dcrat | 4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Size

1.3MB
MD5

708dd81195aa21dab187893af9951b3d
SHA1

72f5126c70acbdb45127e61e95ef857446bef02e
SHA256

4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a
SHA512

29905786477ba9a05af2f25fe272c4e7f74273e502055ba599bac16d39d6327c13cac82837468c29a2f378ebe195d22661453a0405ce66f0baabeea11a142c12
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2112	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001922c-12.dat	dcrat
behavioral1/memory/2712-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/3016-60-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2640-125-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1276-245-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2248-424-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2020-543-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1856-603-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe
848	powershell.exe
2784	powershell.exe
2764	powershell.exe
2836	powershell.exe
2708	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2712	DllCommonsvc.exe
3016	DllCommonsvc.exe
2640	DllCommonsvc.exe
1756	DllCommonsvc.exe
1276	DllCommonsvc.exe
2868	DllCommonsvc.exe
2640	DllCommonsvc.exe
2248	DllCommonsvc.exe
1496	DllCommonsvc.exe
2020	DllCommonsvc.exe
1856	DllCommonsvc.exe
1768	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe
2760	schtasks.exe
2908	schtasks.exe
2988	schtasks.exe
2560	schtasks.exe
2776	schtasks.exe
2552	schtasks.exe
1240	schtasks.exe
2184	schtasks.exe
1228	schtasks.exe
2036	schtasks.exe
2796	schtasks.exe
2108	schtasks.exe
2532	schtasks.exe
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2764	powershell.exe
2784	powershell.exe
2708	powershell.exe
848	powershell.exe
2592	powershell.exe
2836	powershell.exe
3016	DllCommonsvc.exe
2640	DllCommonsvc.exe
1756	DllCommonsvc.exe
1276	DllCommonsvc.exe
2868	DllCommonsvc.exe
2640	DllCommonsvc.exe
2248	DllCommonsvc.exe
1496	DllCommonsvc.exe
2020	DllCommonsvc.exe
1856	DllCommonsvc.exe
1768	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	DllCommonsvc.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	3016	DllCommonsvc.exe
Token: SeDebugPrivilege	2640	DllCommonsvc.exe
Token: SeDebugPrivilege	1756	DllCommonsvc.exe
Token: SeDebugPrivilege	1276	DllCommonsvc.exe
Token: SeDebugPrivilege	2868	DllCommonsvc.exe
Token: SeDebugPrivilege	2640	DllCommonsvc.exe
Token: SeDebugPrivilege	2248	DllCommonsvc.exe
Token: SeDebugPrivilege	1496	DllCommonsvc.exe
Token: SeDebugPrivilege	2020	DllCommonsvc.exe
Token: SeDebugPrivilege	1856	DllCommonsvc.exe
Token: SeDebugPrivilege	1768	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1672	2348	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	30
PID 2348 wrote to memory of 1672	2348	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	30
PID 2348 wrote to memory of 1672	2348	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	30
PID 2348 wrote to memory of 1672	2348	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	30
PID 1672 wrote to memory of 2156	1672	WScript.exe	31
PID 1672 wrote to memory of 2156	1672	WScript.exe	31
PID 1672 wrote to memory of 2156	1672	WScript.exe	31
PID 1672 wrote to memory of 2156	1672	WScript.exe	31
PID 2156 wrote to memory of 2712	2156	cmd.exe	33
PID 2156 wrote to memory of 2712	2156	cmd.exe	33
PID 2156 wrote to memory of 2712	2156	cmd.exe	33
PID 2156 wrote to memory of 2712	2156	cmd.exe	33
PID 2712 wrote to memory of 2592	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 2592	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 2592	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 848	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 848	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 848	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 2784	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2784	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2784	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2708	2712	DllCommonsvc.exe	53
PID 2712 wrote to memory of 2708	2712	DllCommonsvc.exe	53
PID 2712 wrote to memory of 2708	2712	DllCommonsvc.exe	53
PID 2712 wrote to memory of 2764	2712	DllCommonsvc.exe	54
PID 2712 wrote to memory of 2764	2712	DllCommonsvc.exe	54
PID 2712 wrote to memory of 2764	2712	DllCommonsvc.exe	54
PID 2712 wrote to memory of 2836	2712	DllCommonsvc.exe	55
PID 2712 wrote to memory of 2836	2712	DllCommonsvc.exe	55
PID 2712 wrote to memory of 2836	2712	DllCommonsvc.exe	55
PID 2712 wrote to memory of 3016	2712	DllCommonsvc.exe	62
PID 2712 wrote to memory of 3016	2712	DllCommonsvc.exe	62
PID 2712 wrote to memory of 3016	2712	DllCommonsvc.exe	62
PID 3016 wrote to memory of 1652	3016	DllCommonsvc.exe	64
PID 3016 wrote to memory of 1652	3016	DllCommonsvc.exe	64
PID 3016 wrote to memory of 1652	3016	DllCommonsvc.exe	64
PID 1652 wrote to memory of 1992	1652	cmd.exe	66
PID 1652 wrote to memory of 1992	1652	cmd.exe	66
PID 1652 wrote to memory of 1992	1652	cmd.exe	66
PID 1652 wrote to memory of 2640	1652	cmd.exe	67
PID 1652 wrote to memory of 2640	1652	cmd.exe	67
PID 1652 wrote to memory of 2640	1652	cmd.exe	67
PID 2640 wrote to memory of 1436	2640	DllCommonsvc.exe	68
PID 2640 wrote to memory of 1436	2640	DllCommonsvc.exe	68
PID 2640 wrote to memory of 1436	2640	DllCommonsvc.exe	68
PID 1436 wrote to memory of 1308	1436	cmd.exe	70
PID 1436 wrote to memory of 1308	1436	cmd.exe	70
PID 1436 wrote to memory of 1308	1436	cmd.exe	70
PID 1436 wrote to memory of 1756	1436	cmd.exe	71
PID 1436 wrote to memory of 1756	1436	cmd.exe	71
PID 1436 wrote to memory of 1756	1436	cmd.exe	71
PID 1756 wrote to memory of 2764	1756	DllCommonsvc.exe	72
PID 1756 wrote to memory of 2764	1756	DllCommonsvc.exe	72
PID 1756 wrote to memory of 2764	1756	DllCommonsvc.exe	72
PID 2764 wrote to memory of 1452	2764	cmd.exe	74
PID 2764 wrote to memory of 1452	2764	cmd.exe	74
PID 2764 wrote to memory of 1452	2764	cmd.exe	74
PID 2764 wrote to memory of 1276	2764	cmd.exe	75
PID 2764 wrote to memory of 1276	2764	cmd.exe	75
PID 2764 wrote to memory of 1276	2764	cmd.exe	75
PID 1276 wrote to memory of 1120	1276	DllCommonsvc.exe	76
PID 1276 wrote to memory of 1120	1276	DllCommonsvc.exe	76
PID 1276 wrote to memory of 1120	1276	DllCommonsvc.exe	76
PID 1120 wrote to memory of 2296	1120	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1992
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1308
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1452
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2296
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        14⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3000
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        16⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2672
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        18⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1692
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        20⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2696
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        22⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2236
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        24⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:592
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce1f1c26cae96c01365857da33b5186d

SHA1
f6f1a0c3f4ae3ea22a6108827ce94117d07939f0

SHA256
bde607b90b38173c7f9b7193d5e369a35359b93c590505a33c3060190c87b0d2

SHA512
3dd424ba394998939bfd05de8c55a5d664bd3e9543a2f860c319778af580fee95f154025c0a2a4661c97f1b4ca1e99838d847e475720ea6816bc4d0a69499878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d592485868c402d5800d3801431e3a

SHA1
a7bd90dabd70632d53574baefa35d0c0418ee04f

SHA256
3bb4d58d3714d0e21064538b350d65e0cbc186226316d163edd0b1e8a0b6889d

SHA512
e4a5c3f77ecc290734311444931a30e7c90bb6459d66bcc7523dae4d05f737b201e7ee34b0e657b3d11184a4ad00b2c31439ace76b379f6dcc4a8e9ac66c071b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eab0f3013f39a793f3d497031239ade

SHA1
773f7a707a091cd2ba3596b094fa36ef76b6c346

SHA256
7839e359b91ae7820b66a4ee9acfebd6c1780d85743246abb8a58be0efbea07a

SHA512
3fc920961f9f32ceed4d16cceb1b3c19d77e41f0913798975dfe13b26471cc55b13d6ec3866aa1eccbdd0b86673b754c184866628eb767431208047a07fb89ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
726736492b742d20a326007b038eb773

SHA1
602101f988c29bb0b90ececb66ac42ec26b23ad8

SHA256
a1bbb68f61a80f6cbb42a496544f701b79f188f65f2f01f40f81e141bd7ab72a

SHA512
55ebbf797fa1577c7dca71f4faf47474083954dcb1352cdd3fd6c20620305e651956ffb08453175acd96abc0ee4a80552b4ed1639cacb146c56a7489cbfe1bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd33e94625cfcdf2e30ceb36159eed4d

SHA1
46faef7970ed52411d38062ba66b565874c67521

SHA256
3cf0d1cd291f2f54ce452d4fef0b6014bf6a65189fed758079bee1b9ae1af55b

SHA512
32afd00d8b4536d60a61b02756a7666eb22ddafa7f4afad766069c22fe8cd488780fc71d7987045b31a971619035addfa26f0bb2493381ebbbec40bb0aa5cb4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bc558c960fa7ca1118dbdefb64aa111

SHA1
f1c16cbab986d58bb7a0d96353be153baf7d1881

SHA256
a57e9321c9f69735098fd1cf40ef251fd845b4b9893b3af4da043093f27305a9

SHA512
9246b7fca28226fc3784469434007492021ef4b07ed9224f3f2deb72b9fface50e0f306c7c24fbb4df8f22dd9979c581ddcb409dfc88e65645c90ca4ee699007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c1593cd3c5590294b8d2f2e6f9b1e94

SHA1
a1ac305e58488e4e4971bd139fba85592e115bf0

SHA256
abad44530f38fe51a3dbf35c9e71148d9ea881a50a9e2c38bab30cdb06993d01

SHA512
bbffc6b9beccacaafd3360c184c71b251f629534941c8b28f0b1ee9346ffc26701d7d852eb9f93fc1f827c3fcd3c7bfdd129f652e78d49aa5dafb2c3ca6acb95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
474c92d2c5f395420bcc32bb50dc5174

SHA1
2912313ad70a4548e0ef7eb637e9859758b687a9

SHA256
0d447a329fc3c28b436285535ee2fa8da03594469a72709dd9866c140e0b2b4d

SHA512
5934c097544b513eedae032dbad6bb86b74657f6ec0db39b983f1350728ed535ee1b54750fb7aaac0c179516b1a5ca4e31403085fbbc6267aa39d350e9680c19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bf4252967da340f7c489ed5c8fd6681

SHA1
3eb2959a0d2db7ed5b00d96af72320f2770d5c19

SHA256
031b3fc8c3c2a9bd454386881b0c063ba9c77ba2d0a3321fa5f2da2a1d313baa

SHA512
74bdca86c8a86f66c73cf05eb5b4273dd4014c22bb33d69ef373f637f7cc020348c61d98b9f593745b9845775ed6f688e9bd33f4f079041ece7ab1b62febe3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
230B

MD5
4f0429e79b16768f15ff142498653412

SHA1
8fd343c265e5d9bf51a68c4ff48f385e16b83f01

SHA256
96d65734baf5888bc27370ec303d4a9e395eb651a5d8db906e2a1b4097036798

SHA512
98ba692651ebea79f878df137878d0a79236e805fd2b4b165e846280f2a3c62419c1fab09632ac57c394b07d5cf47c97edd2e69b42b832319dfab80a4e52b324

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
230B

MD5
d7282fdaad3c1b3db65f5f946c31cc3f

SHA1
2ba8565c2c60c2e255fabc13520509816bcfb86a

SHA256
47c0dcf990f655c5a0530c9425ecdbd47557615b4c1d93a7d1f4f93805f6a64e

SHA512
5770b38ca5fcc3eda800e1f2eb89f85d11c13c2c0d21b959825aa2c8cc05bf600b7de1e96084331387e5a746a8654ce4e927e50990610b20bacb645669c1c206

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF88.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
230B

MD5
906e3b1e6a8c093b6c94eda81b6ee6e9

SHA1
318e78e010c3cfe9f38d74497c63a1b76aec6589

SHA256
8f30b55ccb0529c9ce67f573ca9fd8568aa24c5f1ef0d6fd4beb8680f30c5779

SHA512
ea1f69e3ec602028f17e0e054d6493004c34f7ed7e716b75824c0162fd4b095e0947cc81aceedc8bb0c460e12609fba378994b603c8bfd40ccd813d4570e0ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
230B

MD5
b4d7507b6c5d526ed2fa6c466ecc4e7b

SHA1
44424c37fe3190264cd3a602119ab515ff7d075c

SHA256
7faf4f735ca9729ddbb5c3b2829117fea80dadce88daa5e876f5ba7789c8d44c

SHA512
855749ce6687eaba7467585070e756e0840f64a704ccf7585d12e12c741da59a17fee44d175405ea498cc4f4e447f1839b028252cda4bf53c8127cd018ad95f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
230B

MD5
191d79abec6e087a5bab431824672a27

SHA1
c298083bf9926291da188bd0e421a483d9870b54

SHA256
5d0053f21898e4454b955fd9c9904a6081691ca8b3a1192b02e7ce732b65ea01

SHA512
d4fb3239de34abd2bed09480a9a075750de9218ec7b5852f57d48194eb647793e80cc6e9ab68063b1ac6627173f24fb56cfdb2edd165ca053e3de6e98c3762e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat

Filesize
230B

MD5
1ddd23fa4dba7a52e75790839a9ba75e

SHA1
3e427048b1380f5c3fdf40bf9786b16c7a353613

SHA256
39098f1b5c4e84248edb6765f5762a0f50799c0c12bee83efd273f49b6bbd008

SHA512
997fb57604a7a584833ec103a5cf8e0682446dc2ec55031db8370c256b58ebc0fac239d83eccba521b83d651c18f3b72fcc8db63250e1fb24451762e82b74f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
230B

MD5
9b3dc9337b922fdb286349098d5aa999

SHA1
270afe9704d66c4548f4af09edc356b9a2c86d5a

SHA256
deb820f068089d77e3ca66747117820dd9ebb610067267849b7456cfcbdbf762

SHA512
aa6553891ca3ba93f83ab9cfe873a6eedc7e5b2820a1f290dae893831453a128a865b8702cca448c95597578d5df2d22724063d0d7e642c69c2813f47c4a64c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF9B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
230B

MD5
2837d22eb5d625bcbd7c214d5481c890

SHA1
dad89294e29c87300ca1f52c19d4c0a271285e90

SHA256
1377bc27624ff7a5b1a8d09d7b534272d1f950368d113748c9a143fff73a1d1f

SHA512
8b89f574daead34be9d4d9b65d9dd7571758b8a86ef63d837221a3202c8909858f8d5f62851d0484154302cf0992a02decc65b44c8acdf83e7ea13648a700ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
230B

MD5
aafc23db3c99979b1710a2873e8e5c97

SHA1
74c332e710b2110593886e76a812799d7e9383ec

SHA256
2fdb5949f19d12cfd964502142e4673059498216f4c9b30ac1eb98f5b6b9a16d

SHA512
5014789dd2119d6ac66e4f3fc9fe069fb2910e93fcff881c4235b0f06e04998e47559af707de1562ebbb1a4432ecf792e507b17b869146a7f45798c95b31e83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
230B

MD5
04c61fcfe369dcf78e5520b6b6a0fb19

SHA1
8d4388db97a4720d504e1b49ecaf1744d584c48f

SHA256
64b337e0aa96faa10e4ce9c109572c5a08669982e741bacfdc88653c41c4c075

SHA512
813ed30ef0618378b357e32b5f53d7b896a538dc03379b845dc4443527cafd27c2b2d2a16a12a475f5822b4b6cd904d2059560516d2671a12836a1992b40ad2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ce8f047887b9154fe909b391d2bac22

SHA1
b3da1bad5824aed706bd882ad5765ba22e69aaaf

SHA256
c2aa5b37b7e84bfa87acf1b794420053f80d04df5f1633bdfdfe606aee4df7f4

SHA512
cf5df465a96ae935aa64c1615b11b1d3178d4f09cd5b442bfd5fb7a5f5053207002eaafa1491592c1b979fafdf944d0cbd4791638f1c7591f56929a2a7660e2a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1276-245-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1756-185-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1856-603-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2020-543-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2248-424-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2640-364-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2640-125-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2708-52-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-17-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2712-16-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2712-15-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2712-14-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2712-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2764-58-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/3016-66-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3016-60-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download