dcrat | 1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe
Size

1.3MB
MD5

62b9df42a72f69c31d74773578e523af
SHA1

b5f7a29271671b4fda5338ef1018c4f114ca4aec
SHA256

1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79
SHA512

17faa7b0dc6416f29d8b9358b2f05bcfe30a551c2ffc7e1728340ece6ce9a628a56f193488d8bad50d68f13fa8c14b26885525f8a4eb0e1e8896744fc4af16b1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2944	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ce8-11.dat	dcrat
behavioral1/memory/2556-13-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2404-36-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2776-190-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1360-250-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/792-310-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2864-370-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/784-431-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1812-491-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2844-551-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1736-612-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe
1996	powershell.exe
1028	powershell.exe
1224	powershell.exe
1340	powershell.exe
1916	powershell.exe
872	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2556	DllCommonsvc.exe
2404	csrss.exe
2796	csrss.exe
2776	csrss.exe
1360	csrss.exe
792	csrss.exe
2864	csrss.exe
784	csrss.exe
1812	csrss.exe
2844	csrss.exe
1736	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	cmd.exe
2316	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
31	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1296	schtasks.exe
2876	schtasks.exe
2640	schtasks.exe
2888	schtasks.exe
1056	schtasks.exe
2652	schtasks.exe
2796	schtasks.exe
1008	schtasks.exe
2960	schtasks.exe
2264	schtasks.exe
3016	schtasks.exe
1116	schtasks.exe
2900	schtasks.exe
3052	schtasks.exe
584	schtasks.exe
556	schtasks.exe
3032	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2556	DllCommonsvc.exe
2556	DllCommonsvc.exe
2556	DllCommonsvc.exe
1916	powershell.exe
3064	powershell.exe
1028	powershell.exe
1340	powershell.exe
872	powershell.exe
1996	powershell.exe
1224	powershell.exe
2404	csrss.exe
2796	csrss.exe
2776	csrss.exe
1360	csrss.exe
792	csrss.exe
2864	csrss.exe
784	csrss.exe
1812	csrss.exe
2844	csrss.exe
1736	csrss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	DllCommonsvc.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2404	csrss.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2796	csrss.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	1360	csrss.exe
Token: SeDebugPrivilege	792	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	784	csrss.exe
Token: SeDebugPrivilege	1812	csrss.exe
Token: SeDebugPrivilege	2844	csrss.exe
Token: SeDebugPrivilege	1736	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe	30
PID 2116 wrote to memory of 2316	2116	WScript.exe	31
PID 2116 wrote to memory of 2316	2116	WScript.exe	31
PID 2116 wrote to memory of 2316	2116	WScript.exe	31
PID 2116 wrote to memory of 2316	2116	WScript.exe	31
PID 2316 wrote to memory of 2556	2316	cmd.exe	33
PID 2316 wrote to memory of 2556	2316	cmd.exe	33
PID 2316 wrote to memory of 2556	2316	cmd.exe	33
PID 2316 wrote to memory of 2556	2316	cmd.exe	33
PID 2556 wrote to memory of 3064	2556	DllCommonsvc.exe	53
PID 2556 wrote to memory of 3064	2556	DllCommonsvc.exe	53
PID 2556 wrote to memory of 3064	2556	DllCommonsvc.exe	53
PID 2556 wrote to memory of 1996	2556	DllCommonsvc.exe	54
PID 2556 wrote to memory of 1996	2556	DllCommonsvc.exe	54
PID 2556 wrote to memory of 1996	2556	DllCommonsvc.exe	54
PID 2556 wrote to memory of 1028	2556	DllCommonsvc.exe	55
PID 2556 wrote to memory of 1028	2556	DllCommonsvc.exe	55
PID 2556 wrote to memory of 1028	2556	DllCommonsvc.exe	55
PID 2556 wrote to memory of 1224	2556	DllCommonsvc.exe	56
PID 2556 wrote to memory of 1224	2556	DllCommonsvc.exe	56
PID 2556 wrote to memory of 1224	2556	DllCommonsvc.exe	56
PID 2556 wrote to memory of 1340	2556	DllCommonsvc.exe	57
PID 2556 wrote to memory of 1340	2556	DllCommonsvc.exe	57
PID 2556 wrote to memory of 1340	2556	DllCommonsvc.exe	57
PID 2556 wrote to memory of 1916	2556	DllCommonsvc.exe	58
PID 2556 wrote to memory of 1916	2556	DllCommonsvc.exe	58
PID 2556 wrote to memory of 1916	2556	DllCommonsvc.exe	58
PID 2556 wrote to memory of 872	2556	DllCommonsvc.exe	59
PID 2556 wrote to memory of 872	2556	DllCommonsvc.exe	59
PID 2556 wrote to memory of 872	2556	DllCommonsvc.exe	59
PID 2556 wrote to memory of 2404	2556	DllCommonsvc.exe	67
PID 2556 wrote to memory of 2404	2556	DllCommonsvc.exe	67
PID 2556 wrote to memory of 2404	2556	DllCommonsvc.exe	67
PID 2404 wrote to memory of 2308	2404	csrss.exe	69
PID 2404 wrote to memory of 2308	2404	csrss.exe	69
PID 2404 wrote to memory of 2308	2404	csrss.exe	69
PID 2308 wrote to memory of 1492	2308	cmd.exe	71
PID 2308 wrote to memory of 1492	2308	cmd.exe	71
PID 2308 wrote to memory of 1492	2308	cmd.exe	71
PID 2308 wrote to memory of 2796	2308	cmd.exe	72
PID 2308 wrote to memory of 2796	2308	cmd.exe	72
PID 2308 wrote to memory of 2796	2308	cmd.exe	72
PID 2796 wrote to memory of 1680	2796	csrss.exe	73
PID 2796 wrote to memory of 1680	2796	csrss.exe	73
PID 2796 wrote to memory of 1680	2796	csrss.exe	73
PID 1680 wrote to memory of 1292	1680	cmd.exe	75
PID 1680 wrote to memory of 1292	1680	cmd.exe	75
PID 1680 wrote to memory of 1292	1680	cmd.exe	75
PID 1680 wrote to memory of 2776	1680	cmd.exe	76
PID 1680 wrote to memory of 2776	1680	cmd.exe	76
PID 1680 wrote to memory of 2776	1680	cmd.exe	76
PID 2776 wrote to memory of 1780	2776	csrss.exe	77
PID 2776 wrote to memory of 1780	2776	csrss.exe	77
PID 2776 wrote to memory of 1780	2776	csrss.exe	77
PID 1780 wrote to memory of 2540	1780	cmd.exe	79
PID 1780 wrote to memory of 2540	1780	cmd.exe	79
PID 1780 wrote to memory of 2540	1780	cmd.exe	79
PID 1780 wrote to memory of 1360	1780	cmd.exe	80
PID 1780 wrote to memory of 1360	1780	cmd.exe	80
PID 1780 wrote to memory of 1360	1780	cmd.exe	80
PID 1360 wrote to memory of 2636	1360	csrss.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1014ca46ceee1bfbc4051ec847992bfeb0e091e5f9ca63b015b73f828dc1af79.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1492
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1292
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2540
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        12⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2644
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        14⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2908
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        16⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2724
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        18⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2384
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        20⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1732
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        22⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:872
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f0e1d911e46e56f13ce702e71a6dc6

SHA1
9bd9ef651273ecd812b5f7075655f7d9aab6fc9a

SHA256
907064f10a6a5af01d2fdcfe7b9f1e7082b21fcb546628d98914783f141aa9d6

SHA512
7ffdfb85068ffe1519401537a3ccc3a12b218c0525e24ef83dc639d37f90d24e919d643112e5d0f9fa858467cc4c8172b550bd838e84cb93f7c9f4e9e465bdc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4847b059918fc442a2c1ee36edf43ffb

SHA1
674dca95d5f8bc2d81b5b895e407f3b82ad58931

SHA256
03a7783dc04ffb6d21a1875d0fa891f7c31902dd9fc009617c19eda112da3d3c

SHA512
710b19eacae5f1c0433fcf8c8509795905543b677107394d78269efca2c2d179f3f5db92e4190507fb21dfe6ab52d8f89c1fec48371ac9e5a1b7995045e3379c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b790b53d5c13c89ba5a23d87e9ac9047

SHA1
55fe5fa827699e1f3df7bc583aa60b3ee636c82c

SHA256
a1f6fb318a2f5343bc9cfbff91fd69e7cb0e0c800de9e9ded15f03d8153bd05e

SHA512
53de1a97c8b3786d27ce6446be5deb11378be4e10ded431714da8eb507a74aa23682b0f42f3c32a73c1e96eb66d536cf7b442bca71c2dd9e9c781a2aab3c212f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a875a33e2cdc1793f4ec24178dd698b

SHA1
20e882c1a9c859b904c0522a78da56bce301d7a8

SHA256
6a23ca24a0be889db584c065856bc4a9be2e9f8c3ab91d10ff5bf923ca652159

SHA512
7a52ba089982595bf628188d16ac61c97c8bd989a3b4210a006c625f0ccf55e698340f1bc4c72338a0379f9d4a2ead65e9663f4127ce296c3694e3c5e1c6a75d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
010b9ece0936e779a20f26564034bad0

SHA1
42cc80bd4bbe827436112bf90ce7263ceea7e209

SHA256
c129d8aafe02b57cdc8da9565d7775beb00285a453467349b67c41892a7a44a4

SHA512
875910c5065a23a88a998a45fb62ab741d3ba9eb5fc20449c3ed147e03517c6f2a92d6cd81b0448e0f0aee2f67796807bf01a8c22ab5250de83f68e6bf734477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d995fc7c9376617e81f3747a20f821b

SHA1
f2406cb63c986ca836524c468e687ffa78b545d0

SHA256
2d329741f814178f9bb8b281ac5ce7cb6868069db2039cb3634ff535ca6f4f83

SHA512
7e6aa417de8d2250c3b20ef59ddb40f8e9ffda8ace62fc3987d9edd379fb12fcc50dca327e41886760138fe7cbcba12c7887e7c20115bfc837004cfd955bc63a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed078829092b8815c0d709507d6478b1

SHA1
c3a42d38d079f673c1515de0b1c8a9f72bd5ed6d

SHA256
c0a15a936fa4f2ef9507abf6cbabd3ed840e546c88e720406a1bd95588453239

SHA512
d3bad221b6910913f9b9042508fc15c6ff3045f2c88fd3c96423da0b4fe63e2dc83c1cd2a7d827ef5af1a14fb4782b6414e09bbf372567d54c2dd4a5aa1051a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
123daa0cf02634a316008bc005c415b2

SHA1
c0ef73d3b041769876cb3de352b08bd0a4681e17

SHA256
8e0912c61e3c266c6824f1f47607b8558624c73972eb6515dc1ffc828fb7b8be

SHA512
57cf5836a186a089db0a541b882aa968034de9a6516650b7cb516f4d2b59e5f5755c79369396c21fcf6d855fa090eb6652541388fcf3c4af239cb3aa4cdf7ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
223B

MD5
543100fb1fe0f5c9eb5f579e74bf385e

SHA1
b0b8d4c713f0d1e2b6f255856d843ac3b1f8a838

SHA256
869cb0650ea1ae9f7adc4423937de234658dfdd5ab53f0e4a4f582c9bfa69387

SHA512
1f51923dad5425cf5528586f217232a67b39a13689a877bd2ae6258e63d1dcff8cc96d0ecf8970998dfb4db6b2312a1fec4649c33ced187527b8d80181d5b572

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAA6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFAC8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
223B

MD5
159e4c51a0a691be68255ec03775f51b

SHA1
c3389a8c15614c7bcb6a8b4c9576ced90d83cd39

SHA256
7800f35ac5a76124ee2aa77e72d893ff08736948eb928f27a7c01819206acf2b

SHA512
cf7208bf9dc1da64ba5eb4e1f1f06ee6ccdca9bfc3e4621bd06ea1261b35064765ae929581d1bc352982034729bf9f2892e1b6d014c0dc72ed9feaf09a8fc54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
223B

MD5
73f2278ef7627add526235588c665a00

SHA1
204524c438364c86c591099cf0e2b7cc17647251

SHA256
c880e116476064bcfac93f054da7b4bfc5ffba4c535ed34b7558ba47239ca98c

SHA512
4a2809fdcdb51ecc81abba978c23f13ea97d22a2b0ffa92cebfb4b8bc992dd992a6a4715c713826f95469d18fa418403ad8ebda37565972726846300224f5a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
223B

MD5
2a57684bcd37ede948a2898ae57118a1

SHA1
302bd78cb84350f45f822bc26c8312f6b456aed0

SHA256
6c2c7a829ae344276d42ed9120e23e360d5726f2e94dda20465636821fc6c002

SHA512
de4dc1c5b81032313cbf3d6ad671686cee7254559bb6768d68f64cb620daef3c70d18a552f34d6b38974c5eb4a2dcdd72fda5a15700207aa30d6436125bcfe45

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
223B

MD5
1d1be9c52a1f6e3f75846b9d68c6ce26

SHA1
7a79fc04993f403cf7a55008bad56e09d86e1bcd

SHA256
16fdfbe856d39a3a99c405d3dc879ed5300e3605cb5adf2414a9e079fc20c4bd

SHA512
89b97e5d26003c4b7023dd2e73db0e8777a28e7a1ae85ae43badfef0d675b10e6ac12bc583c8ae05688090369b52a86b275d53a2b1b88a4e6640479c3ea41b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
223B

MD5
13e4ff6b7aa268890f212656915ede9d

SHA1
4f2748fc0834778e0459a2a435d16a656e19ae31

SHA256
bd3e487295c39c544c582833e9b116f6b673e6f80bf42b89038667c704f2f3dd

SHA512
7a56d187ba89666060fc61ad0f944a65dc12d9375f64c883ebbc2c2353175f85a0de6e765dc4ea70fb955d1fa87af8813e24c53966fcdb866a8bd94ebd5ec71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
223B

MD5
6a4313a901afd262b019bde9d391e1c1

SHA1
7da7707b1ea3f7beb34a6542b8d3d54a87eec03b

SHA256
3f7a99f9b849cf6e3a4a7452f17c3e543ed675a5e2d5429403c85c74402ddb5f

SHA512
78bb0507e63532a1c2d35f16fe0c4875458c329d092157604e460f8cb3de8e35ba250e19405fbf25dd2aff2aeb58803ac6da5a2202787b6df81466c5206753bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
223B

MD5
d94f510531e0be71aa703b5c19e030c8

SHA1
91ce894c7c49a58617df350994d2c92b304f868b

SHA256
89a70d2c424095c5e3bf7dff8d98f8be3eb5f475237837bab4ed1b1dfa35e802

SHA512
7ff71b57ad738c9e504cf22268af6cf9c6c004e92041ddc74f4fd11e3b08db5e57dbf3c7f6baa06b55f67c92d6a72703fc5160d8203b54535bc2e2b816d2a395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z9CPBEC2O0JD76C6GB3H.temp

Filesize
7KB

MD5
56aba7eb90632e28c7ce5818c25f6b92

SHA1
636b8872b457dea570ad2b432ffcd15bee06d3bc

SHA256
b8ea9619c8df1cd0d42c0188d6926bcb14940b478cc6975f6291fea66db28402

SHA512
3f7d5558303e6c36b23ea3a92e35dfe3c1d4d5f6a7a9f017ef3f95f860a17326bb0ebf650d57093ef2e10c060745bcdf54e393a2c7a4a812258502c4f7238d81

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/784-431-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/792-310-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/1360-250-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/1736-613-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1736-612-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1812-491-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1916-47-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/1916-42-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-36-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2556-17-0x0000000001F30000-0x0000000001F3C000-memory.dmp

Filesize
48KB

Download
memory/2556-16-0x0000000001F20000-0x0000000001F2C000-memory.dmp

Filesize
48KB

Download
memory/2556-15-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2556-14-0x0000000001F00000-0x0000000001F12000-memory.dmp

Filesize
72KB

Download
memory/2556-13-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2776-190-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2844-551-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-552-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2864-371-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2864-370-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download