dcrat | 100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe
Size

1.3MB
MD5

9316c1c6cf808b813308c553ac48fa3f
SHA1

37c640d13fbbb4696c85c6f2f27732da795e74ae
SHA256

100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34
SHA512

1ae7fc205070a3d1d3773ba5855cc6dadad4f475169690361bac2d9d9811c2c36c83da024da68f28635527b97ae04e94fc46643b8e3083fdba22dd9e0cab7444
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2312	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2312	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016d1b-9.dat	dcrat
behavioral1/memory/2112-13-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1912-52-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/1676-170-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/756-230-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/780-290-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2648-350-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2404-411-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2264-531-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1800-591-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
2484	powershell.exe
2492	powershell.exe
2500	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2112	DllCommonsvc.exe
1912	DllCommonsvc.exe
668	DllCommonsvc.exe
1676	DllCommonsvc.exe
756	DllCommonsvc.exe
780	DllCommonsvc.exe
2648	DllCommonsvc.exe
2404	DllCommonsvc.exe
1148	DllCommonsvc.exe
2264	DllCommonsvc.exe
1800	DllCommonsvc.exe
2544	DllCommonsvc.exe
1524	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
1036	cmd.exe
1036	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\de-DE\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\DigitalLocker\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\de-DE\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
2628	schtasks.exe
2636	schtasks.exe
2768	schtasks.exe
2980	schtasks.exe
2528	schtasks.exe
2740	schtasks.exe
2588	schtasks.exe
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2112	DllCommonsvc.exe
2500	powershell.exe
2484	powershell.exe
2492	powershell.exe
2680	powershell.exe
1912	DllCommonsvc.exe
668	DllCommonsvc.exe
1676	DllCommonsvc.exe
756	DllCommonsvc.exe
780	DllCommonsvc.exe
2648	DllCommonsvc.exe
2404	DllCommonsvc.exe
1148	DllCommonsvc.exe
2264	DllCommonsvc.exe
1800	DllCommonsvc.exe
2544	DllCommonsvc.exe
1524	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	DllCommonsvc.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1912	DllCommonsvc.exe
Token: SeDebugPrivilege	668	DllCommonsvc.exe
Token: SeDebugPrivilege	1676	DllCommonsvc.exe
Token: SeDebugPrivilege	756	DllCommonsvc.exe
Token: SeDebugPrivilege	780	DllCommonsvc.exe
Token: SeDebugPrivilege	2648	DllCommonsvc.exe
Token: SeDebugPrivilege	2404	DllCommonsvc.exe
Token: SeDebugPrivilege	1148	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	DllCommonsvc.exe
Token: SeDebugPrivilege	1800	DllCommonsvc.exe
Token: SeDebugPrivilege	2544	DllCommonsvc.exe
Token: SeDebugPrivilege	1524	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe	28
PID 2120 wrote to memory of 1036	2120	WScript.exe	29
PID 2120 wrote to memory of 1036	2120	WScript.exe	29
PID 2120 wrote to memory of 1036	2120	WScript.exe	29
PID 2120 wrote to memory of 1036	2120	WScript.exe	29
PID 1036 wrote to memory of 2112	1036	cmd.exe	31
PID 1036 wrote to memory of 2112	1036	cmd.exe	31
PID 1036 wrote to memory of 2112	1036	cmd.exe	31
PID 1036 wrote to memory of 2112	1036	cmd.exe	31
PID 2112 wrote to memory of 2680	2112	DllCommonsvc.exe	42
PID 2112 wrote to memory of 2680	2112	DllCommonsvc.exe	42
PID 2112 wrote to memory of 2680	2112	DllCommonsvc.exe	42
PID 2112 wrote to memory of 2484	2112	DllCommonsvc.exe	43
PID 2112 wrote to memory of 2484	2112	DllCommonsvc.exe	43
PID 2112 wrote to memory of 2484	2112	DllCommonsvc.exe	43
PID 2112 wrote to memory of 2492	2112	DllCommonsvc.exe	44
PID 2112 wrote to memory of 2492	2112	DllCommonsvc.exe	44
PID 2112 wrote to memory of 2492	2112	DllCommonsvc.exe	44
PID 2112 wrote to memory of 2500	2112	DllCommonsvc.exe	45
PID 2112 wrote to memory of 2500	2112	DllCommonsvc.exe	45
PID 2112 wrote to memory of 2500	2112	DllCommonsvc.exe	45
PID 2112 wrote to memory of 2132	2112	DllCommonsvc.exe	48
PID 2112 wrote to memory of 2132	2112	DllCommonsvc.exe	48
PID 2112 wrote to memory of 2132	2112	DllCommonsvc.exe	48
PID 2132 wrote to memory of 1992	2132	cmd.exe	52
PID 2132 wrote to memory of 1992	2132	cmd.exe	52
PID 2132 wrote to memory of 1992	2132	cmd.exe	52
PID 2132 wrote to memory of 1912	2132	cmd.exe	53
PID 2132 wrote to memory of 1912	2132	cmd.exe	53
PID 2132 wrote to memory of 1912	2132	cmd.exe	53
PID 1912 wrote to memory of 1664	1912	DllCommonsvc.exe	56
PID 1912 wrote to memory of 1664	1912	DllCommonsvc.exe	56
PID 1912 wrote to memory of 1664	1912	DllCommonsvc.exe	56
PID 1664 wrote to memory of 2348	1664	cmd.exe	58
PID 1664 wrote to memory of 2348	1664	cmd.exe	58
PID 1664 wrote to memory of 2348	1664	cmd.exe	58
PID 1664 wrote to memory of 668	1664	cmd.exe	59
PID 1664 wrote to memory of 668	1664	cmd.exe	59
PID 1664 wrote to memory of 668	1664	cmd.exe	59
PID 668 wrote to memory of 2516	668	DllCommonsvc.exe	60
PID 668 wrote to memory of 2516	668	DllCommonsvc.exe	60
PID 668 wrote to memory of 2516	668	DllCommonsvc.exe	60
PID 2516 wrote to memory of 2556	2516	cmd.exe	62
PID 2516 wrote to memory of 2556	2516	cmd.exe	62
PID 2516 wrote to memory of 2556	2516	cmd.exe	62
PID 2516 wrote to memory of 1676	2516	cmd.exe	63
PID 2516 wrote to memory of 1676	2516	cmd.exe	63
PID 2516 wrote to memory of 1676	2516	cmd.exe	63
PID 1676 wrote to memory of 624	1676	DllCommonsvc.exe	64
PID 1676 wrote to memory of 624	1676	DllCommonsvc.exe	64
PID 1676 wrote to memory of 624	1676	DllCommonsvc.exe	64
PID 624 wrote to memory of 2480	624	cmd.exe	66
PID 624 wrote to memory of 2480	624	cmd.exe	66
PID 624 wrote to memory of 2480	624	cmd.exe	66
PID 624 wrote to memory of 756	624	cmd.exe	67
PID 624 wrote to memory of 756	624	cmd.exe	67
PID 624 wrote to memory of 756	624	cmd.exe	67
PID 756 wrote to memory of 1656	756	DllCommonsvc.exe	68
PID 756 wrote to memory of 1656	756	DllCommonsvc.exe	68
PID 756 wrote to memory of 1656	756	DllCommonsvc.exe	68
PID 1656 wrote to memory of 1712	1656	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_100d007f31fb3e31f65cf7515d230d8d9cba1ce46a7f15242312ded2b3769b34.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FE1ty2beYi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1992
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2348
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2556
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2480
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1712
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        15⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2248
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        17⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2476
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        19⤵
        
        PID:400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2340
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        21⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2052
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        23⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2656
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        25⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2024
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        27⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2892
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1413763a146d88bcb82cacb3a37d3122

SHA1
7f49026e6b28fee732e2cfa09b86b2eebb5e0c46

SHA256
2c0ad26c3ad429bb4314dbfd7497e92ab1c7eba7c575b68e336ac39ead5fabad

SHA512
ff91aac3af2537c7432856860c14bddf9925fbae380e1d625b11cd105a043eb5c19d68a64875f0fa9dfea492c387a3a00e43702fe4b29b13ba0b600b20b8ae6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e07bd2a366592fc234e4981680e11c52

SHA1
5ebe8e1aced463277eee0d9885ea2c91d3f196d0

SHA256
83a1d799409cbeb57c2cb62c4a4c1ecfdd78d964fbc515d9c55e1e229a9b8563

SHA512
9734d6eaffe7620ad848c518421df98da14048b1ca2052427b5b7039b55fdc4b4f7cb06edac9e5da87754662bd178012e75b66d1798fd31d8e8108906ba022fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16dd33f46d299d8a5419fd82a67a8ce1

SHA1
5ec4f54469f1122b87ce3ef12d00c2d6438abbef

SHA256
d6e4a48db459a78553460c8e0ed22d5181238aad93626cccd6e392021ee0ff4e

SHA512
cd8082ef3d4c8fc15289b4176393ea0cc6409951e9573f1ae393d2e078b6246784d4435d53d55ad16bab769e9c5b0e3fe0554622e0d2745e52026e594a400663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0582f11bfc688619a0de5773a5ef1aa

SHA1
c85a7e12d95678f9e16136cc37dcffc5874eece2

SHA256
571076bfcebd8a21b10dbe0a169c72800407ba6d15f30929b2634cddd699d6ba

SHA512
e9f1aecb819046923fdc49784c555d20c053c4d3af3961c81c2c4d122ec60eb181d079e0d27b7e77c196a9416f74d61dd69e2569143b8e0775e45401f0f5942b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c8fe0f393c22cac3766a7362292295d

SHA1
26289607959c3186422c9af08b735f8dfd65971d

SHA256
0a6bb4a9051bdbef26d3adb29555e1855e52c45ad629d7e2199d3b0632f8a078

SHA512
c20cbef837ed2ad3804f8543f26bee2ee35fc4eaf75414ce563f232f74556e30ed46a10edf09625059ce0e9c478c2c7041b63367d6ffb710f77eee43098a9ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a82e4474834405ece477654dcb7e65bb

SHA1
867edb67b0899af1065878fe27520d328e258ced

SHA256
071d727eee2d7b317249b331944b0a2ae487c4126b888005422130d67b751ae6

SHA512
ec49fb491efca8a38695a57d2e17d215686e91d2084a921cf6b4aeaea1604c61d621ccaa9b0ed45a143f72e9f3901663aa9576e9404a3ce2eb77a627e41a7fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95f7c9073210f4b55f1f69bac708217d

SHA1
9f01c1fd5e854d938d70abef72236ab44a46d52c

SHA256
1f19fd82efa47f278802caa9af9d4f4b40f38b193b0fc8c4b291ebaa9889f8d2

SHA512
64e8b5fe6187b8b99501bbda6a9431480615a7ca33b69ea132268e06b1ab3c5ac391e01a887a37a9de718569bc0f26e5dcd807518342f6bb2a418b6641abb6e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ea7481192c9e9ca5b3081118d24c0b

SHA1
f04a82775b2a187c78852b7ccf1270524017d49e

SHA256
b8ac61eff6d72b56ef79d0bc80371d016ef7dc53013548c626bbccab3dae5fea

SHA512
3d29e7ec9249271316022364a60844693d1923f9af552542a668618e3f4345f440a7e8c579fc3542274df1684394ccae04ec819ad32b083453a2921d69f6be1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b1c5c4e062bf4c02b62f394a09080bc

SHA1
603b3f6504056fc755edf4ba9086405802c05554

SHA256
2f62fd6a703ac938724b96ed86ac6acdccbfc3ea017e0a6c5e318fa2ef198849

SHA512
164c08acf2ddec8a30ba2b6450b478a6c14014e9f8625e2a235dd564fdfc41d739b0d10834abbccaeb6fdada82477d2e2d1fedcc29be6f676c8e37efd8536152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
733d1b6d57ea0f8356f9c65e6a98e663

SHA1
5931f7d865a6d7cdb40a869cd3addb86f5b38697

SHA256
c948a988fcf86f0c03cd89752c7d4ec8b83ffad7f8f4421394eb0305a8e26270

SHA512
082d5ea1ca67095909b22da5442bfbb6dd76d4fd4e316440bc6ba4c9c88ccb79718d69d4a06c37934d1a8b963849f19f42d385066984ed5cc27581ae9709bbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE227.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE1ty2beYi.bat

Filesize
230B

MD5
fffce09d0abc3dcc6d37d023ba0fef6b

SHA1
79237e271f2330e5d7cb857d9c924b192d1203cb

SHA256
ec1a81b1a9551306fa880785719858798f1f844f138b2efbccae7029231aac3c

SHA512
1aa52a764b3a9dd43b0bb11d86c00ccc4e5305fde1c4c6ad99e2b9a0be6343081c86612255c4637019cd6be9ded1a342ead24f78746e18d4bbb06ea5f5a220f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
230B

MD5
a64938de66be017801db581ba404373b

SHA1
e3799ca8b171e297de0ec45d958b59903fe74bcf

SHA256
817cdaf3f10744c5b615d6c6f785bec75d8b4bd7cef1c25dbc8ea781e139e6d1

SHA512
a2226ac1e4782e137be0e0dda803d70bd4a18ed2617f2b82b752a395cdf97e8e53fe7e041dd1e541d14feda34443f201593b6c29133fcbeed084be789fbc30bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
230B

MD5
46aecd138798d3916e3f21d0c633631e

SHA1
17297fc374a28b5f7c745346dd777f3464914237

SHA256
df39c12373cd0e75f422cb9f79a4e29509b8e08b844ce66c5f481fc50f90b3f2

SHA512
088a78030477aa146318e882b914c193a797dbf36e36ff091cfff0b9051b143be9a1a29f7c944296baa271af92806ad37bbc39d99bdbe30d7e55c9d4576d23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

Filesize
230B

MD5
5294e2b78b4b0546f59355255f54ad04

SHA1
d006c8d66ab179db9a519d318c0d0c3a093bb453

SHA256
43d0945f56f4fa7965a27eebdc287efbf834ed639337f05be7ea1fd6a0f29f74

SHA512
dc54b8c3e7a3dde757ae96cd2a42d7f1eba151471caa13fe358ab492ef85fc77b5385c16c3ac096e4e1e1f4f0c757b912d98d3e1f4339f552dd12397ae18ffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
230B

MD5
546d970bc21553096beaa9be81cfe6bb

SHA1
f2d0b950ae1e5d845cfa39d9f62a907b6af33776

SHA256
1445105239210032b729e849ab6976e8a69ce4ad0b66415c0bbd43e222f14756

SHA512
4f7c49061b473631de88a8b913b600a5c2f9b153aa7df61f3a915adcc22a659baf695a30a6472d7fb8f23047f71f7ed34c2d95cd742047d287cc3ed0b31ee3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
230B

MD5
f08d0a2461d2b393f3df34aecd7e7ad5

SHA1
171eb250bd5b5e110ab903df1424b21b25a7cc86

SHA256
9ed83163483dd208451a34c95682ad52136bf2b5a7e9c154ac8d331d00c4d79f

SHA512
87b7a57a96082f8f79438a9eb1a689962b8a532ddb0ba021ef891acb63740e2856a6a7660ccff04260df963bef725be7cb4ebc573e88bab7d8d534be536ce384

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE249.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
230B

MD5
8f3dbecc36a9381a6ade290c9ba15ebb

SHA1
1de905616dd04a3fa751ae1342039e4c1601eef6

SHA256
564319ee93d8d8c73e4ff14c91aebf397eaebac438aac3412ac6db6a855c2c35

SHA512
fc28981faf8e7aa6b665304e388fa013f992111540464377c77598b2420fea4c4d6f0fdd66dfb772c5980c0d7cc8d575d7352fa52eb5c211398b5f5b2438ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
230B

MD5
baab4a8607e51dd5fd6bd589cb4cbfbc

SHA1
78a518e939f5efc59e656beb6f6f74fb71ae4d42

SHA256
75bab3ed8e10397019b480a6414977a9405263e6dcc96b58c1e1b3a38e74c37c

SHA512
fc22e15855b80ed9ae5481deef25c27e38cc44ef337ff3f6021ec30d20a6b66bde75edf24c68db582f0ecb808819cf8023be0d2a88b51b880e508c0676f0ae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
230B

MD5
8cca3bdbf2f040e5816e4b4cb2777e0e

SHA1
068dcc986463344e8decf1de33391dce34f65301

SHA256
c9c9958ff8c43dd624c8314c12bfbc66448c6e79f5c472550d8c97519af7ac60

SHA512
b51e9fe4db10ed7bb1e409ac63417630e1f1879288648a4fb592061562f5a087020c1ce74090799d4e1a0e247b3ecc493363cc985cf84a378c5a9021bafdb03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
230B

MD5
4ec0f3b62b5fdd2927f4049b4bec2c25

SHA1
485dca8f92c5025b36a704539ac006137639b9d6

SHA256
6e9d6065c7dc8be2610a6207060c8ddbeb4dd80973857775b1c2924a187ea8b1

SHA512
daceee6e16378df65aa6e65f396bb4c262a14e8559b54f95cbf465c1b6d62c6b9ec3d9e104ffc4fe4845a14c82199f50b27da74fa923bbd7597be45afce23a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
230B

MD5
f7b53554286f432aece80972ee76aa89

SHA1
7fc8247ce899ca66d24148920c734ec4fd92b14a

SHA256
c9b16636c976f5c35e32527eb5eb91658ac4d2d68c5a03c86194437e67b942cd

SHA512
e68bcf0fc768b857678af94cfe5bd4139f7c706039798b8282f09b9a7411dc3e218b2028e7845b283212fd572687c179fb96fc8ab2a85614eaa158d416be6673

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70ff7d48d2c11e1e83c477ea494808f1

SHA1
feb315fa589cfc3fbc5483f4310f755f8d5ef9b3

SHA256
20d0db7b3a1865cfa472440efdfcf75c7fbccc2a14691cc16cab81363edbf43d

SHA512
16c123d8fd35e0a765df5db1b2b820e13c0bcb0eab8749896ff978e22a25eea1af6373ce0d64b05341990bb31b9e9d6faae1f1e5a3c7363cd11408ebb5b9f8a8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/756-230-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/780-290-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1148-471-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1676-170-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/1800-591-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/1912-52-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2112-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2112-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2112-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2112-13-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2112-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2264-531-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2404-411-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2500-48-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2500-49-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2648-351-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2648-350-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download