dcrat | c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212

Analysis

max time kernel
146s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Size

1.3MB
MD5

27ae919b3be2d7828dfd0c8b33360306
SHA1

a83ac006784190638f718f27ea6cb9763c67fdef
SHA256

c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212
SHA512

94c1f8ef256c811bd4049592c347becc709f339fad0ddb947c2460b3e1595479855c039b91b48f90d3559c527e504887a56e8d4ed0c3b2b9c3195754dee774c7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3520	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3520	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b80-10.dat	dcrat
behavioral2/memory/1968-13-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
4316	powershell.exe
4388	powershell.exe
1668	powershell.exe
1608	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 13 IoCs

pid	Process
1968	DllCommonsvc.exe
1880	upfc.exe
2576	upfc.exe
320	upfc.exe
1864	upfc.exe
4224	upfc.exe
4264	upfc.exe
3968	upfc.exe
4144	upfc.exe
2940	upfc.exe
3960	upfc.exe
2772	upfc.exe
3892	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
23	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
50	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\38384e6a620884	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
784	schtasks.exe
1368	schtasks.exe
2464	schtasks.exe
1736	schtasks.exe
872	schtasks.exe
3924	schtasks.exe
3656	schtasks.exe
3488	schtasks.exe
1552	schtasks.exe
3668	schtasks.exe
2952	schtasks.exe
1844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1968	DllCommonsvc.exe
1968	DllCommonsvc.exe
1968	DllCommonsvc.exe
4316	powershell.exe
1668	powershell.exe
4316	powershell.exe
4388	powershell.exe
1608	powershell.exe
2624	powershell.exe
4388	powershell.exe
1608	powershell.exe
1668	powershell.exe
2624	powershell.exe
1880	upfc.exe
2576	upfc.exe
320	upfc.exe
1864	upfc.exe
4224	upfc.exe
4264	upfc.exe
3968	upfc.exe
4144	upfc.exe
2940	upfc.exe
3960	upfc.exe
2772	upfc.exe
3892	upfc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	DllCommonsvc.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1880	upfc.exe
Token: SeDebugPrivilege	2576	upfc.exe
Token: SeDebugPrivilege	320	upfc.exe
Token: SeDebugPrivilege	1864	upfc.exe
Token: SeDebugPrivilege	4224	upfc.exe
Token: SeDebugPrivilege	4264	upfc.exe
Token: SeDebugPrivilege	3968	upfc.exe
Token: SeDebugPrivilege	4144	upfc.exe
Token: SeDebugPrivilege	2940	upfc.exe
Token: SeDebugPrivilege	3960	upfc.exe
Token: SeDebugPrivilege	2772	upfc.exe
Token: SeDebugPrivilege	3892	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4520	2872	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	82
PID 2872 wrote to memory of 4520	2872	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	82
PID 2872 wrote to memory of 4520	2872	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	82
PID 4520 wrote to memory of 2240	4520	WScript.exe	87
PID 4520 wrote to memory of 2240	4520	WScript.exe	87
PID 4520 wrote to memory of 2240	4520	WScript.exe	87
PID 2240 wrote to memory of 1968	2240	cmd.exe	89
PID 2240 wrote to memory of 1968	2240	cmd.exe	89
PID 1968 wrote to memory of 2624	1968	DllCommonsvc.exe	102
PID 1968 wrote to memory of 2624	1968	DllCommonsvc.exe	102
PID 1968 wrote to memory of 1608	1968	DllCommonsvc.exe	103
PID 1968 wrote to memory of 1608	1968	DllCommonsvc.exe	103
PID 1968 wrote to memory of 1668	1968	DllCommonsvc.exe	104
PID 1968 wrote to memory of 1668	1968	DllCommonsvc.exe	104
PID 1968 wrote to memory of 4388	1968	DllCommonsvc.exe	105
PID 1968 wrote to memory of 4388	1968	DllCommonsvc.exe	105
PID 1968 wrote to memory of 4316	1968	DllCommonsvc.exe	106
PID 1968 wrote to memory of 4316	1968	DllCommonsvc.exe	106
PID 1968 wrote to memory of 2196	1968	DllCommonsvc.exe	112
PID 1968 wrote to memory of 2196	1968	DllCommonsvc.exe	112
PID 2196 wrote to memory of 4124	2196	cmd.exe	114
PID 2196 wrote to memory of 4124	2196	cmd.exe	114
PID 2196 wrote to memory of 1880	2196	cmd.exe	118
PID 2196 wrote to memory of 1880	2196	cmd.exe	118
PID 1880 wrote to memory of 4728	1880	upfc.exe	119
PID 1880 wrote to memory of 4728	1880	upfc.exe	119
PID 4728 wrote to memory of 3728	4728	cmd.exe	121
PID 4728 wrote to memory of 3728	4728	cmd.exe	121
PID 4728 wrote to memory of 2576	4728	cmd.exe	122
PID 4728 wrote to memory of 2576	4728	cmd.exe	122
PID 2576 wrote to memory of 3088	2576	upfc.exe	123
PID 2576 wrote to memory of 3088	2576	upfc.exe	123
PID 3088 wrote to memory of 1844	3088	cmd.exe	125
PID 3088 wrote to memory of 1844	3088	cmd.exe	125
PID 3088 wrote to memory of 320	3088	cmd.exe	127
PID 3088 wrote to memory of 320	3088	cmd.exe	127
PID 320 wrote to memory of 5028	320	upfc.exe	129
PID 320 wrote to memory of 5028	320	upfc.exe	129
PID 5028 wrote to memory of 1192	5028	cmd.exe	131
PID 5028 wrote to memory of 1192	5028	cmd.exe	131
PID 5028 wrote to memory of 1864	5028	cmd.exe	132
PID 5028 wrote to memory of 1864	5028	cmd.exe	132
PID 1864 wrote to memory of 3332	1864	upfc.exe	133
PID 1864 wrote to memory of 3332	1864	upfc.exe	133
PID 3332 wrote to memory of 2428	3332	cmd.exe	135
PID 3332 wrote to memory of 2428	3332	cmd.exe	135
PID 3332 wrote to memory of 4224	3332	cmd.exe	136
PID 3332 wrote to memory of 4224	3332	cmd.exe	136
PID 4224 wrote to memory of 1756	4224	upfc.exe	137
PID 4224 wrote to memory of 1756	4224	upfc.exe	137
PID 1756 wrote to memory of 4456	1756	cmd.exe	139
PID 1756 wrote to memory of 4456	1756	cmd.exe	139
PID 1756 wrote to memory of 4264	1756	cmd.exe	140
PID 1756 wrote to memory of 4264	1756	cmd.exe	140
PID 4264 wrote to memory of 4084	4264	upfc.exe	141
PID 4264 wrote to memory of 4084	4264	upfc.exe	141
PID 4084 wrote to memory of 2024	4084	cmd.exe	143
PID 4084 wrote to memory of 2024	4084	cmd.exe	143
PID 4084 wrote to memory of 3968	4084	cmd.exe	144
PID 4084 wrote to memory of 3968	4084	cmd.exe	144
PID 3968 wrote to memory of 3916	3968	upfc.exe	145
PID 3968 wrote to memory of 3916	3968	upfc.exe	145
PID 3916 wrote to memory of 1632	3916	cmd.exe	147
PID 3916 wrote to memory of 1632	3916	cmd.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4124
      - C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3728
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1844
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1192
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2428
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4456
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2024
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1632
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        21⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3804
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        23⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4328
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        25⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2016
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
        27⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1088
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
191B

MD5
0890ddf296a0f34bd783d107ab36727e

SHA1
220f70e2167f2e62398c40d8404b017e200fa6e3

SHA256
276d46ecabac7f83b5d8dc097b4e72e6cdd52160c2f76986d6322ad412997bd2

SHA512
ae98047cba27b432676a9f2c17055c3a5369454b12bcbd0a6cbbb872c19f0c0a00db649d412bb1813eff28c74c0013f8e99795edeef4ebe970a10c96f6df3a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

Filesize
191B

MD5
c6a581d3e6545137c13ff5f11ebf088f

SHA1
ec3df16c6895e2f5ef2d29dbab6a1bc8cbc220c2

SHA256
6457f18669359d7cde3a9baef439897d3d5a527de7aea66177e5839e168c8122

SHA512
55ae14b7d97df422c60490ac052b6be12d626b7d8b825d9ae76846607b69dc366572fd29d2d1a14b88cd46ca327cce94cca45125ce8820eb0f53985ac2c777a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
191B

MD5
48f64da288c4649cc0b2544a7ffc4de4

SHA1
cbaf4e2c059d4f428be4d5b930608e205a262667

SHA256
d5922642a54dea33aee8b8c08232d0d5ad3e820da2979a342edb33d10b4e8b6a

SHA512
484cdfd1e7c055089bd44b82312ea11c703c23cf311a29028ba335accc66f5022438fdd21c173d26ebb5ce6689f729bb8975c9965766cd7e909b4a59b2e12cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
191B

MD5
8d1911f81801c26f82a2699918ce7561

SHA1
cae1de014b7896ee3562576df7131a2db3b456b8

SHA256
ff01b5b83416897fdc41f87d49d5373180b900ac99c5500691c2363a1fac5830

SHA512
873e2de595c76f76243a842eb9ce5045bcb7808ae3bb141efd46ccd379a97780e0710a974ecf3d741eeda9f3067de1a5bb85fcfa080d256d74909e0ea322af4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
191B

MD5
c387d8457e5ad387e959f14611719721

SHA1
04214866d4698534f3fceffcdce8a6b32397edac

SHA256
0a590c5daa9231f94408b1bd3401da014672e1014de59b3b3762065a5f4ce1d7

SHA512
6a98947cf25d0f1aeba33e73445a6cd984629673d33bde3f79bba47a0527613e8e8c27c9af85570b27b62bb25e93cadaa53b2cb2ac2cd1a9e62c525ff8cf7d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
191B

MD5
1788742ec7ae0da834a9717355c22445

SHA1
0ab8acf8d0c504fe678a2e91e10470d258c1180a

SHA256
1002ec04f4085d0d2d7b6272fb36995f9b3ec672747c5751cbafcb64be05a362

SHA512
df721a61b8776f04d789e2941df261d906532b4ce8a677213aa8ed7d0a5f32f42e2a01aaaa763027583f4aa90e627aa6a0c2dcb8cbbb671095c448fff6eb3c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi3edd1t.bzg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
191B

MD5
bdbea8ee95706f8120200ff42fa34b84

SHA1
b272b901dee5711b17dc49abee1a6d2beb3f1b8d

SHA256
165d3d63fbb1d700b435418d5fc993a5985aee45fe2e7958c5013ca201e82ca8

SHA512
cb57fac1bf8f643dd90ab7e4710ede763b7a25dd3e1e48b374a6d356b67d47144d3ccf07f5f1be54ebc32d813b85dc88454c1d6e857ecbcfb2ece64148f92938

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
191B

MD5
ed43f691f806affc7cf08245868e9afa

SHA1
6f3ed498bf8cf6d9ffb121df31007d95d020a3cf

SHA256
090cc6f94e14c4973686dd5519014cc17acd12daada2ef885e27e9d638190907

SHA512
20cd0839c3aae40a43b89198cc567e4a951a036613d0b0533b4b7629d4d4ac2a005583aa909b90240d87c315b61bb738bd3472529915db6050203c5714ae6ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat

Filesize
191B

MD5
5a6f38411320a14bf3a52a9fdd62c444

SHA1
7fabe02c272697542ce23a04c4b9c6e19ca80597

SHA256
620df4355f041836eec48481d80386607fbf7e4f2bd11802db8c8884e4fbd7dd

SHA512
db2fcaa9c684ac5800c68680a8b088a2145862ffc7565f79474055cde516945ffafa3a94c1c48b210701c80878b00e1e4cfcd41604892697a7edd80d788ebe73

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
191B

MD5
763f088ecd13bede9c8a227d6b112f48

SHA1
38278f8a254fe0897f4569dca21512c5180679ac

SHA256
47cbab9f768acab9227b2bd23725234da5b57157c20a23a5f0f1aed171030a80

SHA512
95765a46df192c5b35b2e035355d1d109b3c6f87060e2c407750f890e2a12ca0997e68eff0bc6683f6349b49a049166843a32fbb0d613fc306143c5e478ba051

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
191B

MD5
87c71baa55bf61fa7d82a78ac5fe6d35

SHA1
b5f9d4eabe0cdd7f0884cb7b7762bdb85732b141

SHA256
a630e2b24df3ef236187ac6fdde6e00e6f2447951bff435dc7a07be8903f710c

SHA512
3677a3e7ffeec7d432a9043a7f89b188133ce83f8039365827301142454c08f90fd1e6ddba634109cecf299063cb6ea27395b8155e4a5c6c23c5b266dc6a390a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1864-114-0x00000000030A0000-0x00000000030B2000-memory.dmp

Filesize
72KB

Download
memory/1880-92-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1968-15-0x0000000002A50000-0x0000000002A5C000-memory.dmp

Filesize
48KB

Download
memory/1968-17-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/1968-12-0x00007FFD55753000-0x00007FFD55755000-memory.dmp

Filesize
8KB

Download
memory/1968-14-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/1968-13-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/1968-16-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/2576-101-0x0000000001450000-0x0000000001462000-memory.dmp

Filesize
72KB

Download
memory/2772-165-0x00000000014B0000-0x00000000014C2000-memory.dmp

Filesize
72KB

Download
memory/2772-171-0x000000001C870000-0x000000001CA19000-memory.dmp

Filesize
1.7MB

Download
memory/2940-149-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/2940-154-0x000000001C530000-0x000000001C69A000-memory.dmp

Filesize
1.4MB

Download
memory/3960-162-0x000000001BF30000-0x000000001C09A000-memory.dmp

Filesize
1.4MB

Download
memory/3960-157-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/3968-139-0x000000001C9B0000-0x000000001CB1A000-memory.dmp

Filesize
1.4MB

Download
memory/4144-146-0x000000001C3C0000-0x000000001C52A000-memory.dmp

Filesize
1.4MB

Download
memory/4224-121-0x0000000002FB0000-0x0000000002FC2000-memory.dmp

Filesize
72KB

Download
memory/4264-128-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/4316-39-0x000001B6C1750000-0x000001B6C1772000-memory.dmp

Filesize
136KB

Download