dcrat | c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe
Size

1.3MB
MD5

42cd188d6340ecf1dd6ded0cbb9560be
SHA1

8a0b4763e10e9862fdc3bc0aeaf12a95faa99eb3
SHA256

c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162
SHA512

dcb66a069e4b8255b1908fdc3503032bf54b03944ad23c22f7bc84aa9bea51d4c68e18494b70e1b53a8688a2a04bc7ae642f442019d530b2c5addf02b6e441c1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2856	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cd7-9.dat	dcrat
behavioral1/memory/2228-13-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2156-59-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1604-119-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/1752-239-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/792-299-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1552-359-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1376-479-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/1520-539-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2320-600-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
2320	powershell.exe
1868	powershell.exe
2624	powershell.exe
2892	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2228	DllCommonsvc.exe
2156	lsass.exe
1604	lsass.exe
1264	lsass.exe
1752	lsass.exe
792	lsass.exe
1552	lsass.exe
2172	lsass.exe
1376	lsass.exe
1520	lsass.exe
2320	lsass.exe
1692	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
42	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
684	schtasks.exe
1492	schtasks.exe
2368	schtasks.exe
1768	schtasks.exe
1148	schtasks.exe
2340	schtasks.exe
632	schtasks.exe
3052	schtasks.exe
2248	schtasks.exe
2812	schtasks.exe
2668	schtasks.exe
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2624	powershell.exe
2320	powershell.exe
1868	powershell.exe
2892	powershell.exe
2880	powershell.exe
2156	lsass.exe
1604	lsass.exe
1264	lsass.exe
1752	lsass.exe
792	lsass.exe
1552	lsass.exe
2172	lsass.exe
1376	lsass.exe
1520	lsass.exe
2320	lsass.exe
1692	lsass.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	DllCommonsvc.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2156	lsass.exe
Token: SeDebugPrivilege	1604	lsass.exe
Token: SeDebugPrivilege	1264	lsass.exe
Token: SeDebugPrivilege	1752	lsass.exe
Token: SeDebugPrivilege	792	lsass.exe
Token: SeDebugPrivilege	1552	lsass.exe
Token: SeDebugPrivilege	2172	lsass.exe
Token: SeDebugPrivilege	1376	lsass.exe
Token: SeDebugPrivilege	1520	lsass.exe
Token: SeDebugPrivilege	2320	lsass.exe
Token: SeDebugPrivilege	1692	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe	30
PID 2776 wrote to memory of 2788	2776	WScript.exe	31
PID 2776 wrote to memory of 2788	2776	WScript.exe	31
PID 2776 wrote to memory of 2788	2776	WScript.exe	31
PID 2776 wrote to memory of 2788	2776	WScript.exe	31
PID 2788 wrote to memory of 2228	2788	cmd.exe	33
PID 2788 wrote to memory of 2228	2788	cmd.exe	33
PID 2788 wrote to memory of 2228	2788	cmd.exe	33
PID 2788 wrote to memory of 2228	2788	cmd.exe	33
PID 2228 wrote to memory of 2320	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 2320	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 2320	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 1868	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 1868	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 1868	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 2624	2228	DllCommonsvc.exe	49
PID 2228 wrote to memory of 2624	2228	DllCommonsvc.exe	49
PID 2228 wrote to memory of 2624	2228	DllCommonsvc.exe	49
PID 2228 wrote to memory of 2892	2228	DllCommonsvc.exe	50
PID 2228 wrote to memory of 2892	2228	DllCommonsvc.exe	50
PID 2228 wrote to memory of 2892	2228	DllCommonsvc.exe	50
PID 2228 wrote to memory of 2880	2228	DllCommonsvc.exe	51
PID 2228 wrote to memory of 2880	2228	DllCommonsvc.exe	51
PID 2228 wrote to memory of 2880	2228	DllCommonsvc.exe	51
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	57
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	57
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	57
PID 2384 wrote to memory of 2136	2384	cmd.exe	59
PID 2384 wrote to memory of 2136	2384	cmd.exe	59
PID 2384 wrote to memory of 2136	2384	cmd.exe	59
PID 2384 wrote to memory of 2156	2384	cmd.exe	60
PID 2384 wrote to memory of 2156	2384	cmd.exe	60
PID 2384 wrote to memory of 2156	2384	cmd.exe	60
PID 2156 wrote to memory of 2052	2156	lsass.exe	61
PID 2156 wrote to memory of 2052	2156	lsass.exe	61
PID 2156 wrote to memory of 2052	2156	lsass.exe	61
PID 2052 wrote to memory of 1972	2052	cmd.exe	63
PID 2052 wrote to memory of 1972	2052	cmd.exe	63
PID 2052 wrote to memory of 1972	2052	cmd.exe	63
PID 2052 wrote to memory of 1604	2052	cmd.exe	64
PID 2052 wrote to memory of 1604	2052	cmd.exe	64
PID 2052 wrote to memory of 1604	2052	cmd.exe	64
PID 1604 wrote to memory of 2828	1604	lsass.exe	66
PID 1604 wrote to memory of 2828	1604	lsass.exe	66
PID 1604 wrote to memory of 2828	1604	lsass.exe	66
PID 2828 wrote to memory of 2324	2828	cmd.exe	68
PID 2828 wrote to memory of 2324	2828	cmd.exe	68
PID 2828 wrote to memory of 2324	2828	cmd.exe	68
PID 2828 wrote to memory of 1264	2828	cmd.exe	69
PID 2828 wrote to memory of 1264	2828	cmd.exe	69
PID 2828 wrote to memory of 1264	2828	cmd.exe	69
PID 1264 wrote to memory of 320	1264	lsass.exe	70
PID 1264 wrote to memory of 320	1264	lsass.exe	70
PID 1264 wrote to memory of 320	1264	lsass.exe	70
PID 320 wrote to memory of 3000	320	cmd.exe	72
PID 320 wrote to memory of 3000	320	cmd.exe	72
PID 320 wrote to memory of 3000	320	cmd.exe	72
PID 320 wrote to memory of 1752	320	cmd.exe	73
PID 320 wrote to memory of 1752	320	cmd.exe	73
PID 320 wrote to memory of 1752	320	cmd.exe	73
PID 1752 wrote to memory of 772	1752	lsass.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a693c64856fdf52245d75a87c9515fcd7ed28bd2522e57413a9cccb2d65162.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2136
      - C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2324
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3000
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        13⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1688
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        15⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2912
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
        17⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2904
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        19⤵
        
        PID:548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2152
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        21⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1324
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        23⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2992
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        25⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1584
        
        C:\Program Files (x86)\Windows Defender\lsass.exe
        
        "C:\Program Files (x86)\Windows Defender\lsass.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        27⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5332f1cc92fd3f7ec06d1c3ea7bb319f

SHA1
31f18b128c1b5bfa6b4516be5ad8ea63645f34e0

SHA256
ea6356bfb94cedcd973facbff586859d6ebfdcd9be548eaa597b4af3669e4aff

SHA512
6d693fb0e1ef3002a420b72668ed5e657987f8ebab0c301d568af153b9e42861636cc7a2b5eb26d7f2c5c9f017508df7f60ee663d8e93b6601be4bf21e55a454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1459dc9cbedcb9d87abafdc53fa4207

SHA1
84e4dfe757cee22338f4383a584a9693587bf234

SHA256
73b9e190dca9acd59eb347953ccc0d0f4ee5dec270d4719b9d58b9ebfb48e1c7

SHA512
9135fff8a8091a94343a9a3557fc3936a0433cd2381bbf953a67868823323522e211512d31d7185edbe8f7acf9bcbad844cd2d3e64314a9171108b30b271c913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d7bf530fb26b447214f6a9044be3fab

SHA1
ecff128f96826dce61c943b618ffdec9f82683a9

SHA256
01d219f93ee0477b4ac62f00871fe53c545e3fa95cef5d711c793d05a9125757

SHA512
501f8868dfb345a765173387465ca92588a17735805b460d002b2741cc952da564b58e826bc2ef7b5b34de61f726161cdb25112455337f01336273d43c03a362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b3bb03ad74fa342bec524392768358

SHA1
80986301963b1200b8bbae0e84991f6a22680ffe

SHA256
67bf4daecfd5a0e19bd474eb35457f3058e3aa6b99613395f286f6027bf82202

SHA512
994f35b6b3a373ae4790c708ed9354440f1224de6f787cec71df5c818169faa0138e97bf9ee0e3d31f12cb5fa16364e5c5d48146cea938d662d7d72510022704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aa10913062e97a5e95c423592889972

SHA1
65918cd3f2e541a997802b67182ec1b7e0d8a7d6

SHA256
5bcec0008103c39048ee8425cfe46c64aa97602e37b5472a8916b9c4ce50666d

SHA512
acaa1cdc9e092f852b3a157f5e4b008782908b6d926a1c4e0e56872786eba4532982eb4e3ec83ea45afc8510b79d08ebe33518665243e9a308ba0e2fda876b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e7e946a956be72a4e936016b063b734

SHA1
d65f6a59e6ac74ad51d03ce0aff5737d8cf17e69

SHA256
dde79c8cded9f64d2b7b36e300dab369a49d388ef8a423f95341df565c8267cc

SHA512
89e6aa1c7f5f4531afd068b9b03ad96c6bb6a5fc697edc1514e855713e7aa412f2f78ec6ff5ed38bc535e69e19e0c79f1b3d3fab5a3c68016f0d1409dc122295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9da9e91ef3e984324a941818d2a11b0

SHA1
da742f717394cb68ed0803d136dbed6cfb399f2c

SHA256
db7808ed07912b105717d830e4edce9762c9cc76a7588119bcffa77710286518

SHA512
7f5ef2b18e28a2572c078c28dfc9f151948170bd0fc994e9d132d1d1e59176b85fc3116507a498e59e5402b455b2ed4bcf40bec7c5f882b4407d85f80b490845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a40d78a64f96afc676b37b9a96cdff

SHA1
8da718003b463674caeb5ff986b3b0f7c1c068c7

SHA256
1b1d75329583dbae612ccaf84edd35fcb1e4a71ddf4dd6a54f66438a34a23330

SHA512
77bb6f978ae6cd482bab0c501297c6c15c72bc38cdf2ad2aa2bf576061d43fe267cce30a71d4f6658242d50be850be8094e91663d27621cef1a7e104db009887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7069debed3d5a041fa3e32e3f698a45

SHA1
64c8b2a58a79889559d97065b8f708c3ffc38a49

SHA256
81fc46f945a0e9dda4bff6afc36dfc036a6fb3e985d4b45f8e3e7cc0149873e3

SHA512
b072567593e1d20845af2521382515177bc935be24e70d523d301bc63e142b0d9fe347268d3de051b70e95e51b39b44b7ee293f449a99966613262e25d342182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc3259bef30622280356988f13b1b84f

SHA1
9c7b409e9fd86aa416a4279cb7a898413d33f017

SHA256
a1ca319a5e790972e0b19d5708bc1be943e12c96a4d3fcc520efba9c5710aba9

SHA512
b5f22885d9125c8c7c7d5b675af80839efae7701b6f7c84e6834161214a2a657bce45cbe1309765ba306ab7ee76f0efdf2968f7766cfe85b1e405890fd7a6508

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
214B

MD5
6fdf73dbcbca8ac63adbd02637f959b4

SHA1
7245216b3f79212f761c1e782623b3dbfa321807

SHA256
4ca401e20397833eb01beb0eb08e3aaef45f8331b9d5c5d279fcca116d2f9d58

SHA512
c5f8199110ed3ab585ce603f89876a7aa762867ad7e1794d4e16d4acc21d69a67757b0dc11e02e9a984d5571ab2ae7456990e0f9eb686505d12b981ca1eb9fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat

Filesize
214B

MD5
890c6ba26a30e4e580221e1eab72df4e

SHA1
b59cc411f4db7be30e5ee1bdf259ae2d8450d47a

SHA256
e1b2f282aabc58cd1a17ef83b0e1e1c39bfaa6f9d772afb5f4975554e1b5979e

SHA512
7c063e513d54118a7d82f17f2ae9badc8233454be72c9b5bff43d4a1cda293223dff4f61940fd7cffa95f6bcc80f8ac16ac367b904b07e34cea5bf288d0cdba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
214B

MD5
ffe059e70be2ed80c0aed818a3a3ea1d

SHA1
c2621e528f09729371a4333487481cfdff7710b1

SHA256
c513d29f0db0ceafbd101cb99edf840267307b52a478077595934267048af5a9

SHA512
c1496e25746202ed03491248457a9cfc0847f0ba36c64c8671d4de5a68a152ed8059c2335a92e44ce92090845970aaad716e3b330d9496e851a5c07b2d1eb761

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
214B

MD5
daf76abe36b281d2bfb5538d85696e26

SHA1
51b9ba939588403720ec733a8d3a52fc62e75833

SHA256
06fef9033d5a728e4dc5d5c155b5e44f746bda0fde530281ce495df863317c8b

SHA512
fbe8d147794092ad6af46d07f2bd73f910fe4ae3064c1eb63bd1577afb84f2a0608358d5d243d59a91beb75c3ce74818e6bf6655cae758128b32a119abf362c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

Filesize
214B

MD5
60d0c99935a5ac450836fcf40ae30e7a

SHA1
73c45e7a1b5c1a720abfe8eba250a3bb4e0f4855

SHA256
edf422887344765165ba8eedb19809abf817148a832ea5e9043258d3b03e35c5

SHA512
c72b0790726a53b9854107623b7e994c438a5a0639caf84f4b5fb1017d049d5bad1af00f34c98e96a72b4e9aaeea8ebec668e120f3528c3aa4f9c1db661e6747

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
214B

MD5
62ce4502a890eddcea01d5e88ad1051d

SHA1
e675e34b1030e7642694b10ecbd70f56449a412d

SHA256
810c8347df7830263fdadb5a4016f8d48c0daca594ee6e688e507c7c3974964c

SHA512
1b541acf972e184e5f9a4fc736c18e11ce8704894704f7c231af284b97f5146e699114ff974f49633b4f5b980929eab14596369714a85007157ae74033cb1f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
214B

MD5
4011317865fe8fabe799d3cacfaa3f7c

SHA1
c13592c798ab8e3ea93df692024b58e15425f4b5

SHA256
17f26ee9ea2fc6eecc231c5faf1780eefa9fab4fdde6fb3c628b1472bc3fd769

SHA512
fada0742adfe858c61aae59c75ec4a9901ff53be703814cd0537794a10a301fc8e0d080835c31666dcba27296a7a17c0c2bd4d6685792110688132bc3cf8b8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
214B

MD5
4508a95ba219693bfba14fe9f7227fc0

SHA1
cb99988bea1690cea137945f8742a95539b06fb0

SHA256
f152f4dad6a0e3959abdc924e961067e8fa48c2e0b6c2ab353aca437fefcab1b

SHA512
73a9be3d6bb21bf26004b7be327ce3557d58940086cefc1882a2245a683b6f63eace500dcfe786557f6ab16695fec419071e0b163ed765aebb2b3c207b785d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
214B

MD5
8805fe7720193abb456d2264936cfdf7

SHA1
115ee6acb1b9e004ee42d42248f30b4160333ea9

SHA256
3e89d466702092d47f31f10d6eefa4ff03f72fa1bba2b2f13ad8fd2ae5a586cd

SHA512
342c5d68be32888ca2c9406a5b660694d7c23161489565bb8172b4bcec13856e5d96a60476f6ae260197bb3013c1f18dd123fbde7e1aecdfb98e9683a11f5e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
214B

MD5
6900752d9bca06c74907da88b1d9fda7

SHA1
118671ce6f0f869868235462a63d3bd509b35748

SHA256
0e936743266702b3c431ec2ec88cf5e1970f60c96fab63ddd00dad851459b5ec

SHA512
e18509e88747d0498613e7a3e251ed329af7a1a1e606886ea3ea1e0528a6e53d41b6a90ef3238c0ffb962e6e80829c160745064a6e338308d1ae7c4407c7cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
214B

MD5
53999cd6f3f668bfef453fd28b70e6e3

SHA1
713c460901afee3cfc3b289ab070dbf7b7b48920

SHA256
adb9028eb8647c48ca26442842bbf1efa982261020e316a2bf19446a31ae0657

SHA512
c9fb74a2b3822f7eb82986cd53d8389b1d5105ffffd149a0f7b9dd0c9edb34a622a82b495cdfa204548763e6468a1868cdf70b3cb2163348ee93b0dc6fcfb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
214B

MD5
dfb1512a165446cc9772190b42487bef

SHA1
41791431d641d3ff66adbb541603ec72c26d97db

SHA256
52eb4fb6969dec2201e8182cbd2a0f78736973a241177294b7ea3415f06077a0

SHA512
1994980608d4e4df32df80632507cb16710898d2bc69f919b0aa4ca6bcf339d29e85a199230f3405adfbfb3cc142a3173e1280dee64c977000fe076be9b67471

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e5072bd61f15aa5034338a4f760b5c9

SHA1
d04cf12b4932544ae4da3267880290552464d0ec

SHA256
5df55ab90789da3e7c171c47a1fddeff23319628a12a58a9c1ea5cd59a1994b7

SHA512
cc1b523525a390feb71b8eb435963167739b2ef5f3b8183385f68d3ab7d0f1ffc573e65f274a7a1b2a5d4043f234b1454efd75a3380aed963effcabf74233406

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/792-299-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1264-179-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/1376-479-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/1520-539-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-540-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1552-359-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1604-119-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1752-239-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2156-60-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2156-59-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2172-419-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2228-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2228-13-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2228-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2228-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-17-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2320-600-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2320-601-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2624-50-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2624-40-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download