dcrat | f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe
Size

1.3MB
MD5

f5b68e5b9f82c43001d1c6e06f3e9bd9
SHA1

acdbf672821f69b541bb82b49996c641e8f2abbb
SHA256

f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855
SHA512

1ca97514866a1fc591d50e93683d25424014e631223654fe614252c259677cccfa5724594d40639956e9e8fe61056b0964d746143b85f15e765d8ae31e1970b3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2728	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016890-9.dat	dcrat
behavioral1/memory/2440-13-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1212-59-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/2092-119-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2184-179-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/2760-239-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/1512-299-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2756-359-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2884-419-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2036-598-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/600-658-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
236	powershell.exe
1960	powershell.exe
328	powershell.exe
1720	powershell.exe
1976	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2440	DllCommonsvc.exe
1212	csrss.exe
2092	csrss.exe
2184	csrss.exe
2760	csrss.exe
1512	csrss.exe
2756	csrss.exe
2884	csrss.exe
2564	csrss.exe
2600	csrss.exe
2036	csrss.exe
600	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
41	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2396	schtasks.exe
2744	schtasks.exe
2808	schtasks.exe
2592	schtasks.exe
2700	schtasks.exe
2992	schtasks.exe
2816	schtasks.exe
2740	schtasks.exe
2824	schtasks.exe
1860	schtasks.exe
1740	schtasks.exe
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2440	DllCommonsvc.exe
1960	powershell.exe
236	powershell.exe
1976	powershell.exe
328	powershell.exe
1720	powershell.exe
1212	csrss.exe
2092	csrss.exe
2184	csrss.exe
2760	csrss.exe
1512	csrss.exe
2756	csrss.exe
2884	csrss.exe
2564	csrss.exe
2600	csrss.exe
2036	csrss.exe
600	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	DllCommonsvc.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1212	csrss.exe
Token: SeDebugPrivilege	2092	csrss.exe
Token: SeDebugPrivilege	2184	csrss.exe
Token: SeDebugPrivilege	2760	csrss.exe
Token: SeDebugPrivilege	1512	csrss.exe
Token: SeDebugPrivilege	2756	csrss.exe
Token: SeDebugPrivilege	2884	csrss.exe
Token: SeDebugPrivilege	2564	csrss.exe
Token: SeDebugPrivilege	2600	csrss.exe
Token: SeDebugPrivilege	2036	csrss.exe
Token: SeDebugPrivilege	600	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2148	2340	JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe	30
PID 2340 wrote to memory of 2148	2340	JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe	30
PID 2340 wrote to memory of 2148	2340	JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe	30
PID 2340 wrote to memory of 2148	2340	JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe	30
PID 2148 wrote to memory of 2504	2148	WScript.exe	31
PID 2148 wrote to memory of 2504	2148	WScript.exe	31
PID 2148 wrote to memory of 2504	2148	WScript.exe	31
PID 2148 wrote to memory of 2504	2148	WScript.exe	31
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2440 wrote to memory of 236	2440	DllCommonsvc.exe	47
PID 2440 wrote to memory of 236	2440	DllCommonsvc.exe	47
PID 2440 wrote to memory of 236	2440	DllCommonsvc.exe	47
PID 2440 wrote to memory of 1976	2440	DllCommonsvc.exe	48
PID 2440 wrote to memory of 1976	2440	DllCommonsvc.exe	48
PID 2440 wrote to memory of 1976	2440	DllCommonsvc.exe	48
PID 2440 wrote to memory of 1720	2440	DllCommonsvc.exe	49
PID 2440 wrote to memory of 1720	2440	DllCommonsvc.exe	49
PID 2440 wrote to memory of 1720	2440	DllCommonsvc.exe	49
PID 2440 wrote to memory of 1960	2440	DllCommonsvc.exe	50
PID 2440 wrote to memory of 1960	2440	DllCommonsvc.exe	50
PID 2440 wrote to memory of 1960	2440	DllCommonsvc.exe	50
PID 2440 wrote to memory of 328	2440	DllCommonsvc.exe	51
PID 2440 wrote to memory of 328	2440	DllCommonsvc.exe	51
PID 2440 wrote to memory of 328	2440	DllCommonsvc.exe	51
PID 2440 wrote to memory of 1456	2440	DllCommonsvc.exe	57
PID 2440 wrote to memory of 1456	2440	DllCommonsvc.exe	57
PID 2440 wrote to memory of 1456	2440	DllCommonsvc.exe	57
PID 1456 wrote to memory of 2236	1456	cmd.exe	59
PID 1456 wrote to memory of 2236	1456	cmd.exe	59
PID 1456 wrote to memory of 2236	1456	cmd.exe	59
PID 1456 wrote to memory of 1212	1456	cmd.exe	60
PID 1456 wrote to memory of 1212	1456	cmd.exe	60
PID 1456 wrote to memory of 1212	1456	cmd.exe	60
PID 1212 wrote to memory of 2956	1212	csrss.exe	62
PID 1212 wrote to memory of 2956	1212	csrss.exe	62
PID 1212 wrote to memory of 2956	1212	csrss.exe	62
PID 2956 wrote to memory of 2472	2956	cmd.exe	64
PID 2956 wrote to memory of 2472	2956	cmd.exe	64
PID 2956 wrote to memory of 2472	2956	cmd.exe	64
PID 2956 wrote to memory of 2092	2956	cmd.exe	65
PID 2956 wrote to memory of 2092	2956	cmd.exe	65
PID 2956 wrote to memory of 2092	2956	cmd.exe	65
PID 2092 wrote to memory of 1400	2092	csrss.exe	66
PID 2092 wrote to memory of 1400	2092	csrss.exe	66
PID 2092 wrote to memory of 1400	2092	csrss.exe	66
PID 1400 wrote to memory of 2280	1400	cmd.exe	68
PID 1400 wrote to memory of 2280	1400	cmd.exe	68
PID 1400 wrote to memory of 2280	1400	cmd.exe	68
PID 1400 wrote to memory of 2184	1400	cmd.exe	69
PID 1400 wrote to memory of 2184	1400	cmd.exe	69
PID 1400 wrote to memory of 2184	1400	cmd.exe	69
PID 2184 wrote to memory of 2004	2184	csrss.exe	70
PID 2184 wrote to memory of 2004	2184	csrss.exe	70
PID 2184 wrote to memory of 2004	2184	csrss.exe	70
PID 2004 wrote to memory of 1772	2004	cmd.exe	72
PID 2004 wrote to memory of 1772	2004	cmd.exe	72
PID 2004 wrote to memory of 1772	2004	cmd.exe	72
PID 2004 wrote to memory of 2760	2004	cmd.exe	73
PID 2004 wrote to memory of 2760	2004	cmd.exe	73
PID 2004 wrote to memory of 2760	2004	cmd.exe	73
PID 2760 wrote to memory of 1428	2760	csrss.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f02c9eb5022fbd8443e2520f9fa26ab281f5acfb6f388d9ca0ac47e7fcef9855.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2236
      - C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2280
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        13⤵
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        15⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2612
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        17⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        19⤵
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        21⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2276
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        23⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1088
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        25⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        27⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8aebd041c46bdf840e029e1554f068

SHA1
8a5750de4241856a16636838ee7e41920fe41219

SHA256
fbe70011b2f8d9deb3b0e575d5b692080f0e8557369ac88696135a6d7e061e41

SHA512
649d093b6b68a0d4f56eb42015eaf4fa15323c29e023dee8e366f45443a25b74af83d05c7d15942c3c1eb8677e30d2ba9d384c869efe8ae95fea851376425897

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e673b5b4aab55d9dcb7a319b5f7cc969

SHA1
0f198198007affd6a99cb9d233876706a0ffbc65

SHA256
4026ede3fd4dc50422e4bb49befe4357fef39cec6dc8a1b0b5951c75a3d499c9

SHA512
b217e0f8616d5adb61b5437bc6e453fff76eca0c14eb93dcd884114d176c09efe5fe691057b6ab55b385d3be488a8b877fe052939afdeced1a9a892eb30c54bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47df74d00b8fcdec9872149553de0fa4

SHA1
0568902dacb19e9b7fc28f068820da7914567223

SHA256
c7418bc31d2b03e6550a500498e7ebcfae0fac16d94aaa5c82af11e9d865637a

SHA512
ec0305aaed1250f0f1aae3c3230c955598b2252b9baa215d0cd0ed2f30467abe8e5f766bb27edcb17bdb41508fa968f9fe24d9e88ed9fc098b2c14500323f0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf77b2396a4ab55fa019a5c01b985620

SHA1
e1b8c73102ce9dc90b4e2df24ecd2b23e8b5495f

SHA256
fca6d5d37cdd4b3ab4d99d6c0914afc2a54d494d9cf2af02017ca377901450bf

SHA512
bcbc55aae2b77b49271d92908e29fd03d56655f6903474697862575d897a52818113513e84bb1317f0e3b1d266d8635b8cd60d0d2d6906b2b1f30cc13cc77a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e23e90a3005bc7a0b82b79d74db866

SHA1
f7eaa4c0045462e79762393297485ce3c0ae52e5

SHA256
adc78a5460d8a3d205759f73e377200d8d939972051cd4ac9a0de28badba9d7c

SHA512
3566005463125d75b4d2252324cc845df6a1450c5efe31ab34f428f1c172e3f00ca6d1a5927bc4ec3a5b7dab3349cf3157a209be8f2df2f701e72fefd80e151d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176b8d7fd7455a519fe4407f1cfdf07d

SHA1
d7d028db05400afc2d95ef924d15674ae41ecc1e

SHA256
cc8a508cfea28370c38697d38519a30b63b10b9540ccf5a63f63d5863d78e49d

SHA512
d51951f65658853f8426e0d5dff46c9bf551bd54a1e98b80bda15f8691fd21ef3ab55d01ea16da64ddb9b51452f7b30b32942752899308976b8453188b8fc962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1820c65bbec5748df56712f68f0d3747

SHA1
4f4cdd8457e774dc9ef3c95422c3f4d1f2026d4b

SHA256
59f54abd5f1818b1d4961341571ca82f8e6974f7e47f7971cb3512d4261e10e5

SHA512
5f8122e97ba718178a2fe67dd481c8809a029772d717228d7ede2134888f26422b4cf88bf439960cf3291c326d68ac082fff79f97c8007271cba26ab9ff16d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a5e20123b09d63018f1c750a3d8b30d

SHA1
8f335620e824e522332819b5959206c015452237

SHA256
07768329b34fbbecbfc5658b3f608a4e3351b2271c0e0f6e8ba55b158b93ca2e

SHA512
731c61d5582ea25084ff144afa3aeda3118c5a2781b27437768053254f20b75412bf0d54efea472a298ab491deaf5c07babbad6fa6dc2a6f9e9d5830c5146bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c4f3cea09c821a4304408ffeb79d8d4

SHA1
5b75e0879bda183c71bde77aef07148883b07cfc

SHA256
db9020b53acc15a4791d0042c57f382908ff7ba03dad831ee4a74dd93a52378d

SHA512
ba90c1b6f52c5eaea5e475d9f0422b02a785dafc4bd806a72b472791dd4fac1955aa28e1d3148861efdbdee02397e532d43cfcc5dba2ae3c6989de4fb8a90a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
569941a4bdc9cbb835034697169c2c7b

SHA1
d151ea9b9a5d12f60af81dcef24709de90851561

SHA256
1459906a0a12dc9c1749cc1819f039b111be08e76545a7b05b067501f963de97

SHA512
c5d486e340bedd365af06cb54bccffdfb06aa7fadc87ae140d336a51aa318b379eea41d30274b6ab0f84f696b6e946231ce7dd19ffc88373c5df44b65d5a6466

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
222B

MD5
ec6a41b88a99e0503e6564fb9061f84d

SHA1
6ec04e146f819765579157f3e8b2434475b90ec0

SHA256
397cf328993853c0591174197a5cda472940e60df64d1d701e91fc87a00caf56

SHA512
d499c53816bf9c8f49be141714a41d8456b34698430d5de20e49724a3e042db93a403adaafb0412598870fbb8c95cc884fc915c5fcdeba6d40adfa678d13860c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
222B

MD5
a5c161fa37f202e902dfcd2177c685db

SHA1
31d37f53ea518f4cdf2db55c95176ebf97251b29

SHA256
f6b9e66eda1f8a9d074e0249ab8f7ba66f72122b58abe8a2ec071dace6333549

SHA512
c259ebe7e795cc12aaa960382832ebe5cf82d5a11e2d36469e2a3100171a6f4630ea1003ecc319c9841c94259586650a1a22cffcb030e049041f7a6dd43e369a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDEFC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
222B

MD5
4bf7969d9e051701500998925be7a34f

SHA1
60b6316885610d377950890505950003f7bb8138

SHA256
4d307f58d85e6e19c0021761f80826de3a4cefe34db51e6940edd81d636a13bd

SHA512
097252ddd01c9ceb1f7da3e2503901b62beffb3c351b7c7c7c77afafb9e4c3d94dff2b75a7c5aaeaf73ff03a3d70670fdd9917b0e033719023e04e3ea6e6d1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
222B

MD5
08c47b0520d5fb464d4ac71d1ce18e5b

SHA1
c1ef0f2d9bb521dbfcbf58a77ca95be99c9e4274

SHA256
50ebab911f304ef527ff6684bc9dd577a1e801ddd7a00b1cb0d8eac3212e8052

SHA512
37bc11b55f6a71d3e07d8272764b57be707392cddd49a9907faf9907c4a1507d47bff8f141212a292aa0f60a8a5faff5ed0161f91dc6a37b81f9e974331a4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF1E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat

Filesize
222B

MD5
0c4e54d3b730db40add627a01ff3ef28

SHA1
c6248e12438cbe90cb7d73fa7c444150767bfc56

SHA256
87ae8d2fa78c3d80cbfd63b289688ce42109dddef96a6c838174beefa45b2ee3

SHA512
654438e68ef23deb229a8276d6a5ee1053a7fa7f7e0387ccc952e1515f077a32d722ff33a78c3887d802d6575ecd1c23043f7512292f8d0d505697cfc114f058

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
222B

MD5
a41065e0b5e00ee98918c512d334a30e

SHA1
30f1a8e1f313faabac881e20153a3d3b679cf29c

SHA256
045cdfcb1b16d267c9f6fa26772420c86e15254b7305f0395f2f0217758dd0fa

SHA512
8ddbadf450556f03706cc708d52d68ca65da27de8ba38e3bc388aff70af695e6f93eb0b05acc7cc6031325397f3a5ee66ccc8cdbe8dd04f0f04bf9fad42fca49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
222B

MD5
354ad8129cc2c7b848e81047a7c1b878

SHA1
4fa26333478ec5b974f0a081ca837c326f5eb456

SHA256
96b0642b5f925f14106e5b357baeb022c1debdd2799af456fa76850b8a9ebaa3

SHA512
b68010fb6997913bcfa2007ce1d001f1f69eb6cd824e5d6b5b7805c3c9146e69ec39b891e09fc56944b2e66bebe6e1ba7b50b14b56145cebaf4657801fa4b12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
222B

MD5
74c94ad50adb5d5182d8a3014731e375

SHA1
477d922e067a0ef78c067094cced119b4a656ee1

SHA256
dab9c1ac5524d2bdb010a07ec6884ca47a9af27d5ccd35fc28a803d358c56e31

SHA512
c25a1a0a19b4be156022e24c97daf6f8489d2b21ec2d7afb6406aba441c4de1c2881107dce68b23a6cbee9371911277f045a7986b32f8da53ab251f46c0c3281

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
222B

MD5
1557d8f14fb6f8632c7d1d8bb48e5cf3

SHA1
3b811ccc1e1e3495722e400fc328a8a67bf338b3

SHA256
ea853d61a1bc0fc9e5844613dbf76f00e27df652e19c78945ecc94ff47337c95

SHA512
ec20d5d472096e50187049e8813ba7dfd97c8481b3747a9e1ff31567e849b07d505cd04031724f1a1b36b3914f08d0ff6b0aa0fbe0e4dfa965950b54b85da21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
222B

MD5
54d3a7d6f0aaa828933672907c192931

SHA1
2f52e275882d22f01e65b18b802a953880b3001c

SHA256
0ae64c69109ae4fd38f62cde95cb95860013af366f71bfb12a035e029bf0bc3f

SHA512
bad65e29ebda771ad648a8ec3603a5b9147fb19466d1ecabccced96f66e48598c5e2dab162b522dbf1f1a703e8b27b398dcc1da8239d5a3eacf018b8125d4296

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
222B

MD5
6d6254912256058c59192d99adf90c65

SHA1
1bea9a0729dbbc4a17518b84e970a978190ad2c9

SHA256
b884e25bc7fefdc2d14f0e7cb8b9153337117938d96e85ce8dde2b372fd086ad

SHA512
8054b2abb94d048f8c4ae86995ec33b49b472a905a7ec31548c4021205f4f2601ab220f59d1b79ce9ef9e2ce5b7ba8e0d798c0407509a1372d9d420dc010fcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
222B

MD5
eb47c2b8eb90414e3ff15707a45f771c

SHA1
714655e112c10d86bd56dc7af250a68b34be81a9

SHA256
7da383fe6be683a229ebcad316939dccd13f1ec91c118be916fd09c089a951d2

SHA512
781910ad2c1697daa2b044f90b102ea0858cf7fc6180ea89978d3d895761a0cd693e70699a55ffef1783f4e6e2b66a3590f001f7387b2dc239a18d526f6755ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
819bfd1571143b5ec8a3839e8e78706a

SHA1
b4f3eb8434ddea1955aee317cdf68074ceb7e876

SHA256
1d03e77d5b52ec77077002464944591613ad1240af0d87e8b577fc916214c0d0

SHA512
c3a8c6656965de783d44f9a190745f7ce624aaa632795c49bc9f47099e3f2773fd002ac478110ffa1e6504a505a4e1a4206d8ee988452e1e3e0fd3a86d8a94f3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/600-658-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/1212-59-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1212-60-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1512-299-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1960-46-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/1976-45-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2036-598-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2092-119-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2184-179-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2440-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2440-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2440-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2440-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2440-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2756-359-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-239-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2884-420-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2884-419-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download