dcrat | b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe
Size

1.3MB
MD5

e6e8719eb855f51d5485767b8734bc9a
SHA1

867b0580da5d9fb09117ff9f1dc697929861e226
SHA256

b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c
SHA512

8a0f8a3d38dfe472685dcb8eab4ab4e40271f0f0cf688bf1d473100c086eb7859339ad2f74ffb174c4afbf69ca1d1d8c89c27c319d7d32460470b0859eb4305f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2012	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3a-9.dat	dcrat
behavioral1/memory/572-13-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2928-70-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2504-130-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/912-249-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/876-310-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/1860-370-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2984-430-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2280-549-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2228-610-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
2716	powershell.exe
2740	powershell.exe
1652	powershell.exe
284	powershell.exe
764	powershell.exe
2736	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
572	DllCommonsvc.exe
2928	cmd.exe
2504	cmd.exe
2400	cmd.exe
912	cmd.exe
876	cmd.exe
1860	cmd.exe
2984	cmd.exe
932	cmd.exe
2280	cmd.exe
2228	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe
2292	schtasks.exe
2556	schtasks.exe
3016	schtasks.exe
896	schtasks.exe
344	schtasks.exe
2536	schtasks.exe
2404	schtasks.exe
2748	schtasks.exe
1724	schtasks.exe
264	schtasks.exe
1212	schtasks.exe
2584	schtasks.exe
1524	schtasks.exe
2004	schtasks.exe
1948	schtasks.exe
2124	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
572	DllCommonsvc.exe
572	DllCommonsvc.exe
572	DllCommonsvc.exe
572	DllCommonsvc.exe
572	DllCommonsvc.exe
1652	powershell.exe
764	powershell.exe
2716	powershell.exe
2712	powershell.exe
2736	powershell.exe
284	powershell.exe
2740	powershell.exe
2928	cmd.exe
2504	cmd.exe
2400	cmd.exe
912	cmd.exe
876	cmd.exe
1860	cmd.exe
2984	cmd.exe
932	cmd.exe
2280	cmd.exe
2228	cmd.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	DllCommonsvc.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2928	cmd.exe
Token: SeDebugPrivilege	2504	cmd.exe
Token: SeDebugPrivilege	2400	cmd.exe
Token: SeDebugPrivilege	912	cmd.exe
Token: SeDebugPrivilege	876	cmd.exe
Token: SeDebugPrivilege	1860	cmd.exe
Token: SeDebugPrivilege	2984	cmd.exe
Token: SeDebugPrivilege	932	cmd.exe
Token: SeDebugPrivilege	2280	cmd.exe
Token: SeDebugPrivilege	2228	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2436	2100	JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe	31
PID 2100 wrote to memory of 2436	2100	JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe	31
PID 2100 wrote to memory of 2436	2100	JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe	31
PID 2100 wrote to memory of 2436	2100	JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe	31
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 572 wrote to memory of 2740	572	DllCommonsvc.exe	54
PID 572 wrote to memory of 2740	572	DllCommonsvc.exe	54
PID 572 wrote to memory of 2740	572	DllCommonsvc.exe	54
PID 572 wrote to memory of 1652	572	DllCommonsvc.exe	55
PID 572 wrote to memory of 1652	572	DllCommonsvc.exe	55
PID 572 wrote to memory of 1652	572	DllCommonsvc.exe	55
PID 572 wrote to memory of 284	572	DllCommonsvc.exe	56
PID 572 wrote to memory of 284	572	DllCommonsvc.exe	56
PID 572 wrote to memory of 284	572	DllCommonsvc.exe	56
PID 572 wrote to memory of 764	572	DllCommonsvc.exe	57
PID 572 wrote to memory of 764	572	DllCommonsvc.exe	57
PID 572 wrote to memory of 764	572	DllCommonsvc.exe	57
PID 572 wrote to memory of 2736	572	DllCommonsvc.exe	58
PID 572 wrote to memory of 2736	572	DllCommonsvc.exe	58
PID 572 wrote to memory of 2736	572	DllCommonsvc.exe	58
PID 572 wrote to memory of 2716	572	DllCommonsvc.exe	59
PID 572 wrote to memory of 2716	572	DllCommonsvc.exe	59
PID 572 wrote to memory of 2716	572	DllCommonsvc.exe	59
PID 572 wrote to memory of 2712	572	DllCommonsvc.exe	60
PID 572 wrote to memory of 2712	572	DllCommonsvc.exe	60
PID 572 wrote to memory of 2712	572	DllCommonsvc.exe	60
PID 572 wrote to memory of 1236	572	DllCommonsvc.exe	68
PID 572 wrote to memory of 1236	572	DllCommonsvc.exe	68
PID 572 wrote to memory of 1236	572	DllCommonsvc.exe	68
PID 1236 wrote to memory of 696	1236	cmd.exe	70
PID 1236 wrote to memory of 696	1236	cmd.exe	70
PID 1236 wrote to memory of 696	1236	cmd.exe	70
PID 1236 wrote to memory of 2928	1236	cmd.exe	71
PID 1236 wrote to memory of 2928	1236	cmd.exe	71
PID 1236 wrote to memory of 2928	1236	cmd.exe	71
PID 2928 wrote to memory of 1020	2928	cmd.exe	72
PID 2928 wrote to memory of 1020	2928	cmd.exe	72
PID 2928 wrote to memory of 1020	2928	cmd.exe	72
PID 1020 wrote to memory of 2800	1020	cmd.exe	74
PID 1020 wrote to memory of 2800	1020	cmd.exe	74
PID 1020 wrote to memory of 2800	1020	cmd.exe	74
PID 1020 wrote to memory of 2504	1020	cmd.exe	75
PID 1020 wrote to memory of 2504	1020	cmd.exe	75
PID 1020 wrote to memory of 2504	1020	cmd.exe	75
PID 2504 wrote to memory of 2780	2504	cmd.exe	76
PID 2504 wrote to memory of 2780	2504	cmd.exe	76
PID 2504 wrote to memory of 2780	2504	cmd.exe	76
PID 2780 wrote to memory of 3036	2780	cmd.exe	78
PID 2780 wrote to memory of 3036	2780	cmd.exe	78
PID 2780 wrote to memory of 3036	2780	cmd.exe	78
PID 2780 wrote to memory of 2400	2780	cmd.exe	79
PID 2780 wrote to memory of 2400	2780	cmd.exe	79
PID 2780 wrote to memory of 2400	2780	cmd.exe	79
PID 2400 wrote to memory of 2364	2400	cmd.exe	80
PID 2400 wrote to memory of 2364	2400	cmd.exe	80
PID 2400 wrote to memory of 2364	2400	cmd.exe	80
PID 2364 wrote to memory of 1800	2364	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b60b9f1fe09eb8674161d0d6c1592dfb9050b05ebe784a176aadda7d1f242a1c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLNgICC7cT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:696
      - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2800
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3036
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1800
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        13⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3024
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        15⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2584
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        17⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2516
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        19⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1236
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
        21⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1612
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        23⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1272
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        25⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40919208387b6375f1036923d69b81d

SHA1
74f0c1ad1d5f74584b5c32f6ce4c9a0c79b59723

SHA256
5dc8636b91ec0fe3702069576579e6d08bb37a3cbcd1145578523427b04a9f3e

SHA512
c0cef72134606da8faf3b61354e785785780d809af50f3639423844d26df907c9c216d1d50f6ed0b2f06b0c0c9e021ca22ea51130bdd2f50b19ea93de731cb50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
126fa96b4fe80f86eff078d26b66fdf6

SHA1
87d931c86b7cfdd3406eb82944f19e85196f1bcb

SHA256
c576dbe4ecf3ae0d19b92f07a0fa208e9cde1d844de1fcd8bcd124276f4b8be5

SHA512
6ff4634768c7873b794b8eaaccd1afb95264e2ae6c26e3ccc613b213aed73f52bb17b5521a57c356d8d760ca0b979769203ceb1a169f3df1045466b80655eed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
215ece6559573a58a21340bf18d35ac9

SHA1
da204f222afc35b0b6656807bbb60e246727f0cf

SHA256
dae4d418f7d64602f13d240d028db59104868c596112aaa293ba9ca6732ec416

SHA512
14945d42b4022ace2bc7049ad020547c3b95a21b1774f9b55b57e363745fc257a8430839addb5e7e2eaa617fd1173b1ed1c739b8da1f1635c3ac227fba9765c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f1bb7fb1d7b8b7158a3ba6c8b6763ad

SHA1
f704da783086bae495e1ca74459e43ac72912ee2

SHA256
6710183f8d04c5c289a550088aeda4a93a26b71251bf0f8f72dc27663ead1627

SHA512
82f2ca621dde77414b926f37ae62a76013b4fc7a6545d1f7061dd5836ec5977803698e600e128825ba4c00e779e9e9d2802923a5ebe3046c352a26e59ea2c0d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c802c8c9fad0fc806902e63768704c7

SHA1
5ab13431850e2b32e86b4e8c4e30a02af025b5f0

SHA256
7e59946ae40c920439c804700e31b3759434b49525aee3bc1fe8e850180e44b3

SHA512
7beeb31dba67d35578c802ed7ac487a9d998f08da7e73e2579db9702b4f45f299074cd2eb0cf3ccc08f4f81caab1330960bc9890f9c5c8e627599015beba316b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d145079cd814734dcf22ec4b26d06967

SHA1
73716fb42dbe17f2052206a8a3102d9b272fc146

SHA256
cc36f140059441b330e5da2ab3469a4770702f36a6f0b157ee40378c3d5fc6d9

SHA512
fe413bdf72cad97a8724d533544dd2b8c9c70cc778f4633e2d9735d1eee8c9d784be6fb672921634b5342845b9e2c690f794cf2eb9c0c0d7979864b0ab5aa080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c3c2cec955f34fd157f1977f2e39678

SHA1
b9551383d7e5195db76db50d07ca51ea468cff77

SHA256
9bb68c7cd17f894957cbbe6b7f6847008771831d4eefac10efa1c2b6a12fee2c

SHA512
1d602dcc332d4436f58c3efa67e4e548a6e266b68efcf0d6ff92caf5f05b379fdff8a396ab7708ce9dd7e512a8aeec8c4330bc9a7e5288ab26b32c4206801b87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05a2419c12975fc4813fe7e37aaa74ea

SHA1
ad56b7fe7a6b28ae4b63cb1f4043d5c7b33dc81b

SHA256
85c6d89db816e422002167c9a2e3b5b42256df7b13c7e92c48ed77e8509a9d2d

SHA512
764f0997f4a1119e2c28f3798e9e9740384b8ad671cc0f3182827ec084c580a05cf5b829974ce55fd9c4b75633d5f01e194b9618e3bfc96104fb82f2f5c2fa52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14ebac65b7565638daa437a5a4ab4e28

SHA1
a4527a2b1ec1d0f993cabde402d290b484386e31

SHA256
e24b3e48019209f6af5eb7e32ca8106c1f1da594278c69de2540fa9389c20b94

SHA512
704d0b3fa9d675c75ac32501eb1acae70e1c4eab43afb50fe013678fd05efd618056bbab9a2cb20df1aa4b34f80bdb8b16b9807e7e9a0f8f9194b6668f062d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
190B

MD5
908a9fa207e7049c79a94661c4cb0147

SHA1
d9e45281a5a5f4fb0980e412e07486f84eb63a4c

SHA256
1656901a718cb867d7ec454d291cb5bb93a8bb047266e53929a8f9bc8015d951

SHA512
d5af9ff7c881aa943d316509254697e803445813e1ab1ac220cfb7672e63da280b5d1b00576aad51fb4908b3f8a0fa26d9c6f015798a26d7f6aa40b007d30e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2CAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
190B

MD5
f677bdaaad436fb9bff5594d32a23da4

SHA1
3c4685901bdc3c03315b9240811c6a2fe1dde866

SHA256
03f6556db81d5e20461c47657d28c2e5b8718e8af52359e154a77239fd83f3ce

SHA512
c26ef1c50063e70b58d78a9d7b18025666553624ae6b1780290d51ffa408009f776c6bcd1ff60d09c736bd42870132b9e6b4c52ccb4c3bd53edc6d512f6d22da

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
190B

MD5
8a0bcd13b33b6007ae02eb4db69ecb70

SHA1
1f539c4633e77412314d8a1b855cfa3a557f90ca

SHA256
a4a962fb90d320b7d4366ff4e904078aa377712380cfd1585b2ef617ba041923

SHA512
95912ff81230d8ef64365fd3c33e6983190ff74c085ba643af8153b4f31aa52ef86c5565e314092eb6dac79c784b114760494d0e547e16e4f230bed0088a6482

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

Filesize
190B

MD5
1f5b59c4b6f3ae35862a0af958edb89b

SHA1
ede933f46e756486aa20f5dd26efc8bd2c1ae117

SHA256
5c66273de973b8c7d24681c5ea00c78ab37acf4e4532dce1d6d2560943917525

SHA512
743b0bdfd37c6e98f311fcb822a49c69d06045bc2fbef4e9f67d3ca940d037c0544fcbffe4b48ee91999a2467a91d966775bfd35fd4a234c3758041562efee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CC0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
190B

MD5
6040061d7b92501d8533e0ab2ae488e5

SHA1
43d63e65c8ab68e2ee5f2294a4d0d78e27b9c7a7

SHA256
88c341ed5eebd1a5b40c6ace972fa7b0f2d37d4cff17443eaf5f7c858d037322

SHA512
25be6e7779ac0c72b3f93f6a3c9516ac7338039a035886d49cbbd7da918ff85ff30aff078d304af7ff0851391228fd9ea935f01003a5e9c5e53fa5f614763788

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
190B

MD5
bf36d7f0b7ced3dd763941df90bef493

SHA1
bb90ebfcfc7b1af71c029c7bd74a2c86a2f57fa1

SHA256
85adae7be00f1280fc59ae3f294c0f45576a46fbf2ebc181eb19e63d0721333a

SHA512
78513a2e3b2cf70b5ed1302ee7c26b4147d4ff81e8b1b18e0c4b33531f3dcab458f5c4aa9c3cf559eed34a83688b9d4bd3d7bee4b503cd2a75542613dae025c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
190B

MD5
b32c44c6c909b5cf80892199feab9a3f

SHA1
9af706bfef20b2772220f3bf3e8a5ae47756b749

SHA256
f6479bf1543d81c2f5e9d9a2fdfe6a5bc0c88b7d6d6576adc475ecc0f0b2b669

SHA512
4f202064a982cc66b7a8b75ad40a713e83e0e7259a71fca64e8fda0f88749437e87b3094e60211bf8eba410df0d64866bdea3ca8904cea49a5a261ffd54a02f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLNgICC7cT.bat

Filesize
190B

MD5
aed4f2a6fe50e487a6a0546c03f4a5a4

SHA1
93caad308f48e09a2f54fa0be7b9e6f54d771f55

SHA256
1169a337d3e778b6dd4811862604396b6a8bca5789cb7f5c48bb6753b935af5b

SHA512
0929db716de40b75e59e486dd2073844685b181eaf1632e3ad354f77f3d1791ac6fedd4838a03c364593f135e636ce91e6c8388499bf831a70b1fdb88644176d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
190B

MD5
b65f7ff7e4ba3d3060f6744dadfbf2e9

SHA1
c04a37f2f703fbaef8f69d84774c3408aaa8118f

SHA256
7694501092dc3c61c94586ca74047bd0645be393a40e089c3acda4b30eb523ea

SHA512
2de89bd2fba54e58ecff47050a04a0c5b6b01665660476ab7590684f63a8931568a03f92f481317258d260d2d871827efb43f9b007b31027325004e7a524bb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
190B

MD5
51023888757447ff62694e4a3c446367

SHA1
4feb37e714a3431756a3e4358f581d86d50718f3

SHA256
c00ad529674a1abaf7ef57d0446c38d57cb2f8ff5826d7940b7b2f1952703b64

SHA512
86fa0de6c878a5d5919c05cea7b470199afe691614bc67bd8a7c4aa632b0f8fe6287ee643c74532b76dc03cd8bf868bc19084d401ae806b559164f8da15e4c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
190B

MD5
94b94b7db11ccfb0f722d5f527bc506b

SHA1
18120ca49f7d3f2df9c7f7c37b1bf4290f08fab5

SHA256
2c2c5060d28955f8d171d82471134f8a743c9a20bd4bd251a16b56d453cbdea9

SHA512
c96829edfc9ff4e4087d3f48e347f9a7af37bc7add240310db7c97cd389ebe1ad851a2592a23ce49ac5e1f9f212f5cf4e520a2c50329d8cf82de5bab7741b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c466f5af50795acf86ded3e6215ec2c

SHA1
7c9744f464bccf8a4c32fccbaff80c12f08db4a9

SHA256
7d15f1f0a999c76612ccd4a91d8f00e19c7026d0d382426913711e530302c4ea

SHA512
3f5ddf5c0545b34ef3961f4a58d6160bec114433d0c74971c2540758c781d4f2933abf27fae16adf5eb34a2242a0c56f00cb1efcdabe0294250b85e36f58ee71

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/284-61-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/572-13-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/572-16-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/572-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/572-15-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/572-17-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/764-66-0x0000000001C70000-0x0000000001C78000-memory.dmp

Filesize
32KB

Download
memory/876-310-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/912-249-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/912-250-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1860-370-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2228-610-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/2228-611-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2280-549-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2280-550-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2504-130-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2928-70-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2928-71-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2984-430-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download