dcrat | 908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe
Size

1.3MB
MD5

569dea92cfeb2070961491c772b675d4
SHA1

68d9638899e134c253c8bde4da5c2ec928f46090
SHA256

908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6
SHA512

4b94852ff14d0d12d433658ff7139fdb51656f46b82324fd584bbaaa082edbda5384ba7d2843c4711891894ed7ad2372697dbfec6baf8227f4c3cbdf31ce2d66
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2732	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001926b-12.dat	dcrat
behavioral1/memory/2788-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/944-63-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/2644-123-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/1152-361-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe
1336	powershell.exe
1004	powershell.exe
2916	powershell.exe
2980	powershell.exe
1984	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	DllCommonsvc.exe
944	conhost.exe
2644	conhost.exe
1636	conhost.exe
2788	conhost.exe
2296	conhost.exe
1152	conhost.exe
2932	conhost.exe
2788	conhost.exe
2560	conhost.exe
616	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1308	cmd.exe
1308	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe
2816	schtasks.exe
2504	schtasks.exe
2772	schtasks.exe
2324	schtasks.exe
2792	schtasks.exe
2848	schtasks.exe
2844	schtasks.exe
892	schtasks.exe
2992	schtasks.exe
2624	schtasks.exe
2612	schtasks.exe
2680	schtasks.exe
2004	schtasks.exe
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2788	DllCommonsvc.exe
1004	powershell.exe
2036	powershell.exe
1336	powershell.exe
2916	powershell.exe
2980	powershell.exe
1984	powershell.exe
944	conhost.exe
2644	conhost.exe
1636	conhost.exe
2788	conhost.exe
2296	conhost.exe
1152	conhost.exe
2932	conhost.exe
2788	conhost.exe
2560	conhost.exe
616	conhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	DllCommonsvc.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	944	conhost.exe
Token: SeDebugPrivilege	2644	conhost.exe
Token: SeDebugPrivilege	1636	conhost.exe
Token: SeDebugPrivilege	2788	conhost.exe
Token: SeDebugPrivilege	2296	conhost.exe
Token: SeDebugPrivilege	1152	conhost.exe
Token: SeDebugPrivilege	2932	conhost.exe
Token: SeDebugPrivilege	2788	conhost.exe
Token: SeDebugPrivilege	2560	conhost.exe
Token: SeDebugPrivilege	616	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1700	2904	JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe	30
PID 2904 wrote to memory of 1700	2904	JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe	30
PID 2904 wrote to memory of 1700	2904	JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe	30
PID 2904 wrote to memory of 1700	2904	JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe	30
PID 1700 wrote to memory of 1308	1700	WScript.exe	31
PID 1700 wrote to memory of 1308	1700	WScript.exe	31
PID 1700 wrote to memory of 1308	1700	WScript.exe	31
PID 1700 wrote to memory of 1308	1700	WScript.exe	31
PID 1308 wrote to memory of 2788	1308	cmd.exe	33
PID 1308 wrote to memory of 2788	1308	cmd.exe	33
PID 1308 wrote to memory of 2788	1308	cmd.exe	33
PID 1308 wrote to memory of 2788	1308	cmd.exe	33
PID 2788 wrote to memory of 2036	2788	DllCommonsvc.exe	51
PID 2788 wrote to memory of 2036	2788	DllCommonsvc.exe	51
PID 2788 wrote to memory of 2036	2788	DllCommonsvc.exe	51
PID 2788 wrote to memory of 1336	2788	DllCommonsvc.exe	52
PID 2788 wrote to memory of 1336	2788	DllCommonsvc.exe	52
PID 2788 wrote to memory of 1336	2788	DllCommonsvc.exe	52
PID 2788 wrote to memory of 1004	2788	DllCommonsvc.exe	53
PID 2788 wrote to memory of 1004	2788	DllCommonsvc.exe	53
PID 2788 wrote to memory of 1004	2788	DllCommonsvc.exe	53
PID 2788 wrote to memory of 2916	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 2916	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 2916	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 2980	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 2980	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 2980	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 1984	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 1984	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 1984	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 1824	2788	DllCommonsvc.exe	63
PID 2788 wrote to memory of 1824	2788	DllCommonsvc.exe	63
PID 2788 wrote to memory of 1824	2788	DllCommonsvc.exe	63
PID 1824 wrote to memory of 3016	1824	cmd.exe	65
PID 1824 wrote to memory of 3016	1824	cmd.exe	65
PID 1824 wrote to memory of 3016	1824	cmd.exe	65
PID 1824 wrote to memory of 944	1824	cmd.exe	66
PID 1824 wrote to memory of 944	1824	cmd.exe	66
PID 1824 wrote to memory of 944	1824	cmd.exe	66
PID 944 wrote to memory of 2276	944	conhost.exe	67
PID 944 wrote to memory of 2276	944	conhost.exe	67
PID 944 wrote to memory of 2276	944	conhost.exe	67
PID 2276 wrote to memory of 2140	2276	cmd.exe	69
PID 2276 wrote to memory of 2140	2276	cmd.exe	69
PID 2276 wrote to memory of 2140	2276	cmd.exe	69
PID 2276 wrote to memory of 2644	2276	cmd.exe	70
PID 2276 wrote to memory of 2644	2276	cmd.exe	70
PID 2276 wrote to memory of 2644	2276	cmd.exe	70
PID 2644 wrote to memory of 2432	2644	conhost.exe	71
PID 2644 wrote to memory of 2432	2644	conhost.exe	71
PID 2644 wrote to memory of 2432	2644	conhost.exe	71
PID 2432 wrote to memory of 868	2432	cmd.exe	73
PID 2432 wrote to memory of 868	2432	cmd.exe	73
PID 2432 wrote to memory of 868	2432	cmd.exe	73
PID 2432 wrote to memory of 1636	2432	cmd.exe	74
PID 2432 wrote to memory of 1636	2432	cmd.exe	74
PID 2432 wrote to memory of 1636	2432	cmd.exe	74
PID 1636 wrote to memory of 1260	1636	conhost.exe	75
PID 1636 wrote to memory of 1260	1636	conhost.exe	75
PID 1636 wrote to memory of 1260	1636	conhost.exe	75
PID 1260 wrote to memory of 2188	1260	cmd.exe	77
PID 1260 wrote to memory of 2188	1260	cmd.exe	77
PID 1260 wrote to memory of 2188	1260	cmd.exe	77
PID 1260 wrote to memory of 2788	1260	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_908c071005dba7addca6ddc0f6dea1910a57308273bcc233dc655e1a918dd4b6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2nDodB2Jrc.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3016
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2140
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:868
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2188
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        13⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        15⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:340
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        17⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1004
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        19⤵
        
        PID:564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3016
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        21⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2572
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
        23⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1744
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        25⤵
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35037e8831ce2991a17474e4704f6261

SHA1
2be773b24c61962da5c50c93adf43046abe4f41e

SHA256
7beb19fed7c9b56a3cbc6ed6b6a748c691f74a81b5d97a8bd4da173310a30d5f

SHA512
cc534297329bf0675f4d68a2768fb99afc219b4e2044eeec38910f89baecc79fcee7678aee03f7819b64b53f554d2c8157c6822653214487b6c5411a5f0b9db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b990ff1ef6c786c4c080134cbb5369f8

SHA1
4dff11c94ac681eb3d6ba490f45eedb31f063389

SHA256
dcc94dc6ed465e7a6c4201d1f55544fb89512bb34028d3b20502bd6b03dd8cff

SHA512
35718b43bcb356b4108d23357a7d482748d7f8a482498be8a99806e9310f3a1ade797c3bdfab53f82ce87535558bd886646b460059de53df0fa6f676071fe356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c51fdac05b71839d0d0f57d55ad9b42

SHA1
02f8e3a75604d0e5dafdff3e422c5339934a819a

SHA256
a855c98d24b3fa6df1cad8da063362e16793edcdb0112dd58340113c5ed7ed2f

SHA512
98e77a251cd97672a7e64b4ea5ff1c947adf6d7bb3c4df125dcd06469b92bca5de027ad46c8029370354533c7cdfb7d3da437e83695a8f2c56aea1f5bd1e7917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59a36a48834ab3510a411edf336b33dc

SHA1
c8960c226a0d2f6c3ece4f7ef7d9a63dbe928771

SHA256
aeec72f2197eca58986eab4671ddc86478e406a75cfe804284df5e9063a0a8b0

SHA512
915afad16c7edb596dc157ed1404e5a9a3a80959ccbc35407cb57da35e73bd9b533aea5fd4086b1022302036fa54f0e7e88d63828eed1b4703fb030767fa7eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a63f7a5806d191bfb0ed308baf250d3e

SHA1
1fbfc237c42219f35c16733f8e04126f6bbd98bf

SHA256
6cd18361a3aef36747862cfe78dd9504cea8e888d5780d00ee4653cd8fb0bb64

SHA512
d2c6dcd65457ecc4c6e05f7a31cd58a1d2e85f6e1727015a0117cec285163fafcde458145cf66897326397414ec67fde7d4e0341f2a3cc746647fbb4203a07a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884dec6dc0a7bdc71707a6f98d26700f

SHA1
2eda795c38e9beeffbe58705a20bd29b7c4042a9

SHA256
cf53af02c9f548e4ca0ad789256eb6ae4283ad1cce331a9fbfc61d81b561aca7

SHA512
329db789bd697299f1325866d9f79d5b013e4e576c88834ee7b8b3ba4faab03454f5428319825ff7ad97a02ebd2bf3aca6ff13ac73147cfa02c39d95f6c4027e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c93afd7cba904bed7618c5c04fdc77c2

SHA1
40384ceee376aa5f4c9030b626c4c8cf8ab39c03

SHA256
6cb7290cd8f9658a0cec184a298943a21ed460a7d097388518e727f672fc3683

SHA512
5fdedf6499653f1f720bf99ea19abda9602615bedbf1e525385b156298425508ae1eef1973bab0ffae27ef0c0580f0843358fc80528298231b56f7f91a83393c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca370de96e4dfd07ceb4c9dd5acf9666

SHA1
f1b1e93a1bfb7f2a69d3fc3a5a27d9f14f295829

SHA256
4c76e71ff73e61db3c39bfffc3f31088dad79a33fbb5e6b78d3b00a06a335a92

SHA512
99eb4b554db566ebe691253b7e2bac91644b0abab297813db982dd801efb8da25d60cf328c4b07da9a3fe9ec2bf6bff42a2bd4a62767062306302b7caf076eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c344223871e046fb94cca3ed6cee28dd

SHA1
8ade4cb9ac62960468a821b9e3b66374995cb417

SHA256
decc3f40864765bcda8850c146aa5d0673dd535c77736e9c63bb2a26e09c8804

SHA512
229cdec20624cbc5130876324c92a315fd2550f77277640cb1d6bbaaffdb224f702534c41558dc75af88c6fcadaecbd586009734f8c5572300a4d488862f3e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nDodB2Jrc.bat

Filesize
248B

MD5
5b606baa9b6f9ca2756cd1a5e7d60cb2

SHA1
f20345c019f46f59a4cc95cadc97ecbae44bfc56

SHA256
93b119197c7a166dfbdd23e7c5f4f761db07ae9a92a76849e4c37a78afd44447

SHA512
100b0c9bf22c4d208afbb1a2c6fa0f3db96cb8d4a73e8d9785d341643dad58353680731b8e8ee78e0fc46a04e8c8874d5830f3a29b07b68d06efa0ff10aea310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
248B

MD5
1ddddadd727f42b7e7f9d8c56220cfa5

SHA1
792ae17cf472d90a9414cd16a1344b745dd70372

SHA256
2fdf33aa5385c12b23203238784a086b34412ad687d7ee5c84dc9f49cbbcbe35

SHA512
4cc5c216b359140d88f62f31b6469a1655def9047f51bb1765a54e42b22d914af2ea6c3e4531d6b27ca428e8181df372a6c7883447ae5e395c4b92c62add77b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
248B

MD5
32e570b7e3a2462b4916b1726cf4326a

SHA1
98f7a003eb419476676f43fa17ee949da59f1f98

SHA256
5d7c3adfe1c333368631c887400f4fbd587ca8b270e9660123a6be3d59c56ad7

SHA512
97e87c6ffff99e2b75f7d3543acb25d625757fdbad9efef4334943b4780dae92f4bbde644bc998e561b6817afe7e2f92b35c50a10d1da60849ef4f86f1fe4a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
248B

MD5
ca3069ea8a9bcf1df340a12ff3bf11b6

SHA1
e9e3d875c71b2d40c80248182461cd3afca03c80

SHA256
38ce651f1cec65e843a74a2246aecc0a7274d3305aee05a3b7cef1cb19d6ea32

SHA512
b0cfddd765c697c6bc16e0002c4378b81d6646538d406c57578b854bd9f0ccae0b2e7fac0b075762af9c142e0ea96a1dc3f38d152cd218fd96e1b9ec44b941bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7F2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
248B

MD5
86d00acfd9c1ae458d1cc7e5a4c0f71c

SHA1
53121e1021b2931aa01b5ab412a13bf01a01e153

SHA256
13d371f9b2b2a42b45c54c6bf196677e09593b227848ab709f0597b597c76d97

SHA512
1f2af89df025cfff423833d797b1ccf7695a68c4f73ec6fd68e224a3b0542d3d82d934d6f20eeab240d800f5446068fb50ef48ece53ca4639193a692e97e5a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
248B

MD5
f9061147497b04ec6a9d8221d2c381f7

SHA1
3b0db61ea171fdde58350ad1ec8a1006e2d00bc1

SHA256
390d58728de5626079d1b46db92df6a5067c134045c01097d375c3895a7a3e21

SHA512
49bea8551138e7156cc2b57dfa1157df3332d2170498220442aed2229288b287d12ec621fa6d059c56cc63f0e6abcf995d0fdb7283bac9878150091e905069d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
248B

MD5
1944c2a0c6cba8b93024889db4596b77

SHA1
b344f018097504b1264b8e1e61ad7d3b88d04824

SHA256
7eaaffe20004b9a1a763c8f1d0e55a79ef5f74b3507d67d9f2f4d8129f36d5e6

SHA512
26fb36a3eb8756260710da118d2252602780ee6b171c2be7c6855e0cbe3e795f0c541d54dcb1090e7683685300c1ab3a05b12173d1ad57e1dc09a11e36081638

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
248B

MD5
13546c817c60cc5a0c05b1520225d1e3

SHA1
7e1fdffd34c5f5ae08e9a09f7905f129155508cb

SHA256
6f61ace2b5a8a1b2c9bd814486096475f99aca7cf7f4fc6eddbc602628f83bdd

SHA512
59e3cc30abcaed546e721edbbe45f7333f456bc88e635941f764250bcb59e8d87953a0efdb8f8a497b8f78d19daf76fd2d4bf92103b577af5ead82e833b847a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
248B

MD5
73090b4fd31e9d9dc8f8ab971b44b85d

SHA1
52044a5ef6eadbc3f88eb72c86e36a5203c18035

SHA256
a1e98bf31c84f7a145d1c2b55c221792d1bfab783a43fa4d8c9ef9fe73d6c982

SHA512
ef070e4b8482ff0b6601ac2194ea43fc2c06a6dd1b575c18390790fdb770fbf5c7798529696bc48c847d73f322b2426aa4c3c33a6b4120537890ee1a157b9ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
248B

MD5
bcd3e39ca488214f274dcd28742fb797

SHA1
8db43c8db90976ac129455eae7faffd09280c858

SHA256
7f03148cd35846817ca6f68c8e199747f4d2d4f4bd7b1a19a7b4bc9955baffee

SHA512
e50c02391ec003f36635995eda0e25819be2bc74b89ea9742ec7e3a991413f43855fd6768b058564145623e4ce9254bcb45bc265a5b8c57a939887eabf65f1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

Filesize
248B

MD5
3e81186396314ff7eb74fb0885c599c4

SHA1
849b8acb352e63a48ec10643246c3779523a3575

SHA256
68430a08ecc948d65c67c4836419b0e59a100ba33b03a306d0027310d7eedf5a

SHA512
d1e161c999552f96b64f31d38b58c390f44c51c7202923d8077a03f55e3f8219c3d004825bd86e9ea559cb1a388650478a370386aecf70f9a14138e8b38d30e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25082d9b2d44b8f72c7b3972e05dbc2d

SHA1
276bebe973c278fce59189b4069f446ec8fc2e1c

SHA256
64e6e368772737bb9823902638489c5671696eef57c6b3fc8ef80ec4d0768bd4

SHA512
19649434df3249b41624245c864f48130f9a22da9dcd634b4d6f8ce50f0ce44e69a90c4f7926c56bbb4f4104f8a24ef850b0c2f47100f0d0d06f3af364d53967

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/616-599-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/944-63-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/944-64-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1004-41-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1004-37-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1152-361-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/1636-183-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2644-123-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-17-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2788-16-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2788-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2788-14-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2788-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2932-421-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download