dcrat | f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe
Size

1.3MB
MD5

c5f1e7d1410a3d4ae4a7c83167b47257
SHA1

def7ae0016c46e84a69a00384aece244030e3d96
SHA256

f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a
SHA512

fbaf603b117788200e25098ed6f1f9ec48b0086128236d8981b7d670f6cda62dbe231be77bf042376cebae5d9b7d83c7fb9907e9e0cb1215b43a864e38043deb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3020	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018766-9.dat	dcrat
behavioral1/memory/2692-13-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/904-66-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/1616-185-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2068-245-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2580-365-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2320-425-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2276-486-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1736-606-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1112	powershell.exe
2668	powershell.exe
1736	powershell.exe
1356	powershell.exe
1816	powershell.exe
660	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2692	DllCommonsvc.exe
904	lsm.exe
2596	lsm.exe
1616	lsm.exe
2068	lsm.exe
1968	lsm.exe
2580	lsm.exe
2320	lsm.exe
2276	lsm.exe
2016	lsm.exe
1736	lsm.exe
2032	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	cmd.exe
2328	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
2772	schtasks.exe
2816	schtasks.exe
2424	schtasks.exe
2904	schtasks.exe
2928	schtasks.exe
2620	schtasks.exe
812	schtasks.exe
2720	schtasks.exe
1072	schtasks.exe
1464	schtasks.exe
2648	schtasks.exe
2644	schtasks.exe
2204	schtasks.exe
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2668	powershell.exe
660	powershell.exe
1816	powershell.exe
1356	powershell.exe
1112	powershell.exe
1736	powershell.exe
904	lsm.exe
2596	lsm.exe
1616	lsm.exe
2068	lsm.exe
1968	lsm.exe
2580	lsm.exe
2320	lsm.exe
2276	lsm.exe
2016	lsm.exe
1736	lsm.exe
2032	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	904	lsm.exe
Token: SeDebugPrivilege	2596	lsm.exe
Token: SeDebugPrivilege	1616	lsm.exe
Token: SeDebugPrivilege	2068	lsm.exe
Token: SeDebugPrivilege	1968	lsm.exe
Token: SeDebugPrivilege	2580	lsm.exe
Token: SeDebugPrivilege	2320	lsm.exe
Token: SeDebugPrivilege	2276	lsm.exe
Token: SeDebugPrivilege	2016	lsm.exe
Token: SeDebugPrivilege	1736	lsm.exe
Token: SeDebugPrivilege	2032	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2332	2504	JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe	30
PID 2504 wrote to memory of 2332	2504	JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe	30
PID 2504 wrote to memory of 2332	2504	JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe	30
PID 2504 wrote to memory of 2332	2504	JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe	30
PID 2332 wrote to memory of 2328	2332	WScript.exe	31
PID 2332 wrote to memory of 2328	2332	WScript.exe	31
PID 2332 wrote to memory of 2328	2332	WScript.exe	31
PID 2332 wrote to memory of 2328	2332	WScript.exe	31
PID 2328 wrote to memory of 2692	2328	cmd.exe	33
PID 2328 wrote to memory of 2692	2328	cmd.exe	33
PID 2328 wrote to memory of 2692	2328	cmd.exe	33
PID 2328 wrote to memory of 2692	2328	cmd.exe	33
PID 2692 wrote to memory of 1112	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 1112	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 1112	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 2668	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 2668	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 2668	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 1736	2692	DllCommonsvc.exe	52
PID 2692 wrote to memory of 1736	2692	DllCommonsvc.exe	52
PID 2692 wrote to memory of 1736	2692	DllCommonsvc.exe	52
PID 2692 wrote to memory of 1356	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 1356	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 1356	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 1816	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 1816	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 1816	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 660	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 660	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 660	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 2980	2692	DllCommonsvc.exe	62
PID 2692 wrote to memory of 2980	2692	DllCommonsvc.exe	62
PID 2692 wrote to memory of 2980	2692	DllCommonsvc.exe	62
PID 2980 wrote to memory of 1756	2980	cmd.exe	64
PID 2980 wrote to memory of 1756	2980	cmd.exe	64
PID 2980 wrote to memory of 1756	2980	cmd.exe	64
PID 2980 wrote to memory of 904	2980	cmd.exe	65
PID 2980 wrote to memory of 904	2980	cmd.exe	65
PID 2980 wrote to memory of 904	2980	cmd.exe	65
PID 904 wrote to memory of 2748	904	lsm.exe	67
PID 904 wrote to memory of 2748	904	lsm.exe	67
PID 904 wrote to memory of 2748	904	lsm.exe	67
PID 2748 wrote to memory of 2704	2748	cmd.exe	69
PID 2748 wrote to memory of 2704	2748	cmd.exe	69
PID 2748 wrote to memory of 2704	2748	cmd.exe	69
PID 2748 wrote to memory of 2596	2748	cmd.exe	70
PID 2748 wrote to memory of 2596	2748	cmd.exe	70
PID 2748 wrote to memory of 2596	2748	cmd.exe	70
PID 2596 wrote to memory of 2328	2596	lsm.exe	71
PID 2596 wrote to memory of 2328	2596	lsm.exe	71
PID 2596 wrote to memory of 2328	2596	lsm.exe	71
PID 2328 wrote to memory of 2968	2328	cmd.exe	73
PID 2328 wrote to memory of 2968	2328	cmd.exe	73
PID 2328 wrote to memory of 2968	2328	cmd.exe	73
PID 2328 wrote to memory of 1616	2328	cmd.exe	74
PID 2328 wrote to memory of 1616	2328	cmd.exe	74
PID 2328 wrote to memory of 1616	2328	cmd.exe	74
PID 1616 wrote to memory of 2952	1616	lsm.exe	75
PID 1616 wrote to memory of 2952	1616	lsm.exe	75
PID 1616 wrote to memory of 2952	1616	lsm.exe	75
PID 2952 wrote to memory of 1816	2952	cmd.exe	77
PID 2952 wrote to memory of 1816	2952	cmd.exe	77
PID 2952 wrote to memory of 1816	2952	cmd.exe	77
PID 2952 wrote to memory of 2068	2952	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f31e2a85b52a7fe60a58fd8e4961c970adaea94c36565599ea37647bff58b36a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EJnFTOvMAp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1756
      - C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2704
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2968
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1816
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        13⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2920
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
        15⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2140
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        17⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2932
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        19⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1796
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        21⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2380
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        23⤵
        
        PID:660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1108
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        25⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:876
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2519595cded600906dff6391e58f8bb8

SHA1
ad2fd30550379dc351bf2290ede5aa6c152aebbf

SHA256
e07361325801796c07805f3fb8a2b010d785f92873f42f2ffe810422253a15a5

SHA512
3e197d8076763ad2fabd47cdb820883b6feb49bd8f576e3b380c94f95d875bc607dcfd9d602c68e6e08afb49ba9db789c3dd4f34719d6d4e889401bd2dbe8b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f77dda17a9a8aa4e3d446a01fcffaf

SHA1
d0ec3d817fa33cac178c3468cd8afba57fd31401

SHA256
0af653c5c4429467a3e678670481b0290865ac59418d858d1b1b31542435f0e0

SHA512
3ada0aec81e38c767ba07885aab8280139889de3b35b36b5098a7d2062d56019330eee667bd63dbef43188ea2aea10cd94600126133f0c86f22476df2f1e9d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
843aa3d1c1fd6f0e6cd83cb3d4ad05eb

SHA1
dda665507dc0da4c576b20c6d1667c641500f8a3

SHA256
ae5bb213dc5da94b3849ccb80006b038e7033d5fa114719d97d8812cfc262cc2

SHA512
d47f6dfc37bf2b3e58a45c67fb5440649a0c5a0d17846350dd36ea0a15356fb09b56ba84c52e95493f9abafe3eb30e07608ba986f318297d8a278bb4c2a2cb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
870518ec4b70d5ea17a5d5bb2e8ab4c2

SHA1
8c7a23f6454c1fccc7b9155c6368184de5d8691f

SHA256
bdd9573dc907fd4df156d91eb4a712a40b9480a6c2d3d324ba46ca4f407f24c7

SHA512
5864fdd13bb5c1d2f6c41dbf5870dfaf6bf3940a861cb08c87df99d462f8345e5c4f242fb654ed261157a348e40077536fd196c147ce6571b20bcf3b70e8ff97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60fa12051a910e613a90f0357d206446

SHA1
3e80841bd71f69353e55409db6fd1ccbdb15753e

SHA256
05827331fbecc03ec7113871a673bdf8db9689fa20ec59a0437696a23793137f

SHA512
515c1ac9fda3a4371a3ac82088ec97607fcdc37991f9b254fe2ae3fbbb33a1bac4670709b14dccf59245da10fef787560999e4bb6869a8bbd72bee08246197b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13093609ad45ea869e6767033e2fae0

SHA1
850db0a000a81b9495a773abbd270929200b90de

SHA256
53df656a35bd9fc284f285e54a8d8951ff551f8f54952b1bd44a8076dc0e3f60

SHA512
dcc9f1391f144dba30690c14182f0006c4fb53a7d1696a14c174dbcb57bde35ba0cf06b4bd61f36c1fb262d05be66c289de01ce80deb0fc5f4e65a47fccd2dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be95240158ce315ebd89e38d13f66369

SHA1
769c4c357d2929565858ba68b824cd40ae9bd238

SHA256
2dae0de7e2c9d3898534bde3682426f5289c2fa5fe47f8c6516ac1505e243758

SHA512
a71105d71060a77ea141f72afa6d5eada91e1e2a7c7e82c4102979c27654044f718cd1accb600eb76569b56e7a0485994f47f12c83dbb7df99d26d6475237133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d95beb43dfdce56e81e2236ece38a76d

SHA1
22efa15550b3f505c1e0d0a64d0bb6dec9812cdc

SHA256
bd423db8062a9936f487d1431e483aec4f89189980da3d7918d74c64f8ee6d08

SHA512
be2f86dc57f7da94b841a510fe8cc797e32e369460fd0118c99cdecd0e39bd12e39ae4ded4d0b1f7013a1e038b35ff72838fddb77e7cbc503a49dc4e15a830d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdffbb8ac36c3d26aa192448cc3b08b1

SHA1
160da49e3b183202015e01d86b7bd5a631d5759e

SHA256
bed5818680c67be54cda9712d002920b51c7c15efe2c4f5da4043a74dad8d5f7

SHA512
ec31c16d314fa1ea9f0afda41902c6d4d4a4ca5ce0387494ca6e45454166dc984450c9c9e50e5ad1eb21f77e774b9384bf55498b62f90c4b33d3de289e57619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
224B

MD5
415014ff61d48b54e9b38bc578891d5d

SHA1
9db6d0f5b5d863db49cd3b4fb35f792fc9169eed

SHA256
9ebf67df90e84757ab188d4179b137ecfe0d660266c06ff3a8a0500960547a21

SHA512
c5b9dea7cce057ae95102c9072a1a5a93bec1db5a72273fcf3f295db2268e55b102a1f12ef467a15f09d14553f5a3d2c59fbded6a689f6959c187393ace9f0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
224B

MD5
6fcac04e0632baa74688446481362a7a

SHA1
8523b2f20e3149519c0cce647e1d8db8f38c2f08

SHA256
9880c43f0071e7009dbf47e9cbd0ccaf8315b71576cccbef34eade5fdabc7fbe

SHA512
76c344a1650867a2c49f9f876ed39a6d1667d91ce439e75b954ab2693264a1ab8230cbad54bef0ef93a964abe2ed1e9feaa73851bbf7c5e097f19a4f1cae41ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJnFTOvMAp.bat

Filesize
224B

MD5
9881ca0267ec992e9d5347ecea782a61

SHA1
865b05be84d66457faf425d7cf30b040e72154f3

SHA256
e580f470d5783abb169180d8cb9f5e0f718426760b95550fd8252c5119f0bcd6

SHA512
3cb20106d955e0a329215111117483c4d1c8b11b0dce26ec8aae07eb60ab9af3a1164b939d0e8a27d0dd1d9d1409926f5b05436e7833dfa606756f7e3e46f2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
224B

MD5
fec4cecd7e64afcbef153e0f8e7d4b5a

SHA1
122a425fca23eb0e7702700f8f8fbdc58312118f

SHA256
5dd957feb6a82feeaaf44cd0a4519d89cbd70c7d535ff9aadea0c531ea5d4d9f

SHA512
60cf7865ad1d2ad84bea44157c9eccf3a548bf638440b21d7f7030e1d4731d97c2889d78b6d0123f5947d64630b5ed5a391c7d23def68fbac67dfca97fb00b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
224B

MD5
4b4afab5de6a112ae88cb079c26fcd25

SHA1
d1a91ed010ef96f852ce8dc23993feb067794dad

SHA256
3a463be79f3070c6de475b746957dc60ef4049756d86569fd5b5027e4c434ea9

SHA512
5b630156bb91221d75bc519ec4d80638a79854c5db2a25b2b0aa86dbc306614642c9a5621176d32c5dbf94ee3a811e5f24c9896c64f6d78171947422788ec3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
224B

MD5
df9fbcbce1160c385d67511cc93c4b9e

SHA1
31122885fe3348a0e96679a583d55f51b03954e9

SHA256
4c465bfee89a8b908164ff90e346a17cadb1ce2f79a60b5d0e15cb22e00b8634

SHA512
d667ec038a436a552f4ec08a0e9deb890ab48543676828a8e9bf15f64ef58c874fc334bfeffb24d9e4094155f7f17a6cde24637c02b6ed0dca4ee38ef5b5da8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

Filesize
224B

MD5
35a92b7649a2326859c7c183aaba3cb1

SHA1
4fc687e60e6cc241b492be4eb2cd7565c4ba24fe

SHA256
24587fb4ec3f903b1809fe81c5950c75dd4176c12504bbd8235ce4bfd72c1bf8

SHA512
a748abdf9c91e6426319b5cf6d84ba3766d5f78a6a4c6e5904de0939311446d5eff286cdbd42c6f08dd3eccc48931f85e7c6084d3fb35d9c5b4df4c95fb34fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
224B

MD5
54764a0241c70d32ff98449b7b04c6a4

SHA1
b13566ddb185a66c5744c957732e4151ea4ad74d

SHA256
bd7e66764149627c78b4395cde0deaef5b13001dc10b6106ba66f1b03a3d662f

SHA512
4a67e7d3193fe5edd797df0407ecc60a63f9db187fc2dcb4e34e22a82bf8746702ce479a416b5933533f3489d6256b74d8ea208361c62f7d7ae23805d0782356

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
224B

MD5
b78f35cb1add8f978952af5efd12fc1b

SHA1
2543558d65844a25b8af443cc9fcb4ae5682f070

SHA256
ebc6d58508e22a15365f1004017881734f8b61a66161145c30e7abe5e8d163e6

SHA512
59e0418f39a44da1b5c371353f1ac4d4bfe18e6313d2e43c565d9032984a1dff53508a4e544a0a44114b851acf59a5a8e23a2e8388753cd3f07a8a9c95a73b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
224B

MD5
976b6e018b144b8ff8d414453ffc69e4

SHA1
a1d3fdd3c1f724d8666a77820307e8741f8141c1

SHA256
08c9eb2275e1a07bd1c3a6d6481a169c7d657e290dd1eb86b726c00f8d05c1d5

SHA512
3d2cbb7466629f768fd3ec54f06e39c39ab419fc9f768ac29b0eb815311409af4801c0cf48a80613147462047fd3b06d0a2f3849f75688ee30fd3366b6bec848

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
224B

MD5
2d08e5817dcee9266fb4fc1719392cf2

SHA1
69b57d54f6169d7286607dc1788abb9689aa0c0b

SHA256
28c109c2c3c73769f04b6e51fb10af2efcd8706fdd401b4387807a59bc99093c

SHA512
6e29c71f8450d95618ec7a97145d2e421f4b3b3edaf0aa8feb3c99b3eff5825991418a7a37fb179e8f6a39e8d24aae571a0a3eae51a758b0c885a193d7c4da81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef3ff9fcf454357d0957da81c18e0725

SHA1
4f99985f10ca52b2b6f19df376877701108168b8

SHA256
521e3eedf8aead4e43ca7251b09ddb281cf3351b5e1a3de692713ce34c407a49

SHA512
0f5016eed21c9682bf8881f7466f2d26d0546b530e7b20f5617b77552405b29fdecb4b322643940c407a7e7bdcefec063de07aaa8c4c009edacd3ee995b0a0e0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/904-67-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/904-66-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1616-185-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1736-607-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1736-606-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/1968-305-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2016-546-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2068-245-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2276-486-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2320-426-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2320-425-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2580-365-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2668-42-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2668-43-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2692-16-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/2692-13-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2692-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2692-15-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2692-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download