3e8d66f82607fedc996

SHA512
a04187ccd3a0ea73006e7252e1e8e2fe5e7ed63c7aa9204679c0aae726eada639753158dd9b0e275526d55bba7f2f1f345e2dbdd9788c0e67afd231ce7b43636

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
238B

MD5
70c5354bb322104e0ef077223de917fe

SHA1
81d46119d176573910777bef1fa0c1dc1bf65c7a

SHA256
39dac0366f9cada355b82fd5fea113d79508f38c51804c60f09fbe790d526bf2

SHA512
28d537c93e3ae21e399b4923b05c8d4214ee963992b7fbc9c88428039556067ed1487abe565a2a6d4901a40e9d10149866dfe07849ab7a3d7125408a4d54ecb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
238B

MD5
486113f3f8718dfcc883b8ae0776824e

SHA1
c020fe28c50bf252405db85daf092f704803ecb8

SHA256
87bb4ea2cffabe102da3c6c802d660c202b50096086ca4e9a380317b79bb640e

SHA512
07b61fcc1bbf2edd63ee8e7b51cdcc6a0bed4b9b960b68ae25f03cfce7e16e7e37421924e78b154855c5b30be27abf2beb720249ca5289629f6c245e521981fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat

Filesize
238B

MD5
2fe707a30da35fa55b086dcc0f2fe7bd

SHA1
90c4c271416ef1525c1c6d22c94c3c5749406261

SHA256
a28b4b820ada892629e7e1e2f41df4e8467255040f70a452a3a0a74d6f309292

SHA512
fa6b80e6af39b58493035a687bdb5fa93cfc9432e24100df8bb41304a3bd685d30aae1833821aac7a919a7b389e37f633955aa02197c7eaa0f1f518ebfe9cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
238B

MD5
90c55c4d52271ff2f89cfd30f1bdd63f

SHA1
309279c777eea4df3307178dd2de4e6eae8bf40f

SHA256
061c7290fd5a66e9baeba36defad713f2c82357674ec96787cccb4aeffd034b0

SHA512
c1bc5c334a2f9f36703f331b3815d2a23b2ad9f6ffe59adb078847e5ca4406e614144dda13f62d3534d261ab4193eff8c7b206b7d831b8068a536d5e519626b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
69f0900c104d8b91af147c876b8a93f2

SHA1
074a3b74d024476886402119b16698a23eac5352

SHA256
c89a3f7283c0065264548251b21dc6aa841e71007582f7d496845d9c84283031

SHA512
1786db5fd29d8839edf3c2bdaf3397bd80952fc1c7bfb002331f24129c9cbf5f2dfb2c19576252e1b5dc8ca0b163ab02e5781e61865a589366f3116ea787ee67

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/956-717-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/956-716-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/1652-32-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1652-45-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1684-43-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1868-298-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1972-596-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2072-476-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2312-656-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2316-238-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2424-44-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2640-536-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2660-17-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2660-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-14-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/2660-15-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2660-16-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/3032-177-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/3032-178-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download