dcrat | 2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe
Size

1.3MB
MD5

4f64f41321daebcfda59182d0edeb821
SHA1

c8e8e952ad8ce004d70530f57e15c6604b9a37d9
SHA256

2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787
SHA512

0627ceabc1bdd0597b31c0c39c3e8d5fe1eec678483b413174b188b5c876b5ed67f95cd9853c894249c3b09c91d0b982b70e4ba84fc7276b04d27534a85f0292
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2312	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2312	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000160d5-9.dat	dcrat
behavioral1/memory/2720-13-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/552-66-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/1676-243-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/916-303-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2856-363-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2128-423-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/1396-483-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/2256-543-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2980-604-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/1508-664-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
404	powershell.exe
1004	powershell.exe
1012	powershell.exe
1040	powershell.exe
464	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2720	DllCommonsvc.exe
552	dwm.exe
2964	dwm.exe
1372	dwm.exe
1676	dwm.exe
916	dwm.exe
2856	dwm.exe
2128	dwm.exe
1396	dwm.exe
2256	dwm.exe
2980	dwm.exe
1508	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2284	cmd.exe
2284	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
36	raw.githubusercontent.com
32	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Registration\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe
2660	schtasks.exe
2020	schtasks.exe
2968	schtasks.exe
2612	schtasks.exe
2732	schtasks.exe
1256	schtasks.exe
1984	schtasks.exe
1636	schtasks.exe
2784	schtasks.exe
3068	schtasks.exe
1796	schtasks.exe
1800	schtasks.exe
1052	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
1004	powershell.exe
1040	powershell.exe
404	powershell.exe
2584	powershell.exe
1012	powershell.exe
464	powershell.exe
552	dwm.exe
2964	dwm.exe
1372	dwm.exe
1676	dwm.exe
916	dwm.exe
2856	dwm.exe
2128	dwm.exe
1396	dwm.exe
2256	dwm.exe
2980	dwm.exe
1508	dwm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	DllCommonsvc.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	552	dwm.exe
Token: SeDebugPrivilege	2964	dwm.exe
Token: SeDebugPrivilege	1372	dwm.exe
Token: SeDebugPrivilege	1676	dwm.exe
Token: SeDebugPrivilege	916	dwm.exe
Token: SeDebugPrivilege	2856	dwm.exe
Token: SeDebugPrivilege	2128	dwm.exe
Token: SeDebugPrivilege	1396	dwm.exe
Token: SeDebugPrivilege	2256	dwm.exe
Token: SeDebugPrivilege	2980	dwm.exe
Token: SeDebugPrivilege	1508	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1488	2380	JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe	30
PID 2380 wrote to memory of 1488	2380	JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe	30
PID 2380 wrote to memory of 1488	2380	JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe	30
PID 2380 wrote to memory of 1488	2380	JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe	30
PID 1488 wrote to memory of 2284	1488	WScript.exe	31
PID 1488 wrote to memory of 2284	1488	WScript.exe	31
PID 1488 wrote to memory of 2284	1488	WScript.exe	31
PID 1488 wrote to memory of 2284	1488	WScript.exe	31
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2720 wrote to memory of 1004	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 1004	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 1004	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 404	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 404	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 404	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 1012	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1012	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1012	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1040	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 1040	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 1040	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 2584	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 2584	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 2584	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 464	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 464	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 464	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 2988	2720	DllCommonsvc.exe	62
PID 2720 wrote to memory of 2988	2720	DllCommonsvc.exe	62
PID 2720 wrote to memory of 2988	2720	DllCommonsvc.exe	62
PID 2988 wrote to memory of 396	2988	cmd.exe	64
PID 2988 wrote to memory of 396	2988	cmd.exe	64
PID 2988 wrote to memory of 396	2988	cmd.exe	64
PID 2988 wrote to memory of 552	2988	cmd.exe	65
PID 2988 wrote to memory of 552	2988	cmd.exe	65
PID 2988 wrote to memory of 552	2988	cmd.exe	65
PID 552 wrote to memory of 1036	552	dwm.exe	66
PID 552 wrote to memory of 1036	552	dwm.exe	66
PID 552 wrote to memory of 1036	552	dwm.exe	66
PID 1036 wrote to memory of 1488	1036	cmd.exe	68
PID 1036 wrote to memory of 1488	1036	cmd.exe	68
PID 1036 wrote to memory of 1488	1036	cmd.exe	68
PID 1036 wrote to memory of 2964	1036	cmd.exe	69
PID 1036 wrote to memory of 2964	1036	cmd.exe	69
PID 1036 wrote to memory of 2964	1036	cmd.exe	69
PID 2964 wrote to memory of 1716	2964	dwm.exe	70
PID 2964 wrote to memory of 1716	2964	dwm.exe	70
PID 2964 wrote to memory of 1716	2964	dwm.exe	70
PID 1716 wrote to memory of 708	1716	cmd.exe	72
PID 1716 wrote to memory of 708	1716	cmd.exe	72
PID 1716 wrote to memory of 708	1716	cmd.exe	72
PID 1716 wrote to memory of 1372	1716	cmd.exe	73
PID 1716 wrote to memory of 1372	1716	cmd.exe	73
PID 1716 wrote to memory of 1372	1716	cmd.exe	73
PID 1372 wrote to memory of 1192	1372	dwm.exe	74
PID 1372 wrote to memory of 1192	1372	dwm.exe	74
PID 1372 wrote to memory of 1192	1372	dwm.exe	74
PID 1192 wrote to memory of 1088	1192	cmd.exe	76
PID 1192 wrote to memory of 1088	1192	cmd.exe	76
PID 1192 wrote to memory of 1088	1192	cmd.exe	76
PID 1192 wrote to memory of 1676	1192	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2332c7cebcc9756a6214e95f27fe6e72066281f668e3ed43a1387b4b0d10b787.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:396
      - C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1488
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:708
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1088
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
        13⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:108
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        15⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2624
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
        17⤵
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:896
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        19⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2224
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        21⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2548
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        23⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2284
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        25⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1740
        
        C:\Windows\Registration\dwm.exe
        
        "C:\Windows\Registration\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5796fc0bb11db0e04ef9c4725c8acd53

SHA1
7dc34c3bfbb3fd9609313bdd8f67af1f8a13e998

SHA256
fb80aac774e96c757f38d0a64998cd9533d3edc649a3069d3e48673a0b4bca57

SHA512
dac6fbfabc594736ee0b97536c45cdee52ef61abbaec78b2cbae247a62deeb4a2bf6e0263892f05aea9d35459c7a7c68e105014eccb47a13137cfe01d97e4ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e02d45dcf9a8f8c0aa5ebab6cf404c98

SHA1
f4f067b4ace4fded4364212d85a91f5807747c5b

SHA256
3907aa026b923858fa02d0132d297b0b1c7b2d30b7748aa8459f4f32a025d333

SHA512
0190e71a4f24986d204630de11b185af24c6c897200fa03570eeeae380a3a8c58565cdc9e9151cd59020d34339b39e32f5a74b4cec26977968d34160bf3fa9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe489c3dae8c175e159001effd63a70

SHA1
f89c5dc2e0034fbd825056e0afc2b457548094c1

SHA256
b9936ad77c03c253482ca2fc10cc433a459c62b1cd6bf1191f43174bd97f8105

SHA512
5a47656b16da09353ca499906ef1233a83760da1d714dea8690108d6d28103d6030b27c7e40654c8ae64c8ee794f1f437ffad032dd1b3b5d499e5420319e09a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b37c93a8a858cdad1f631ad80adc6cef

SHA1
2839b4d244019eccf45b1d0cc904750971d89dff

SHA256
5c3bae0b5e8aafd1583185c1709343b02977736ce7fbb0a8320e5f660ac78ab6

SHA512
feb012b37b405d3b3675186b52b82dce65266f1f79dcbf29d7f19a9f910815a0d76946365984a265143c1e50a4a24814db7f8c8b337825f72372c636ba36efb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
254248bc84cbcd87bb6eb23688645bb8

SHA1
5603c8724595b23da6c8e1d30d5ef582f6d2dcc4

SHA256
ecdaa7898e0f12d28836120b3863a4fe99849ccd236c8c8ad720d91f4e63d533

SHA512
c4ec99fde990edc8f518ed24d2f36a00569a991834476bd7c53353069ee3b643d7be38f2e53c547ee72ae1ff19679769131c58b0e8ac01dcb8b5a882bd1dea3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b157f1f4215b67181ad9a53cb47c3f61

SHA1
c3e887fef9d499c39129e5b4bc3dc7b8611bdcbc

SHA256
e8138fc9b604a14f6d1e8ab9fde78f1da52d8fb79387366b9ab61e64692879f8

SHA512
65be91be195231cf5a571e7c93b3bb529bf31ae990463668839ac8e80323d384a2049ab0d546b33591049856516a50446806e65f7dfb6b5920ac8319e4423370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b91e82fc0f28743c0c65274f33c4e875

SHA1
e4e65de29f2806e93d4d563bd31921e42c32a7c3

SHA256
bde16c58a484b1ec96ff6341afae5a17420c4c5812f05fd2bd708817a319b9af

SHA512
7814be39113dcc92786197ee38da798e4040cdbbe2c0e314e7fdde0b710f66ad100bf638c1de9114a957f1000c31bf0e7dba53c68cfd095d50bf7616ffc23829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64c171e5c77bffbf5f65a002aaf7fcbb

SHA1
3e9c1a34e5851819b1e184b0792faf32245df362

SHA256
1741fd0c6f57cfe8d10e5677306b32d6b5b562c057629fb92b83e47a786ba415

SHA512
ef5b1973300267e4b75878e00d26d21ba3ad502f7d0f5254901c3067be351b2256b221fee5db6c049278d2cd5e76f4fc659b2ed11e243c6c621d60fcd2c4fcfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a37563d2a0da082847ce60451a267288

SHA1
e5235978573fed37ac82a0345f51f1035d89b95f

SHA256
089b921f78029959ce39e0ed58c65eae6ed6c01f51a7b50f8158d2371b6dc17f

SHA512
0378973ff0ac1ff1a8142f25d7d610bf153b34222e79316f16cff82a564b3308576821fe0ddeade199611a30cdae3914fa4944a7eaba45118ba0159d8f7b2bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
196B

MD5
788ea56105a72fae762f3abd85a732ec

SHA1
1b9e9aa4c10c5af0f963ce91e17a8a90e270c4ce

SHA256
41020d024ca3036807bf2379cdc6d8b434a4221e62be132c9001c6d7d5c5c7a0

SHA512
872e854c513a4483b9463e9c8a41972cdea1643695baa62f47cbbc2e7a656c0c8c233fb6c2e3d01c79b567bd73baee91166d76ce15ef7ebb5baeca550379ad90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D8D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
196B

MD5
7ac1edf5baa75011c9497d3c9d4d0028

SHA1
5a3781c26ee22391b7676e73fc5aa90bdd32d3a6

SHA256
c1cbc0fcf29cef04d3b9d117c4802c66d62a7ae9de99a1d4ca8d5d6b5eebab4d

SHA512
dde2f26587c24ec834ff3bb259315a8ff426ccc4e38c6cbe735a41fcf9db850fcc07a879afa733e93cfb60fa9b77c791779e0f76556d138278c4dac992da0163

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
196B

MD5
0890bae5e748d09c129a2c3f9f88d509

SHA1
6eea2c10d6616d1aa02a3c800fb382f0a994b36f

SHA256
39700da64f83a98af3dde0a3bd82e55282f484776263b94d98d2cf794593d5fc

SHA512
ddd67a9446e242e780b712bdd9d2a074c4736f127b2a366b818c0d3042757c4196e6fbd2d5f54efc381fff9e8d69e6397e87f6a9d24f982555e7382f39a47488

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
196B

MD5
0255f11f560520d2faf48d20b74ed3a0

SHA1
229b4d727a610e98b6358acd62d3da91ddde5c25

SHA256
87632f6cc2ebc0ba855fb88bc3f02a3078a76da8ccc7750f27ef0f7b23184a2a

SHA512
7eec4e6e56a78fd0b82b563bb9d93bac43378c1f3b12a0a081a49c5a1624fe955d6c8e3d8ac8e5365e83d6aca8a74ce179181333c6e3297877a65df87210e7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
196B

MD5
610420989927d2713db19e4429b768a9

SHA1
3d7ea81b90e58a598a4b9b02343fd461110ae8a6

SHA256
679ae0cb13728d7a57110ea7be3d645ed783ea7acb77092dc066cb8ef2106dbf

SHA512
66686ad09bd4924dfa06f330705164fa1be9f155ff04f7e69775f670ea7806c404647e7f3ea80aeff35f219418e6bb8295adce66855a04a13bf26f4feda001e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DAF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

Filesize
196B

MD5
4122f9d8437fa7dbaea0091e0021df5a

SHA1
130866f49b668b3acb328e80fc0cb45b397a8e7f

SHA256
1992e4c8be07b954cd41496fda1c9f120a87c35424ec6815a50c8d7880aac1d9

SHA512
9593e01df2961ac28d3e56d6e75a68f79029cbe1a14ca39c114264d43999fd5c1928d4512452f98be07a2925297ce7b2cf5f036388de6927c7749ab1607ac1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
196B

MD5
a18dc9c1c35fa2e2800563b6adf33a8b

SHA1
399df393be4614fa202748fe9a9d656673e3f9a3

SHA256
4b60eadd6dbded21fb270bee54fd9c6cd26a670425aa87f48620bd11be3da081

SHA512
bb47eda0da05f0f35ae49e59a4c0f7a6d8d65abf22cc2cc75c32d0e38238d3881ad558379a5700bb0d1b889a529015e67e9e427bb4cea413146221b2e83c531c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
196B

MD5
2abb5895d5c22eb799c83f7874357fba

SHA1
8f0cb3a78c0bfa92223cbee4cbbba071739f8947

SHA256
1c6b720d506f86d5a8949f346409a2b8f9d3c95955a1606efbe17810cbce5e9f

SHA512
534d89eea18c0cc15bab378391494cddcc3a15456bbd218f404e7b5e3fddb122f949898149974037532f0c60e5db7a2f828363d269467ab8e82cf737412817d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
196B

MD5
e39c7f5448d6567c4e9e3e566cfa3600

SHA1
3b9fdb9b6e2869b0bbe584baa17f190182030ab4

SHA256
7f00b672699304e4c3dea8abf06d9ad6effcc1aaafdd76e42ddd7ed77bc80bda

SHA512
7b5158a9d05578fcf38621f54a6326bb88a00132adeccfd8a1ed04252097d0d834de822b3e4c2961134568b59333e63a3846604841329ef8b3df65c18cf58554

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat

Filesize
196B

MD5
d70dc6e5696cde68608d8f92950920c9

SHA1
0dbda9a82922c35f5671ef78364c648f6895c89f

SHA256
7b22e0e39ef0f0b484cac43713b3a6a4a784a87af78bca5423a33430521827a6

SHA512
c0aa64b616b97ffc4d47f0caa947d7bf39f785caa2d7e95acac190617fb30512ca4d46d516ecbe376d226188864859a0735b2e63ddf5454b6872cce208c7002c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat

Filesize
196B

MD5
421662c4d7249c9120c4e62f23f55922

SHA1
896b3b951d5a7b078f0ad6effeb0268f094d9db6

SHA256
fac794ce27a34e371155422a0917e8baf6fff71d806dadc234723b72c1024f96

SHA512
1c4aabb923c12c100a842a503e1f08a86b0963248439637144b33dcdaa8491e839776c5219da80ff9a55bfc607fcde6622b000f5a930226aa0aa9bb90c2d2714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00ee6947dabc4974e7d7bb4c6621a5b1

SHA1
cfb02118523c7d88cf490757af6ead68881a7b0d

SHA256
53dfa4f6e778a5efee3c1baf10761fa90557ae437bf4f00d39c0bb8f2794a070

SHA512
59bb27fb6d6419019980ec09d7896208120457089ab64c5c397000d9cb8ed85853530abcca189eb0fc5d437e4e1d2cb81c9d99f7c176bddfa209b82d6aee5301

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/552-66-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/916-303-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1004-53-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1004-57-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1396-483-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/1508-664-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1676-243-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2128-423-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2256-543-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2256-544-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2720-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2720-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2720-15-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2720-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2720-13-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2856-363-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2980-604-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download