dcrat | 0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe
Size

1.3MB
MD5

530d751ed8f3ab68b5f77b99ddbee899
SHA1

8db37112c9ae61f9f36da12e4b9958c7a84aac28
SHA256

0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f
SHA512

363cf82a78c45d6d80d475f8b558af7d6f4f0e0e29537ac1458acc96f9bbfd9eb7d8073daad4d7bff5ef6a973af0e2529387678dc29307d515953a64bc2ddf3f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2836	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0c-9.dat	dcrat
behavioral1/memory/2168-13-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/2228-47-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/452-376-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2200-436-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1972-556-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/564-616-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
2504	powershell.exe
2196	powershell.exe
3008	powershell.exe
2384	powershell.exe
2060	powershell.exe
2508	powershell.exe
2216	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	DllCommonsvc.exe
2228	lsm.exe
2360	lsm.exe
276	lsm.exe
1736	lsm.exe
2132	lsm.exe
452	lsm.exe
2200	lsm.exe
3000	lsm.exe
1972	lsm.exe
564	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe
1872	schtasks.exe
1492	schtasks.exe
2860	schtasks.exe
2088	schtasks.exe
2800	schtasks.exe
2380	schtasks.exe
2360	schtasks.exe
608	schtasks.exe
1028	schtasks.exe
2536	schtasks.exe
2992	schtasks.exe
1780	schtasks.exe
2600	schtasks.exe
2884	schtasks.exe
1944	schtasks.exe
1784	schtasks.exe
2136	schtasks.exe
2340	schtasks.exe
1660	schtasks.exe
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2168	DllCommonsvc.exe
2168	DllCommonsvc.exe
2168	DllCommonsvc.exe
2240	powershell.exe
2196	powershell.exe
2504	powershell.exe
2384	powershell.exe
2060	powershell.exe
2216	powershell.exe
3008	powershell.exe
2508	powershell.exe
2228	lsm.exe
2360	lsm.exe
276	lsm.exe
1736	lsm.exe
2132	lsm.exe
452	lsm.exe
2200	lsm.exe
3000	lsm.exe
1972	lsm.exe
564	lsm.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	DllCommonsvc.exe
Token: SeDebugPrivilege	2228	lsm.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2360	lsm.exe
Token: SeDebugPrivilege	276	lsm.exe
Token: SeDebugPrivilege	1736	lsm.exe
Token: SeDebugPrivilege	2132	lsm.exe
Token: SeDebugPrivilege	452	lsm.exe
Token: SeDebugPrivilege	2200	lsm.exe
Token: SeDebugPrivilege	3000	lsm.exe
Token: SeDebugPrivilege	1972	lsm.exe
Token: SeDebugPrivilege	564	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2424	2116	JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe	30
PID 2116 wrote to memory of 2424	2116	JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe	30
PID 2116 wrote to memory of 2424	2116	JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe	30
PID 2116 wrote to memory of 2424	2116	JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe	30
PID 2424 wrote to memory of 2040	2424	WScript.exe	31
PID 2424 wrote to memory of 2040	2424	WScript.exe	31
PID 2424 wrote to memory of 2040	2424	WScript.exe	31
PID 2424 wrote to memory of 2040	2424	WScript.exe	31
PID 2040 wrote to memory of 2168	2040	cmd.exe	33
PID 2040 wrote to memory of 2168	2040	cmd.exe	33
PID 2040 wrote to memory of 2168	2040	cmd.exe	33
PID 2040 wrote to memory of 2168	2040	cmd.exe	33
PID 2168 wrote to memory of 2504	2168	DllCommonsvc.exe	56
PID 2168 wrote to memory of 2504	2168	DllCommonsvc.exe	56
PID 2168 wrote to memory of 2504	2168	DllCommonsvc.exe	56
PID 2168 wrote to memory of 2196	2168	DllCommonsvc.exe	57
PID 2168 wrote to memory of 2196	2168	DllCommonsvc.exe	57
PID 2168 wrote to memory of 2196	2168	DllCommonsvc.exe	57
PID 2168 wrote to memory of 2240	2168	DllCommonsvc.exe	58
PID 2168 wrote to memory of 2240	2168	DllCommonsvc.exe	58
PID 2168 wrote to memory of 2240	2168	DllCommonsvc.exe	58
PID 2168 wrote to memory of 2216	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 2216	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 2216	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 2508	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 2508	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 2508	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 3008	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 3008	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 3008	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 2060	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 2060	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 2060	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 2384	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 2384	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 2384	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 2228	2168	DllCommonsvc.exe	72
PID 2168 wrote to memory of 2228	2168	DllCommonsvc.exe	72
PID 2168 wrote to memory of 2228	2168	DllCommonsvc.exe	72
PID 2228 wrote to memory of 3024	2228	lsm.exe	73
PID 2228 wrote to memory of 3024	2228	lsm.exe	73
PID 2228 wrote to memory of 3024	2228	lsm.exe	73
PID 3024 wrote to memory of 1872	3024	cmd.exe	75
PID 3024 wrote to memory of 1872	3024	cmd.exe	75
PID 3024 wrote to memory of 1872	3024	cmd.exe	75
PID 3024 wrote to memory of 2360	3024	cmd.exe	76
PID 3024 wrote to memory of 2360	3024	cmd.exe	76
PID 3024 wrote to memory of 2360	3024	cmd.exe	76
PID 2360 wrote to memory of 2892	2360	lsm.exe	77
PID 2360 wrote to memory of 2892	2360	lsm.exe	77
PID 2360 wrote to memory of 2892	2360	lsm.exe	77
PID 2892 wrote to memory of 1808	2892	cmd.exe	79
PID 2892 wrote to memory of 1808	2892	cmd.exe	79
PID 2892 wrote to memory of 1808	2892	cmd.exe	79
PID 2892 wrote to memory of 276	2892	cmd.exe	80
PID 2892 wrote to memory of 276	2892	cmd.exe	80
PID 2892 wrote to memory of 276	2892	cmd.exe	80
PID 276 wrote to memory of 1744	276	lsm.exe	81
PID 276 wrote to memory of 1744	276	lsm.exe	81
PID 276 wrote to memory of 1744	276	lsm.exe	81
PID 1744 wrote to memory of 1456	1744	cmd.exe	83
PID 1744 wrote to memory of 1456	1744	cmd.exe	83
PID 1744 wrote to memory of 1456	1744	cmd.exe	83
PID 1744 wrote to memory of 1736	1744	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0de0281926925a1d5c87d3d7137fd5e16c49e98f47da8109423f63239917074f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Media Center Programs\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1872
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1808
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1456
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        12⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2908
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        14⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2780
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
        16⤵
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1016
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        18⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:928
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
        20⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1800
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        22⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:980
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05cd88b8ddcb0c3cd7aaf3d025dd98ff

SHA1
f755a41d06e5be08392bd5cfd6385b5f687e3280

SHA256
d892ceb614b59c2c3f2c218767e61b1ae934d31578a2a1196029b677fca3de9a

SHA512
68cce0285ea7193eed50aecb01c08fc0a8d1a2680b16874c5eb90a04a4e09e603b77f754ded10e8237bc27814c9a347b04f4a510d3acb3fc1199fc75896ca661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dd7162e160145f21742cb150cd78bc3

SHA1
799d68e09e451caff942c7027328d37991a6e5d7

SHA256
a8813febcc7a0f8e642c9dd221489faeaf139eabb47a666ec9f0c56ded076dd7

SHA512
55b5b00a4305267a66130a9ad25d30bcbb6f55c8d76657932bd6728b8f4234f6a9648c43e14196d7ff843a08df19829b3eec155e16faf8d9e62e477267f0146e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5de34972061ba5d33aefbc840451240d

SHA1
625c0a7776f23ef7cb23c724a91013d23dda4546

SHA256
7da1f0a5953e8798a665701335f6e10bd4d17ddd32ef417bdc599e0d6ddb3cd4

SHA512
b7c2d08940ba6c3967ef705e0d25494f4fcba2dcfe93d472982ea0177346fcf1ee98d566a34fd393b920585da42db6e2db2608792e0086f51bcc87a699c78850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b14421d56644ddd2552409293dc3973

SHA1
d49e861701b6b322d2de305debdc9241421e1076

SHA256
e9632d84f333297d872d1d56963f6f84bd4fae10848dc0342833aef22c64d5b8

SHA512
da9360602c80d2b430bbcee16a29940abbe1d6693da609593964f0dd7d347c5f5c0a8a57413e2eab3a536b7a582c444f881b04a17f980164b417a19018e84b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c225b485074acf7a0f4f34627703c34

SHA1
6f30bb06560201e120865f6150fce8186fd39757

SHA256
1e44a75e3277a99a3f288511c6c5f2cb04c7d56f4c435c2a26ce4ba39b842dc0

SHA512
6454f14469832f7ecbb210a156cba29ffdcd30f25acbe93ec0434d77fb960f9a614d7e94eb70d553e6981bd74b41314739d6070be8beaa7d313f5f2575860c67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed107b37a55e609196c8405bbb5a821

SHA1
7f409cbe39513658e2a8888980a7d855f472c79b

SHA256
f4414182e40ef14ca0ea5594b44d70ef605a20585632a08a796156cc1838966b

SHA512
f400919f7060f550ce4a55ec39918f495dc223fdbc1e122b0196bff2e8c5de7e402c50dd9773aa00c87b07922a2248dcb6d8aee35a18e086c205f7f31226770c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60ce127dbaa7ccd5a223ec6d49c2df1a

SHA1
6cba716062f911d24cd3968a054ffbb38486fe57

SHA256
7f85fbc1cf41f99cd483b958bb495027602ec758f03c36acd1bece6aeeafa1e4

SHA512
20319ff4eb2944303a6de2f6402423222883a9ed7e436fb6bab806c262334bd0aa02332c29a63ecef4b8e29a387043f28f1133567cf11f66a664e36ee6e921fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
473968fb2934abc6895227f8994bb165

SHA1
13786eb563aa3a1db0c465165bacefbbe50e3a40

SHA256
c5702eb5720a99fde365a6813ed683bc7b2f13b70e0babce9ee27cbc662d5fda

SHA512
80a723b0c8cd89dfe5271b7d8e9d582672eb97a12328c8a95e9279508bd37a0bbbb71b68167ac38bd978fc81b28a565f07fd6f617011543ed9f972687ea3aabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE6E8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
221B

MD5
2ed9d8433380a891bd71cdf9a56af527

SHA1
5211b104d0d0ed87d77f91f3831d4216315bff7a

SHA256
9fb14132781c19675c23c2a393e08d65b55e440b2c37b65b81ed1f35f286a952

SHA512
ceff2efce1a871fd3a71211bbe5f12ee9e1de826d2e83300b007a53b9a044f05156cccce72bbc6849b15f0b9baddd0ddfa7ee0fcd78caba1903f80d040db5a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
221B

MD5
84bee2de6933c0ed3b14742c86aae351

SHA1
3fe1629dcaba80df825ab4f2e219b79e6c1192c6

SHA256
e39f265a2543de8e2710f4470f9c6ef741cfcbb198c1d7fcb32a6b9f156152d4

SHA512
ff17ea6f3515b9618acfd9613bac33e0817117eb0ce0a768805a701699d2a6d65028a4dfd134449e29f37a2ce41489e9c6556e7059ed320241177e4640b05e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
221B

MD5
e11da6620df38c617a635c6fdddc8ab1

SHA1
968eb9459c527684c536bec276bd0fc1d7832c90

SHA256
79bf35a969921b86d1e4ab6c9dd59b0b98870b2c6692560c446badd218f793d2

SHA512
c32d89b432dd15b64d12adddf6a2a004d734481cd65b1eb17dcfe84f0720f5b7a751666aed3b9d8036080489d63283aa858d34eda8bae17af93b01f60824ae3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
221B

MD5
0ca4fb4705b3c70b2787dbdd1e6e7f4b

SHA1
b5412af3751cadd48355700f7c40a98fa57bf24f

SHA256
43fa8af42170a2f9667286a8c6360bc757404ed5f2ff77b32a50082f06d0c965

SHA512
515f32d7cb0085e8507240217183b06be62bfd448502e773c6ad6a75e431aaf17ebad9218de30f4893653624e8ae79389076d2d257eed13145b1b843adb4a7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
221B

MD5
7363765fc4e170d0b43b71fe40226b20

SHA1
09e4879087f49dca92178acf23c68457e755dd80

SHA256
c6a1a307f91a02d556d5dc17b366ef17ccc14a64b7ba63a480dabbe0f06b18ec

SHA512
7ecbdf292fbe014ac9d35baf885f05bd1ba16b9ab2c0bf1e642de127bf519a385f59212aceabd4faec6ef3951f64b649e3eca9d174276de57d6e05c0fd47922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE787.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
221B

MD5
0abc4b425c56b32169fc6e1f8f19f251

SHA1
3299511ffe8dd737553ccd0c76e17099419ee669

SHA256
90ba3502948323045e2844f3d4085bd455166c252912b186fbcb726550d5dd3a

SHA512
0b1019033a35b07ba68554ef8fe4e31330b9902ce213aba50e4e121c34073ad95d2a556fe175cba665ba2a585d7adf5ac7a354fb9c924536fd0d7f538869fe9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

Filesize
221B

MD5
7efb68843a6b382bc443e4cd57fa7298

SHA1
a93e290bfb08bc1be3b5f1c1ccab9f8532bfe820

SHA256
67ee63172785a129f81cfc7be696695b57df7f4598452e8abbb8b46faf58c65b

SHA512
f57c2321b77eb08761c11c6c4f0c214e777e52ccced86f5f2dff49cf3e51c26da24b0087923296976cd51dcc64c21af9205443d9280d17c3935040e34ec95d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
221B

MD5
744799690d1bb9c90d2ba6562802b4a1

SHA1
58472c270a3fa369d057e9254599e17675d76b74

SHA256
d4bd8b93a34b952fb0b542da0e33394612996c7a0c8a97860e5191a7f459c26c

SHA512
b37959b907592cd4752b54f7e93a93860f8ce45af195203228de6add5ba085dd08a09fc0acd15808fa03d2110242df9b825c9abd7b73f536db8a5ee22718e153

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat

Filesize
221B

MD5
ce300ea0555fb89983578819be1abe17

SHA1
e01650cd079a80b893544bf7513933eac267a027

SHA256
fe105e37e573311d45473ed9fcc89064077f2e4e1fe340911065017413cc9d56

SHA512
b0cf4e0addcd755c53af98790dbe9112719e63e5b4556f919e950e655830ab204a44fe68f30e168b8b8a77914ec067ed470da81029a7ab9c850660827a5b7c07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4a8174b9056d244f5021febe75ea81c8

SHA1
685fc251b46659965931a1162e64468a190d0d93

SHA256
eb28d7d9d95d5ed1ed8197b10312e6b2470f3475b88c2b1ec269f8d3875a9dbf

SHA512
e61f566855076d7142094685bf71cf7ae5400d5c00e5fb850d64a3092618d040b603ae4a41839ae2ee2ffdcfa5a14466574543bcd1080bff49efe4ad95631a99

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/452-376-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/564-616-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-257-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1972-556-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2060-78-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2168-13-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2168-15-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2168-14-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2168-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2168-17-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2200-437-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2200-436-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2228-47-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2240-79-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2360-138-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download