dcrat | 7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Size

1.3MB
MD5

aaba96c96dfa7d7a795c069095afddf9
SHA1

a7e6f3dc3757e5bf84e2b6185efa21ea551183dd
SHA256

7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc
SHA512

a198a8a8e5680ed9a7338216049a608c742c0f594d4c85ce8688eafff367a54c578e33c2346ea132842946f68a05d96f4cebb5cf75729de66faec2db0ea9d8c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1504	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1504	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b78-10.dat	dcrat
behavioral2/memory/2660-13-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4136	powershell.exe
3472	powershell.exe
3144	powershell.exe
2900	powershell.exe
3260	powershell.exe
2036	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 13 IoCs

pid	Process
2660	DllCommonsvc.exe
2372	upfc.exe
4280	upfc.exe
1264	upfc.exe
4488	upfc.exe
1612	upfc.exe
4508	upfc.exe
716	upfc.exe
4348	upfc.exe
3948	upfc.exe
3572	upfc.exe
2276	upfc.exe
2156	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
56	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
48	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Garden\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\ea1d8f6d871115	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2304	schtasks.exe
1120	schtasks.exe
3416	schtasks.exe
3024	schtasks.exe
1044	schtasks.exe
3420	schtasks.exe
4976	schtasks.exe
2732	schtasks.exe
3020	schtasks.exe
1612	schtasks.exe
4644	schtasks.exe
2596	schtasks.exe
3508	schtasks.exe
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2660	DllCommonsvc.exe
3144	powershell.exe
3260	powershell.exe
2900	powershell.exe
2036	powershell.exe
3472	powershell.exe
2036	powershell.exe
4136	powershell.exe
3260	powershell.exe
3144	powershell.exe
3472	powershell.exe
2900	powershell.exe
4136	powershell.exe
2372	upfc.exe
4280	upfc.exe
1264	upfc.exe
4488	upfc.exe
1612	upfc.exe
4508	upfc.exe
716	upfc.exe
4348	upfc.exe
3948	upfc.exe
3572	upfc.exe
2276	upfc.exe
2156	upfc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2372	upfc.exe
Token: SeDebugPrivilege	4280	upfc.exe
Token: SeDebugPrivilege	1264	upfc.exe
Token: SeDebugPrivilege	4488	upfc.exe
Token: SeDebugPrivilege	1612	upfc.exe
Token: SeDebugPrivilege	4508	upfc.exe
Token: SeDebugPrivilege	716	upfc.exe
Token: SeDebugPrivilege	4348	upfc.exe
Token: SeDebugPrivilege	3948	upfc.exe
Token: SeDebugPrivilege	3572	upfc.exe
Token: SeDebugPrivilege	2276	upfc.exe
Token: SeDebugPrivilege	2156	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4436	5016	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	83
PID 5016 wrote to memory of 4436	5016	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	83
PID 5016 wrote to memory of 4436	5016	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	83
PID 4436 wrote to memory of 3096	4436	WScript.exe	85
PID 4436 wrote to memory of 3096	4436	WScript.exe	85
PID 4436 wrote to memory of 3096	4436	WScript.exe	85
PID 3096 wrote to memory of 2660	3096	cmd.exe	87
PID 3096 wrote to memory of 2660	3096	cmd.exe	87
PID 2660 wrote to memory of 4136	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 4136	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 3472	2660	DllCommonsvc.exe	106
PID 2660 wrote to memory of 3472	2660	DllCommonsvc.exe	106
PID 2660 wrote to memory of 3144	2660	DllCommonsvc.exe	107
PID 2660 wrote to memory of 3144	2660	DllCommonsvc.exe	107
PID 2660 wrote to memory of 2900	2660	DllCommonsvc.exe	108
PID 2660 wrote to memory of 2900	2660	DllCommonsvc.exe	108
PID 2660 wrote to memory of 2036	2660	DllCommonsvc.exe	109
PID 2660 wrote to memory of 2036	2660	DllCommonsvc.exe	109
PID 2660 wrote to memory of 3260	2660	DllCommonsvc.exe	110
PID 2660 wrote to memory of 3260	2660	DllCommonsvc.exe	110
PID 2660 wrote to memory of 2992	2660	DllCommonsvc.exe	117
PID 2660 wrote to memory of 2992	2660	DllCommonsvc.exe	117
PID 2992 wrote to memory of 3900	2992	cmd.exe	119
PID 2992 wrote to memory of 3900	2992	cmd.exe	119
PID 2992 wrote to memory of 2372	2992	cmd.exe	125
PID 2992 wrote to memory of 2372	2992	cmd.exe	125
PID 2372 wrote to memory of 3512	2372	upfc.exe	133
PID 2372 wrote to memory of 3512	2372	upfc.exe	133
PID 3512 wrote to memory of 3196	3512	cmd.exe	135
PID 3512 wrote to memory of 3196	3512	cmd.exe	135
PID 3512 wrote to memory of 4280	3512	cmd.exe	137
PID 3512 wrote to memory of 4280	3512	cmd.exe	137
PID 4280 wrote to memory of 3000	4280	upfc.exe	141
PID 4280 wrote to memory of 3000	4280	upfc.exe	141
PID 3000 wrote to memory of 1004	3000	cmd.exe	143
PID 3000 wrote to memory of 1004	3000	cmd.exe	143
PID 3000 wrote to memory of 1264	3000	cmd.exe	145
PID 3000 wrote to memory of 1264	3000	cmd.exe	145
PID 1264 wrote to memory of 1988	1264	upfc.exe	148
PID 1264 wrote to memory of 1988	1264	upfc.exe	148
PID 1988 wrote to memory of 2028	1988	cmd.exe	150
PID 1988 wrote to memory of 2028	1988	cmd.exe	150
PID 1988 wrote to memory of 4488	1988	cmd.exe	152
PID 1988 wrote to memory of 4488	1988	cmd.exe	152
PID 4488 wrote to memory of 2896	4488	upfc.exe	154
PID 4488 wrote to memory of 2896	4488	upfc.exe	154
PID 2896 wrote to memory of 208	2896	cmd.exe	156
PID 2896 wrote to memory of 208	2896	cmd.exe	156
PID 2896 wrote to memory of 1612	2896	cmd.exe	159
PID 2896 wrote to memory of 1612	2896	cmd.exe	159
PID 1612 wrote to memory of 1668	1612	upfc.exe	161
PID 1612 wrote to memory of 1668	1612	upfc.exe	161
PID 1668 wrote to memory of 2224	1668	cmd.exe	163
PID 1668 wrote to memory of 2224	1668	cmd.exe	163
PID 1668 wrote to memory of 4508	1668	cmd.exe	165
PID 1668 wrote to memory of 4508	1668	cmd.exe	165
PID 4508 wrote to memory of 1480	4508	upfc.exe	167
PID 4508 wrote to memory of 1480	4508	upfc.exe	167
PID 1480 wrote to memory of 4724	1480	cmd.exe	169
PID 1480 wrote to memory of 4724	1480	cmd.exe	169
PID 1480 wrote to memory of 716	1480	cmd.exe	171
PID 1480 wrote to memory of 716	1480	cmd.exe	171
PID 716 wrote to memory of 1004	716	upfc.exe	173
PID 716 wrote to memory of 1004	716	upfc.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Garden\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOqaIh1y4I.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3900
      - C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3196
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1004
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2028
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:208
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2224
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4724
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        19⤵
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3260
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        21⤵
        
        PID:4092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2028
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        23⤵
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4716
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        25⤵
        
        PID:3940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1976
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        27⤵
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1480
        
        C:\Program Files\MSBuild\Microsoft\upfc.exe
        
        "C:\Program Files\MSBuild\Microsoft\upfc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Garden\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Media\Garden\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Garden\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
9c55101be2ebfdb081df7c244c716cc3

SHA1
fdaa04885c4e66ff74233b300bb2c7b9cf361c1f

SHA256
1b3931bfac2580bc46999fd6287dddddc7176cac7886bcf3ad6c45a3eff5102f

SHA512
33caf3447d23dd060453efb1a8980853ae7309b436f9bff4fa5ebf3afb9e0e649a434cc525c8da650d31a3f1f595d84f6be48da67242215d4889a8a9b6ffc262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
208B

MD5
c22a5c4af75b1cd14d6f9eb4c7570d28

SHA1
a6ce61631307fd1e70f844d392bd6566ce97e277

SHA256
7a8dada5019c83041edac26011cf733f2243108875da8944dc34b6aeef0717b0

SHA512
77ed73b39857317586d6f278e9bf5120b7c414ef06a7e240585b0dd8d3696f61a809643b93e808194531b7b79979dafac339c59f556562069a1a4697f5789639

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
208B

MD5
594dca00f537e8718a70c3e989bb6fcb

SHA1
2842580a3c14eb9a72e3a8bc4917aabc55d88531

SHA256
1979a09ac230058a2288cd8b36c917e5e12728a1c49921ab2ee04bbe446af744

SHA512
aae64ea8f076fe853a96a3f7db4e7b2e35cbddcc9308fead26f487e226f46e01b83122a227fa2aae9c6734efa85e77183082b2da8694cbb0197095861fb949e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
208B

MD5
f60b652b59f5d0e9088fd9ce1210f3f6

SHA1
65c123dbd19c60b503657c914857331724ec1e29

SHA256
a1c0fdd9a52db152747db724c4d986c5ac2835c2a2fd9cc5f8eaabc15cc075dc

SHA512
a3a122bdf3085a2cce07c622af499170aaf3e2598af62d7a74648a1f14a79d1e7bc7c92fc023123441c6c31f1f203bea90df8f97b24d515c005de9964458c85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
208B

MD5
ab04dfc5283bbc2da63aa59cb8c822b3

SHA1
ca909962828009b6f2ceddf751287b2a3fdf60fa

SHA256
0da8d8bce43476e2fcfca6201a3d6347a372727655404c01882a5f12bcdb20d8

SHA512
c774d85fdff892e36efa380ccc2603e59337c22775867fa2473ebdd1cab1214bacc937373c29134f36c019eea376a165f6dd4e47497192cec5d94d5a62732913

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mwyr3jqe.ccb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
208B

MD5
1e6383b8e070266ba0b8f2c5d60f1ccd

SHA1
81bda72ea2fc0ea171642f206ecc086055826b74

SHA256
074a45a818de965db6b1b51b0c50e43f0d1c6c2942244458239a3fbc414cacc6

SHA512
0814ba0653706a3d331ecebe3561851fc94addf3332ba1eb387f0e9cbb01311e3ca074b425c7680703c78cfa9959bd631dec49af76b7b043702d3964ed35ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
208B

MD5
2a5c2c060705769628872c699644aaea

SHA1
934040becc8ce53b7ec9371764d44f8972383246

SHA256
a7dad2c583f0bb51652a1fec577d7d84d82b21eb1549f27171c9a63fd6c96fc4

SHA512
ec07944906bc607b4d93c7afb5e101b3fe9fef2c7d712d30ae897e098e5d063c3595fff4eae254ba29d2fc6c79bd456fe9aac7e1e300d005efe2906385a164c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOqaIh1y4I.bat

Filesize
208B

MD5
aa2a20fc556cefb49e9580d99137b5c5

SHA1
e9b98372e131a3e25376885ee32cb407588ec906

SHA256
c2bb266cd8618f0f65bd4debcb29462b423ae6a15e3ded622cbbc0b56cd867ab

SHA512
3fdcae73d9961513af032330f328e86e2ab5a699adbd3110a47c4ed9f5cef3711f6c119ab40acb96588395b83f0336dd905334aef6b79bf49bcaacb98827204d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
208B

MD5
d10c9a6d44ecf384e7b458b34e55b497

SHA1
867eac7e44a9fd63c494cdfdc59a2750a804efc0

SHA256
e37304d5ab5d874e96c072ec3bc04557d17490bf5cbe6c76edd42a146c37f8c0

SHA512
892405c00e141458305bb6f45f36239610cb54729599e445dcf36ab341759db64ca72e57e4acaf9702f783e75e4a2338243a66f900795976712ecde635391be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
208B

MD5
f179e692c8a8166a7700ec5f2eb7a0b8

SHA1
9cddd8d417902ffbbd33e9be3e79aa7e5c6f689d

SHA256
aba595daea1339d6020d3b2112a223e44b3f3008af20ad0e946cb41b9d0523df

SHA512
cf64079e47c0537d6e4ce002e83fa683d7c81ebfb34b921aa521b0fd8336dd1cd1ee962ce3eea91dbb436014ccc96caf06cc703bb233646f93925d270b42ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
208B

MD5
1337b4af82b689e5685cb38ffee7a00e

SHA1
d39be675c3be0fd230b9403a4cfafcf9e1ccfbe7

SHA256
ed9b9bbf99ef61689b17d9f60f1aa1c2d15b5d1fbcd88d8acf81a228eb507e9d

SHA512
79eae8f4cfd496658aa0353eddb272c9d842390308130fe422c7bd4ef181d4af4c52e27da38e8590c7956c20f44e6665ade3cc970a7792274ad6b1e9373960d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
208B

MD5
f83edb6acfacb6c72d4d835f3f3803e8

SHA1
8ed2a7d17cec7854474bbcbc198b5302e1b8e64c

SHA256
88f1717d0bd5e0fe01ea21ce1d6e7404560a144f7026ba49dec741fdafc0307a

SHA512
84d81265ab4d3426fe1654ab6d397f1e6580dd04e27a41e7f24e908d7de848ad421289eff3604daa5be2d9fa2a84ee05d3c002aa3ad67b6a05b0e33ee29cd361

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2156-183-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/2276-176-0x0000000002D30000-0x0000000002D42000-memory.dmp

Filesize
72KB

Download
memory/2372-110-0x000000001CA30000-0x000000001CB9A000-memory.dmp

Filesize
1.4MB

Download
memory/2372-109-0x000000001C2E0000-0x000000001C3E2000-memory.dmp

Filesize
1.0MB

Download
memory/2372-113-0x000000001CA30000-0x000000001CB9A000-memory.dmp

Filesize
1.4MB

Download
memory/2372-112-0x000000001C2E0000-0x000000001C3E2000-memory.dmp

Filesize
1.0MB

Download
memory/2660-17-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/2660-12-0x00007FFB28AD3000-0x00007FFB28AD5000-memory.dmp

Filesize
8KB

Download
memory/2660-16-0x0000000001100000-0x000000000110C000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x0000000001120000-0x000000000112C000-memory.dmp

Filesize
48KB

Download
memory/2660-13-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/2660-14-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/3260-51-0x0000026E79A60000-0x0000026E79A82000-memory.dmp

Filesize
136KB

Download
memory/3948-163-0x0000000002A30000-0x0000000002A42000-memory.dmp

Filesize
72KB

Download
memory/4280-122-0x000000001C310000-0x000000001C412000-memory.dmp

Filesize
1.0MB

Download
memory/4280-117-0x0000000001680000-0x0000000001692000-memory.dmp

Filesize
72KB

Download
memory/4280-123-0x000000001CB60000-0x000000001CCCA000-memory.dmp

Filesize
1.4MB

Download
memory/4488-132-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

Filesize
72KB

Download