dcrat | 1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
Size

1.3MB
MD5

8602a55edec3889558030387bc232e0e
SHA1

7f7811584231c653e945d57d2ccaa0cfcda24d29
SHA256

1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3
SHA512

0be96ad32cb92f23fb144cba6d8f5477ac7e5b3dab26bbff76ba15f87c46ceb1ce9c91a2bed80bbde6f802aca8e0d2c3eea5d4608095f85e290e69d371ef6ef0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2528	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2528	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016009-9.dat	dcrat
behavioral1/memory/336-13-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1640-66-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2512-126-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/1944-245-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2924-660-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
1484	powershell.exe
1776	powershell.exe
2332	powershell.exe
1148	powershell.exe
1032	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
336	DllCommonsvc.exe
1640	explorer.exe
2512	explorer.exe
2884	explorer.exe
1944	explorer.exe
784	explorer.exe
1700	explorer.exe
1296	explorer.exe
2656	explorer.exe
3044	explorer.exe
1924	explorer.exe
2924	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	cmd.exe
2376	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
36	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2812	schtasks.exe
2016	schtasks.exe
1628	schtasks.exe
2832	schtasks.exe
1612	schtasks.exe
532	schtasks.exe
2252	schtasks.exe
2676	schtasks.exe
2868	schtasks.exe
1532	schtasks.exe
2976	schtasks.exe
3016	schtasks.exe
2988	schtasks.exe
2576	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
336	DllCommonsvc.exe
336	DllCommonsvc.exe
336	DllCommonsvc.exe
336	DllCommonsvc.exe
336	DllCommonsvc.exe
1032	powershell.exe
2260	powershell.exe
1484	powershell.exe
2332	powershell.exe
1776	powershell.exe
1148	powershell.exe
1640	explorer.exe
2512	explorer.exe
2884	explorer.exe
1944	explorer.exe
784	explorer.exe
1700	explorer.exe
1296	explorer.exe
2656	explorer.exe
3044	explorer.exe
1924	explorer.exe
2924	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	DllCommonsvc.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1640	explorer.exe
Token: SeDebugPrivilege	2512	explorer.exe
Token: SeDebugPrivilege	2884	explorer.exe
Token: SeDebugPrivilege	1944	explorer.exe
Token: SeDebugPrivilege	784	explorer.exe
Token: SeDebugPrivilege	1700	explorer.exe
Token: SeDebugPrivilege	1296	explorer.exe
Token: SeDebugPrivilege	2656	explorer.exe
Token: SeDebugPrivilege	3044	explorer.exe
Token: SeDebugPrivilege	1924	explorer.exe
Token: SeDebugPrivilege	2924	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	30
PID 2980 wrote to memory of 2696	2980	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	30
PID 2696 wrote to memory of 2376	2696	WScript.exe	31
PID 2696 wrote to memory of 2376	2696	WScript.exe	31
PID 2696 wrote to memory of 2376	2696	WScript.exe	31
PID 2696 wrote to memory of 2376	2696	WScript.exe	31
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 336 wrote to memory of 2260	336	DllCommonsvc.exe	50
PID 336 wrote to memory of 2260	336	DllCommonsvc.exe	50
PID 336 wrote to memory of 2260	336	DllCommonsvc.exe	50
PID 336 wrote to memory of 1484	336	DllCommonsvc.exe	51
PID 336 wrote to memory of 1484	336	DllCommonsvc.exe	51
PID 336 wrote to memory of 1484	336	DllCommonsvc.exe	51
PID 336 wrote to memory of 1032	336	DllCommonsvc.exe	52
PID 336 wrote to memory of 1032	336	DllCommonsvc.exe	52
PID 336 wrote to memory of 1032	336	DllCommonsvc.exe	52
PID 336 wrote to memory of 1776	336	DllCommonsvc.exe	54
PID 336 wrote to memory of 1776	336	DllCommonsvc.exe	54
PID 336 wrote to memory of 1776	336	DllCommonsvc.exe	54
PID 336 wrote to memory of 1148	336	DllCommonsvc.exe	55
PID 336 wrote to memory of 1148	336	DllCommonsvc.exe	55
PID 336 wrote to memory of 1148	336	DllCommonsvc.exe	55
PID 336 wrote to memory of 2332	336	DllCommonsvc.exe	57
PID 336 wrote to memory of 2332	336	DllCommonsvc.exe	57
PID 336 wrote to memory of 2332	336	DllCommonsvc.exe	57
PID 336 wrote to memory of 2272	336	DllCommonsvc.exe	62
PID 336 wrote to memory of 2272	336	DllCommonsvc.exe	62
PID 336 wrote to memory of 2272	336	DllCommonsvc.exe	62
PID 2272 wrote to memory of 2324	2272	cmd.exe	64
PID 2272 wrote to memory of 2324	2272	cmd.exe	64
PID 2272 wrote to memory of 2324	2272	cmd.exe	64
PID 2272 wrote to memory of 1640	2272	cmd.exe	65
PID 2272 wrote to memory of 1640	2272	cmd.exe	65
PID 2272 wrote to memory of 1640	2272	cmd.exe	65
PID 1640 wrote to memory of 2740	1640	explorer.exe	66
PID 1640 wrote to memory of 2740	1640	explorer.exe	66
PID 1640 wrote to memory of 2740	1640	explorer.exe	66
PID 2740 wrote to memory of 2624	2740	cmd.exe	68
PID 2740 wrote to memory of 2624	2740	cmd.exe	68
PID 2740 wrote to memory of 2624	2740	cmd.exe	68
PID 2740 wrote to memory of 2512	2740	cmd.exe	69
PID 2740 wrote to memory of 2512	2740	cmd.exe	69
PID 2740 wrote to memory of 2512	2740	cmd.exe	69
PID 2512 wrote to memory of 2992	2512	explorer.exe	70
PID 2512 wrote to memory of 2992	2512	explorer.exe	70
PID 2512 wrote to memory of 2992	2512	explorer.exe	70
PID 2992 wrote to memory of 2644	2992	cmd.exe	72
PID 2992 wrote to memory of 2644	2992	cmd.exe	72
PID 2992 wrote to memory of 2644	2992	cmd.exe	72
PID 2992 wrote to memory of 2884	2992	cmd.exe	73
PID 2992 wrote to memory of 2884	2992	cmd.exe	73
PID 2992 wrote to memory of 2884	2992	cmd.exe	73
PID 2884 wrote to memory of 3032	2884	explorer.exe	74
PID 2884 wrote to memory of 3032	2884	explorer.exe	74
PID 2884 wrote to memory of 3032	2884	explorer.exe	74
PID 3032 wrote to memory of 2428	3032	cmd.exe	76
PID 3032 wrote to memory of 2428	3032	cmd.exe	76
PID 3032 wrote to memory of 2428	3032	cmd.exe	76
PID 3032 wrote to memory of 1944	3032	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Media Player\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPAkuZtN5R.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2324
      - C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2624
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2644
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2428
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        13⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2728
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        15⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1088
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        17⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:572
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        19⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1712
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        21⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1660
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        23⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1484
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        25⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2420
        
        C:\Users\All Users\Microsoft\Media Player\explorer.exe
        
        "C:\Users\All Users\Microsoft\Media Player\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Media Player\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Media Player\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Media Player\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82fc3b829a45a56f901c2afb48394d22

SHA1
e3f05dfd5fa29fec5c6d834f15b3ff56a6bbc326

SHA256
8138f8346d74229ebe87d5e60b83aedfcfb1dd33ff6a0d68eadc0a4cb31aa358

SHA512
0145b9bf8912a2f036963495a878996aaafb2a4842f254cdcef6d978bda268557a166abb5325820cdf966ee7611cbbddf3b8eb9f47f02dc8396fb6174d773892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca9fc325b7e75d234ec1b8c5e4fbb7e

SHA1
0ae8af2bc34f65b4a190fb7b4a82a66da35ac071

SHA256
ebf37df9a903cb9e9f6089ed01cb562b3b0ffa571c286cdafc428e3ad4b34703

SHA512
08ef3846036ab275f3e59992967015e67b8699812645191525ef314e1c4f2c53c88c2089081569e34653211bf382e12a70c361910123fe9245e625120900b8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61ef1c467ea2db1013204eb505c86cd8

SHA1
0b11862cd853dc7ebca73a4ab6eb876a243cf52e

SHA256
f53dcdf452a3adc7bb337ee9da2fabac7dc38484a958e5b9939b0cfd6d78bbbc

SHA512
6384f2b863dde0e4a3e4da2e5edcfce4c2485efc153a976d5c60a4ac47db8049f14bb61f07a4cce78559f8cafef913e5989bdbf7deb8073d8227886af75d90c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6d15e539fc88032b43087666add807f

SHA1
9f4402e2cec801077ec01627c3638d16fc0a902e

SHA256
05eda68cff103c3c40b1fef5e1a06d81eee38c158fe916840b8b99887ddd980b

SHA512
2abe416cfa5379c124bfbd9a5c51ff8875f0399dd01ab4cf49cafa3468260563f007c8c9d2b31dd8484a8408980f9f33aba1b9703179f880e2eacd1e476ba13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c573531d633a0dd8d292c2e6beed2c4

SHA1
b924621c53061a8f16abf96f9a22c42fa53f2337

SHA256
1a6f4d45791737ef0c797d9e98ecd6eadac5ae0c8826cb0ea40b0c0ea4c25f0d

SHA512
508c6447d3b79428bfef8921c41898c6032667b146da157fc238edfb9582aaaea1f57b43398dc309629b540440fd160f5448a6ba75ae7faa509ce6fa1def23cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a79265b2db8479d60fd04c2ab067fd31

SHA1
89669b50fa8263fdb0c4055b74ad66b4687a2de7

SHA256
a40897608ae634d3c74e9a3c41239647238a2ae23ea64d2d78a6a2dfb6862256

SHA512
3a3b4c4f153c0f018eb5b22755e874e7e7b17e18eb1e4e3c3467b0a6b3be40666da226ed2c66da44e8972d292bd2a5ec9ec151adab0e5796939f3436e5c9f252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5baac9d9728cdf00c6d8fc118731cd4

SHA1
3e6b6ab3ba0a93eba1da914f10062211d33df129

SHA256
42ebef64b4efc8e242f4e78ec6d2b57604f3ec997ddf92d6c54d484370333df2

SHA512
d823d3d5dd63b44b7fea47ee182ad6183333d38d89d2481b762d56478fb27b5434720f6667d093c20afdea0a58850aa7df629a8bb740ed3ba2a826a9efa6a80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fb1cd7309b915d16f086ce4183adbc3

SHA1
8528ed2b21243b3ace443602d3e773ffd33d55e9

SHA256
e63309f9b451d5dcd800a9aa85b14909739d8012573ed5341dbfda296f747072

SHA512
52418e369808a55d07e1f109d9758da26d29aa6276251228ca48c34e81f0d4c57975c1ff1d67e385333cec8dcbb2b1c4fa0bfbf074f5c95cd9fc571b0e050a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01fae948283e99dac394da6c25645112

SHA1
875b6d4000c85f0829e1fc9e176d195985c208ef

SHA256
514594ec6ec64c1780221c335210971bfa49598ee2cbfe8a50e707b42d323d5f

SHA512
cc82578658444cf16cdbef8102ab5bde6b2133aa1fed02f86db73fb45033d136095bc1b2e73cbf159241d85196af129dffa0da57a0ee207fbb6ac79f0c8278e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
219B

MD5
e3ea371774529d96f1fb811005eefe22

SHA1
4fe3cf3237bca3b900141a0ce3efa11a3368cf6c

SHA256
024a1cede4f9349641e5e5d5cbf3d00e292df062bf830df781ec30e37edf9d90

SHA512
62c135ddb38dfc6db63673b544d3d0c7faa858d8438dec4c7e810eddc5fb7814caa6f183c1a5c528056113b412ce77e372e910311b1518994f18bd00a998d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
219B

MD5
c2cbf8f8e53cdb46a3a9ff3a33faa010

SHA1
68f8b9aaebed7d080826d2baa2f4a1bbcd338b16

SHA256
26ca6230f34548016e1e08e24444f1daa2f38286c69605dca222331c253ac8fb

SHA512
47faf7ecd110d5bcf892e343f4ade3c76c9bdd62d65d88dd2ac2e94b4f6f53a8f7b6bdfe3d132d61568596ba08ad230027609b737ce3e906ea46967e3eaf7d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
219B

MD5
0bcee82600fddd603a9cd9d86b4a8531

SHA1
beda3679c9d326cd24b16553a95ad79d45e3b377

SHA256
73cf0b5b2f9741da156ddf479b128b26e44a6156dd2798099d44dec126b232cc

SHA512
f978022883e8f3f6293191102d39486963e1ab37d30895aedb3c864bd4ec62e47248fdb06d76c26f2dfaf805596ab6ab3d75efb43d618e2be4867b5b4ca85fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3803.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
219B

MD5
f6726826b420a57e7f8bb61af5ee32b5

SHA1
bbed6b906202eb8abc54354e8c21bc09e583bf10

SHA256
a51bf1ece3bba667a79b91c68fe9e740e6e5945b7ea2f757c545f7211c673582

SHA512
655d850252eaa2d4a1761088579333f1f23c0752b6139c9d4a8df3f0aed33da9c87ab999d5360607a6cfcc0e786d2231a4c861fe4a143de0bdd57a39971d740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
219B

MD5
446719d29a5ee9600d0df0dd29b19231

SHA1
3d357f17fdaffc0f19e28936068216321f7689c8

SHA256
631c4350c8dd784314dfa3d8d58e30da21a507faf79479ef496a2f1e232927cb

SHA512
e2e35551e126a8fb44e29f0df56c272a833060056b7615f04bf2bf2647fa73e791ff06a8a06e3579d7717e995166bf8e1977246302e00507347ff699909782ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3816.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
219B

MD5
809f1bb41a47be58005f027b8b242594

SHA1
72664358408ef599d322fdc7eb2b6dca9fc61d7b

SHA256
faff4cd648a2a44a68916c3418960c7a7ade86372c0ee5cbc66847ed338f4702

SHA512
fb1f7411a565e1b7ff07b826af70a8fefe03471b2500df76f48c4d63c9133154b8759bd025c85ea1e7b34aea9b11b23d78e5fe204c2b07c6eb1726ee962a85c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
219B

MD5
685e920bbf838b4e22fb107d396c5a99

SHA1
51e7d60730c36a87473f29d2d89bd04ae24e7d84

SHA256
f63e741887125291f0ca11b80b812c5727b8dae45078c7295f664803f12f8874

SHA512
6fe7eb2478162d6eb59c6f33f02f4e09d349a484271ebf9bd243831c1361142f469d81e59a3a13b6123bf1610c6d19d7626fcf36a9ba75d60f96caecfba0094c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPAkuZtN5R.bat

Filesize
219B

MD5
677a657ae10c5f78fec863edc9f94033

SHA1
ad453e1cca213460ce7591861f35e8ab531a4e81

SHA256
e1027e70facacdfc17c7e34e200d9a5e5bf20049ab019d97e53ed9c42a631a8a

SHA512
8fb7c388fab716625c994109f4cca0162bdb64785ecea6f4d537a71247cc86a6db6deb6510ff5e9a877971e93574187b3af9ecd80bc67d2b2a62a4a6490be75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

Filesize
219B

MD5
e78128e15a3ce5be9e1c6f47156d8aab

SHA1
132cd68fba0336b880bfe83d358dea408b7f6d5e

SHA256
c01d47736a316c800fa6dbbacab8a1f8f7b50af96204f0c4852055bceadedca1

SHA512
93dda825812a2527f1c9862cc7b9895352685d0c52f676c4db963ccdd4d32578be2f987d3134b3678dc2ef9fcd8c50aff525f5b94034360fc972f89d39281d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
219B

MD5
90befc612c4c9e37b0c546046c924b34

SHA1
fcdfd90e74c889e7df8b9e87b94fc0d7a95fae32

SHA256
ea7e1c5cf52bf9dc81039c96a4320a407bc2fef8648bdd4cfdce4c1d9d5bfca0

SHA512
1cc2987ddbf4a992588d6130c39b036ddf585b40693b83bf43c0f62424fda091e9833462da150686f5ec89f8e6bc6bce09e80030690c99af496acd2ad8e725f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
219B

MD5
d2721afadbdaf461f62fa906fb6b5364

SHA1
92481b1ed5b3b96ca97a88a5aa652654a54b115b

SHA256
2501d76a91839807ded959a1c28dab3b3e5246da34a0902446cc3eb4c028a1d1

SHA512
79e21735c966c25129e8150207cfd67ad81aae74ff4b9a8b29f6a71cd8cee2f2ae3774a7bc91465eaf3060773ed4c35a238d1dec0f55105885736621f351df0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M9JWN9VF7ZKKS1AEFQOI.temp

Filesize
7KB

MD5
129ab73b24e7e5f9b6105a0cd16f9aa9

SHA1
725433b60da429d95193c29983b3fa0c6d1d7705

SHA256
ccc5d712f88135c0bcbc1d2cd4d8b058a4e66f6615124deafa1804cf6ba2ee67

SHA512
583c824374e7094d56140481f9b3eed54104fa58632f75d8adc133bebb05b2e1561912c03bf9056272f479ed111090c2234cd1148076b1081d62a2616130751f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/336-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/336-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/336-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/336-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/336-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/784-305-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1032-38-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1032-37-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1640-66-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1640-67-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1944-245-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2512-126-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/2924-660-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2924-661-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download