dcrat | 431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe
Size

1.3MB
MD5

9d8e0a0a8a8de52ac0de3feb5525ce3c
SHA1

c7f6c425d90501be2e924714b9170c79aa694bbf
SHA256

431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7
SHA512

775a5e750d4b23a6d32dd2a81016100275bf8485ce242d55c3fc97c1088d18fb01913a156d3c7743850ce03c1b186976fe93f6b3c01f0ca82b093fd0a131c80d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2616	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca0-9.dat	dcrat
behavioral1/memory/2744-13-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/464-52-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat
behavioral1/memory/3012-111-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2260-171-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1920-231-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat
behavioral1/memory/896-291-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/644-351-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1564-470-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2928-531-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1952-592-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2124-652-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2444-712-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe
1944	powershell.exe
1964	powershell.exe
1936	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2744	DllCommonsvc.exe
464	winlogon.exe
3012	winlogon.exe
2260	winlogon.exe
1920	winlogon.exe
896	winlogon.exe
644	winlogon.exe
1340	winlogon.exe
1564	winlogon.exe
2928	winlogon.exe
1952	winlogon.exe
2124	winlogon.exe
2444	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	cmd.exe
2592	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
804	schtasks.exe
2140	schtasks.exe
2000	schtasks.exe
2260	schtasks.exe
2144	schtasks.exe
2972	schtasks.exe
2672	schtasks.exe
348	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2744	DllCommonsvc.exe
1964	powershell.exe
1936	powershell.exe
1944	powershell.exe
2460	powershell.exe
464	winlogon.exe
3012	winlogon.exe
2260	winlogon.exe
1920	winlogon.exe
896	winlogon.exe
644	winlogon.exe
1340	winlogon.exe
1564	winlogon.exe
2928	winlogon.exe
1952	winlogon.exe
2124	winlogon.exe
2444	winlogon.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	464	winlogon.exe
Token: SeDebugPrivilege	3012	winlogon.exe
Token: SeDebugPrivilege	2260	winlogon.exe
Token: SeDebugPrivilege	1920	winlogon.exe
Token: SeDebugPrivilege	896	winlogon.exe
Token: SeDebugPrivilege	644	winlogon.exe
Token: SeDebugPrivilege	1340	winlogon.exe
Token: SeDebugPrivilege	1564	winlogon.exe
Token: SeDebugPrivilege	2928	winlogon.exe
Token: SeDebugPrivilege	1952	winlogon.exe
Token: SeDebugPrivilege	2124	winlogon.exe
Token: SeDebugPrivilege	2444	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2804	2192	JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe	30
PID 2192 wrote to memory of 2804	2192	JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe	30
PID 2192 wrote to memory of 2804	2192	JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe	30
PID 2192 wrote to memory of 2804	2192	JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe	30
PID 2804 wrote to memory of 2592	2804	WScript.exe	31
PID 2804 wrote to memory of 2592	2804	WScript.exe	31
PID 2804 wrote to memory of 2592	2804	WScript.exe	31
PID 2804 wrote to memory of 2592	2804	WScript.exe	31
PID 2592 wrote to memory of 2744	2592	cmd.exe	33
PID 2592 wrote to memory of 2744	2592	cmd.exe	33
PID 2592 wrote to memory of 2744	2592	cmd.exe	33
PID 2592 wrote to memory of 2744	2592	cmd.exe	33
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 2460	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 2460	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 2460	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 1944	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 1944	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 1944	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	52
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	52
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	52
PID 1056 wrote to memory of 1040	1056	cmd.exe	54
PID 1056 wrote to memory of 1040	1056	cmd.exe	54
PID 1056 wrote to memory of 1040	1056	cmd.exe	54
PID 1056 wrote to memory of 464	1056	cmd.exe	55
PID 1056 wrote to memory of 464	1056	cmd.exe	55
PID 1056 wrote to memory of 464	1056	cmd.exe	55
PID 464 wrote to memory of 2284	464	winlogon.exe	56
PID 464 wrote to memory of 2284	464	winlogon.exe	56
PID 464 wrote to memory of 2284	464	winlogon.exe	56
PID 2284 wrote to memory of 2936	2284	cmd.exe	58
PID 2284 wrote to memory of 2936	2284	cmd.exe	58
PID 2284 wrote to memory of 2936	2284	cmd.exe	58
PID 2284 wrote to memory of 3012	2284	cmd.exe	59
PID 2284 wrote to memory of 3012	2284	cmd.exe	59
PID 2284 wrote to memory of 3012	2284	cmd.exe	59
PID 3012 wrote to memory of 1928	3012	winlogon.exe	60
PID 3012 wrote to memory of 1928	3012	winlogon.exe	60
PID 3012 wrote to memory of 1928	3012	winlogon.exe	60
PID 1928 wrote to memory of 2552	1928	cmd.exe	62
PID 1928 wrote to memory of 2552	1928	cmd.exe	62
PID 1928 wrote to memory of 2552	1928	cmd.exe	62
PID 1928 wrote to memory of 2260	1928	cmd.exe	63
PID 1928 wrote to memory of 2260	1928	cmd.exe	63
PID 1928 wrote to memory of 2260	1928	cmd.exe	63
PID 2260 wrote to memory of 1840	2260	winlogon.exe	64
PID 2260 wrote to memory of 1840	2260	winlogon.exe	64
PID 2260 wrote to memory of 1840	2260	winlogon.exe	64
PID 1840 wrote to memory of 2084	1840	cmd.exe	66
PID 1840 wrote to memory of 2084	1840	cmd.exe	66
PID 1840 wrote to memory of 2084	1840	cmd.exe	66
PID 1840 wrote to memory of 1920	1840	cmd.exe	67
PID 1840 wrote to memory of 1920	1840	cmd.exe	67
PID 1840 wrote to memory of 1920	1840	cmd.exe	67
PID 1920 wrote to memory of 1268	1920	winlogon.exe	68
PID 1920 wrote to memory of 1268	1920	winlogon.exe	68
PID 1920 wrote to memory of 1268	1920	winlogon.exe	68
PID 1268 wrote to memory of 2304	1268	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_431f352c2247f4150b11f31c45c29bbb052f92ade956a87d525a793719b697e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1040
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2936
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2552
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2084
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2304
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
        15⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1932
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        17⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2376
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        19⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2044
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        21⤵
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2688
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        23⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2264
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
        25⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2204
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        27⤵
        
        PID:464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2024
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
849408b29a0ccf5266a1d03e0f810864

SHA1
279c03440a6493c75d30bd932ded3a87ecfac2a3

SHA256
a4393a59514218cbe4e5ff362ed6dc160b3a965c70e6d65b6529bd4a8272bdf9

SHA512
c3c0ceb5dd6f3e1311d2b3f537adc443bf99ecdfaa99656e7893bedf27542fd7ebaf7845a28874b294a4f5ecc3f2aa12ec24f9efb3ed64408fb0e69f054410d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6948c492fc51c2f5f20e931d4e1c6ee

SHA1
6af4f3a18c8db54c9b1022de02eb2d4ff5f1749a

SHA256
cadf68b1d84a05a0d953764f1e1ea17b2cebc42fed0fc9f6a6e505b7ce51b335

SHA512
2bb83c493725211c810a2f3d8ac680e2abef3f9bc4ad67daaeb0d193922a6fa0e7ecfb3aa666fd5acc785fa522ffbbeeafd11ece3393f7ba98d1f6ba324c878f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f51fd09d3eb7a5d1f3d74e78d638d4b6

SHA1
1a5c391c1a46cdef3505a798da8b2167764dc83f

SHA256
c874799b2e3a8a5940c8dec3638aead4bd5ef58665acc3cc60d3a0abef124410

SHA512
8dfdb54f186fab7a1a2e163e5895b7c53e68a83d2ab60686742d0f2436e35c205913069277817f688fa6a7b3fcef3cebfbf888326e53cdc9f02d65bbc5f430fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caa0dc6ba788d879641844595cc338e5

SHA1
a729068fac3483c55e01afd93db47391a18430ff

SHA256
db7ca70f6d4fd2b68ff69598eaad3e34295e1fca7bb8d9cbe75e9ef748a0e31b

SHA512
a2ede70882413619fb79ff739163769b6fe41bd87106d4ab6253af2e7afa04bdcb8fd37cfdc63cdc202803465c4de4196f3ce8fa782b09a05ee9b45b0dd2ca36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e72de99d9ee3806a9ec9913191c891d

SHA1
b13d6a979cbcf8d04119f4ee97ad4e0fca7ae6ee

SHA256
b0caf918f549e94321a6ae56bdd04fa734b370ffb6dfc1d3f2764a4bd8c85bbb

SHA512
25ec6543a1ec9d05c633e19e1ca94f5764fee9d09e74011ae72683f692dc0cb5de592c7eb6fa693b067a44c2eab78208279f85b392c488151436af955c0cca66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b723923c020a2b8002a7c2f223fa61a8

SHA1
515f1a9b8de0a0f94b1359b48c465c51f2cd2b45

SHA256
6eebd749d3ddd57a4b575bf885be78b4296d5eaeb973e4dd4a4cc03146d37404

SHA512
11335a746c1ef012aa56e0665d606be2886caca841e163128149f7af0295c9caf532669c0101d9f1cad40075aa0e485900f87843ec39f4bcc6651378370cbfef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d316025e092dd47e5dec35648369dcc

SHA1
8911de4838c26095ba96eca2c3154ca6a4242d04

SHA256
06b120d60a2759ad576c603bf9af3500b57876ee69d3ab8b48a50e654c29331f

SHA512
3086a0d5e7251aa26be40adb35e942f8db85d49235ca7139ec031240cc5af3667189887ab649a571ce7fa1f1563f6b0f43098053cca24bfd0d61dc8db0c80cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dfd90df7ef27d11061c392394477768

SHA1
c2b1004f11fab5ee6b5e3eda90d2e601546b6785

SHA256
6da1362c17c9e8de24117aaeef9b004703a81300ddd22788bcb08301dafa9155

SHA512
271da08cfc943dd583a472055b783c19585ed4ab47a278fadcc0a011aa13c0443cfd9f79975c77cc60db87ceb0ec5269f5f2fdce3b22a5a18a6b848cb30bcd9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42eea8d83f3a33fc8547ba096dd4cd0b

SHA1
f1c20ec5f8857bd11a93aab4c65ca3e557968227

SHA256
807402ced14a166528f1ecb13179bf575099ae17965e366c0c69c208a71c0047

SHA512
279b1e90778b8b22c124cb3ef3f68adf63ead2feac3925a067168c486eaa9fd12954f10bb408d25ffb39d619258fda099cacce6a79ac1f751c8b5fbec7d45d12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa873d16963c9c662d35dbf0cbc1abd

SHA1
e655933da4fe9a5c2a8c923aa125ad2479be866c

SHA256
ae2c7dae489d8a3da38711e70bc1480265289a754e7581c2e4a9c551281e9f27

SHA512
7893403c5bbfd73184fafa5e44dcc09191c84dcaee66bc684442b22c37d1ea9debbf32aa62bd12693eb438638077aeca49ae29f0a4c6afa44f3026d118fd8088

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
226B

MD5
f8d36fbca854b42aa0110bd78af893c9

SHA1
dbdcd6e0b52f63c026067cd7f6000b802c9946c1

SHA256
2c4aeb5990abb947154a6cd51364fbe657fbcaace8989dca5d16cb3decf486c8

SHA512
817652b0d136a7e6d793fb4b860c759312b436002b52109cb58966b9db8fad2c4bd9bbc99aa5c5a564e6c2a4f97aaa3c6796798dd99bf418b52dcada08c4a470

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5092.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat

Filesize
226B

MD5
db145c5ce9d7dff24b997b16936126cc

SHA1
800f1575c8bb6a278189e49b46a0b5fc7855217a

SHA256
974a33fbaca886f64b787adfda24e8cb4df1a378894e0a3c3762ac0917bcf442

SHA512
d82d22c625aa3ad5fa0b6d10e0f7be2ac6854374ffeea955261bafa9a0a3b15758e904f6f94b07f28b9b9fb28454505c521235ecedb61114f1e2dd95258f32b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
226B

MD5
b41b15270698f5fd0306b311c049a17e

SHA1
9a23946ca400827d8d318d78a7f0a0969f3e3883

SHA256
970917442591f29867d134b752b983b4de6fd1ffff2ba02d5a9d06939468da11

SHA512
a86972bd32ec12dd593e716a0445f22cb151172193117d5af61ce695792e3e8329f2a1f11c6de7b5cffc892846a2298020744a2200bdd275ba1d6948b26f3c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
226B

MD5
0bd8528ad78df631cdf4a0c04a8e8229

SHA1
0a19a13dc6b13c37078040b342d721da8c661166

SHA256
f52642b4eb82e8b321f158df98ddc86bb44d80a131724b234877b65e0807f539

SHA512
7a16fa61ee815c286c0c17db6a7159c59809e5c95ceffdf01864b9148cc9db7b09f15903c7ce9807700accad5e0d9de73625483626abd4294108f71c04876dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

Filesize
226B

MD5
3a6d491b642a6a20ee82140b88886508

SHA1
b657e62b09eb2d980f0db5d2743aed576077e516

SHA256
53ce0bfc4cf58d039844f65740eb3d62eacf5af88c76a83f26c1cfdde4072ea4

SHA512
5ee67cc0743535306c8d6e90abbd792965127e3f3a7b925c814bf7fb5534aa1f57a269f1b98fab94c13c21a26d1f5878ab74734f9199e6802cefe81bde5ab0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
226B

MD5
75eceab07d67eb322075065a79fc73af

SHA1
e4e673e9cda84581e413a948fb8f6678ebce0359

SHA256
ac13c626689b2803a14ec2b9f82ef0f93bfea66bbf4c1eec7cfcf8fe585ce1bd

SHA512
1f27abd2b943b147ae83478227be6b3a5e123dda688fc4ebe3a1907fe2d3924afe77d7c8ed24cf44e9fa3a5def9c1b4dbadb3205f628a6b76d2c0de97cd638d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat

Filesize
226B

MD5
bdaa21d72a069d38f5a85caab38b810d

SHA1
c2f60bea8738071f423c4c2bc1f9d819991d228f

SHA256
cb5afa7bd2eab2dc3071ffeaaa6c4e2146f3358fa14c460c1d877990cca2b006

SHA512
8504eb592671929a416aa039e53c81226c94f006691489d26f37448b077d9857cffed35c350cef8effc77de71ead84ebed12cdea58afe238323dba8342c59b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
226B

MD5
a9081a2fff524cbaacaf50bf8c294884

SHA1
09cb0600e8093116ebbc57808763dd8af7651f46

SHA256
4681b5964053f692695691b71cefc1eae648ee08e3fe5f155d0445d5dac39263

SHA512
c2130c32669ff18f84368d50a74ab42886fa92ec0f406a2ddab45507746feccabda935cb396184911ac0aea15c494ec1c98fa7d715f78d518d87d9fc17f49b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
226B

MD5
c6587d3d9cba18cd3826a9673e173f2d

SHA1
f735c9f8a26587f889726ea37c7809c722501c28

SHA256
90ffb4189c6ef4ebb4de7aec6144824fd45d97383edb6e1876f266c8ee9dd64c

SHA512
d9d50ccaf6708b0d91f959bf1144170185447f6a0b1da5da7019d1d87e9039ae2ccd97bdfa3cd29cf106153963d5ca57f597a2f76332393dc46e7e4e9685ef0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
226B

MD5
03ca59bec8a61bc814673862bef23b86

SHA1
7d63998970f6c0a9656e308f11eaf9e52ebdfe82

SHA256
809a9ac6227c1c7a3ab1ef1dab1f9e53434e556da12afb78a5f68dd49d1db244

SHA512
51e5d58304e6d825f00b399d568ce881a0a0eaa00206cf4f761e8db72a294bc2af14a93e43d5eee60ef5e8e8170f34da90bc032b621b6f445eaa23a2a2d0768a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
226B

MD5
5d05614d0d45c1f6fdb0e402cc97c74b

SHA1
f45306a22a88656de0fcf41f9327f568c13314e6

SHA256
4a688237cd77aae007125d307c580cba75059a0880f4d58711b0824e2b4213c8

SHA512
079571c5d38341d58eea76c8f1bc69b7f056f2b961e6cdebbd0ed5e8934759ee0a0730cc75973d17931ef108d8d4e9e0e05cbeca60e0794703ad71d1309c1664

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
226B

MD5
997124c2a480e370adec086f205fdd13

SHA1
1d07cb4cc7db33487693b70186b9266226b576b7

SHA256
6a65cd8e3f18bbf00e52a1ddb5add34e209d4e075e27c973ad32078a8502f033

SHA512
9759cd310c1b3c556c81a7efd6ad7a8fe98eb8bec88fd026f7d2168437920118a4e3d8d8beddfab3660fb90276c5c764abe82cc6529ba9a73ad1969b4132c5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e3059069b73adaaf2f70b1560bf4706a

SHA1
3aa46d6c287fe3f0dd250927b33c4e65add23a3d

SHA256
a1414cdf26066355d06690f08c7bf40b277d32181f133fc116e9feb9e9404b7e

SHA512
c6fa295f748e8f62b71a178317591871241a7200d924312f07c5ec7f60dca3ce7f343fd6de1e5c30b821887e7515a9d55b784a7c56848837136f809d91888898

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/464-52-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/644-351-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/896-291-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-471-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1564-470-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1920-231-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-592-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1964-42-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1964-43-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2124-652-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2260-171-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2444-712-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-713-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2744-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2744-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2928-532-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2928-531-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/3012-111-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download