dcrat | 042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327

Analysis

max time kernel
142s
max time network
137s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe
Size

1.3MB
MD5

6ac8bb3995e737872c4de022e4730045
SHA1

7b272bf9721fa43e22ed5a15c41b5a5be2f12f35
SHA256

042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327
SHA512

d156b83c275bf1f4363c9e07e43ae886d5b2e9d1b812f92cc19e43b558faf9dfe7c4e8ddd5e4c8f96b2ba9eb34dd2bd649ce3034760637835cbb0f51b2ac257f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2788	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2788	schtasks.exe	33

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b3-10.dat	dcrat
behavioral1/memory/2756-13-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2168-45-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/948-185-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2312-246-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/1108-483-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/2792-543-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1624-604-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1092-724-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1060	powershell.exe
2388	powershell.exe
316	powershell.exe
2928	powershell.exe
3004	powershell.exe
1020	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2756	DllCommonsvc.exe
2168	Idle.exe
2828	Idle.exe
948	Idle.exe
2312	Idle.exe
1832	Idle.exe
2176	Idle.exe
1672	Idle.exe
1108	Idle.exe
2792	Idle.exe
1624	Idle.exe
1288	Idle.exe
1092	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
1624	schtasks.exe
2012	schtasks.exe
2372	schtasks.exe
2416	schtasks.exe
2616	schtasks.exe
3044	schtasks.exe
2592	schtasks.exe
2908	schtasks.exe
2644	schtasks.exe
2676	schtasks.exe
3028	schtasks.exe
2272	schtasks.exe
2456	schtasks.exe
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2756	DllCommonsvc.exe
2388	powershell.exe
1020	powershell.exe
1060	powershell.exe
2928	powershell.exe
3004	powershell.exe
316	powershell.exe
2168	Idle.exe
2828	Idle.exe
948	Idle.exe
2312	Idle.exe
1832	Idle.exe
2176	Idle.exe
1672	Idle.exe
1108	Idle.exe
2792	Idle.exe
1624	Idle.exe
1288	Idle.exe
1092	Idle.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2168	Idle.exe
Token: SeDebugPrivilege	2828	Idle.exe
Token: SeDebugPrivilege	948	Idle.exe
Token: SeDebugPrivilege	2312	Idle.exe
Token: SeDebugPrivilege	1832	Idle.exe
Token: SeDebugPrivilege	2176	Idle.exe
Token: SeDebugPrivilege	1672	Idle.exe
Token: SeDebugPrivilege	1108	Idle.exe
Token: SeDebugPrivilege	2792	Idle.exe
Token: SeDebugPrivilege	1624	Idle.exe
Token: SeDebugPrivilege	1288	Idle.exe
Token: SeDebugPrivilege	1092	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2244	2540	JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe	29
PID 2540 wrote to memory of 2244	2540	JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe	29
PID 2540 wrote to memory of 2244	2540	JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe	29
PID 2540 wrote to memory of 2244	2540	JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe	29
PID 2244 wrote to memory of 2824	2244	WScript.exe	30
PID 2244 wrote to memory of 2824	2244	WScript.exe	30
PID 2244 wrote to memory of 2824	2244	WScript.exe	30
PID 2244 wrote to memory of 2824	2244	WScript.exe	30
PID 2824 wrote to memory of 2756	2824	cmd.exe	32
PID 2824 wrote to memory of 2756	2824	cmd.exe	32
PID 2824 wrote to memory of 2756	2824	cmd.exe	32
PID 2824 wrote to memory of 2756	2824	cmd.exe	32
PID 2756 wrote to memory of 2388	2756	DllCommonsvc.exe	49
PID 2756 wrote to memory of 2388	2756	DllCommonsvc.exe	49
PID 2756 wrote to memory of 2388	2756	DllCommonsvc.exe	49
PID 2756 wrote to memory of 1060	2756	DllCommonsvc.exe	50
PID 2756 wrote to memory of 1060	2756	DllCommonsvc.exe	50
PID 2756 wrote to memory of 1060	2756	DllCommonsvc.exe	50
PID 2756 wrote to memory of 1020	2756	DllCommonsvc.exe	51
PID 2756 wrote to memory of 1020	2756	DllCommonsvc.exe	51
PID 2756 wrote to memory of 1020	2756	DllCommonsvc.exe	51
PID 2756 wrote to memory of 316	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 316	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 316	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 3004	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 3004	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 3004	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 2928	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 2928	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 2928	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 2168	2756	DllCommonsvc.exe	61
PID 2756 wrote to memory of 2168	2756	DllCommonsvc.exe	61
PID 2756 wrote to memory of 2168	2756	DllCommonsvc.exe	61
PID 2168 wrote to memory of 2464	2168	Idle.exe	62
PID 2168 wrote to memory of 2464	2168	Idle.exe	62
PID 2168 wrote to memory of 2464	2168	Idle.exe	62
PID 2464 wrote to memory of 2300	2464	cmd.exe	64
PID 2464 wrote to memory of 2300	2464	cmd.exe	64
PID 2464 wrote to memory of 2300	2464	cmd.exe	64
PID 2464 wrote to memory of 2828	2464	cmd.exe	65
PID 2464 wrote to memory of 2828	2464	cmd.exe	65
PID 2464 wrote to memory of 2828	2464	cmd.exe	65
PID 2828 wrote to memory of 1872	2828	Idle.exe	66
PID 2828 wrote to memory of 1872	2828	Idle.exe	66
PID 2828 wrote to memory of 1872	2828	Idle.exe	66
PID 1872 wrote to memory of 1932	1872	cmd.exe	68
PID 1872 wrote to memory of 1932	1872	cmd.exe	68
PID 1872 wrote to memory of 1932	1872	cmd.exe	68
PID 1872 wrote to memory of 948	1872	cmd.exe	69
PID 1872 wrote to memory of 948	1872	cmd.exe	69
PID 1872 wrote to memory of 948	1872	cmd.exe	69
PID 948 wrote to memory of 1648	948	Idle.exe	70
PID 948 wrote to memory of 1648	948	Idle.exe	70
PID 948 wrote to memory of 1648	948	Idle.exe	70
PID 1648 wrote to memory of 2112	1648	cmd.exe	72
PID 1648 wrote to memory of 2112	1648	cmd.exe	72
PID 1648 wrote to memory of 2112	1648	cmd.exe	72
PID 1648 wrote to memory of 2312	1648	cmd.exe	73
PID 1648 wrote to memory of 2312	1648	cmd.exe	73
PID 1648 wrote to memory of 2312	1648	cmd.exe	73
PID 2312 wrote to memory of 892	2312	Idle.exe	74
PID 2312 wrote to memory of 892	2312	Idle.exe	74
PID 2312 wrote to memory of 892	2312	Idle.exe	74
PID 892 wrote to memory of 2352	892	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_042254828dae5c5c9aaf2de603b3536277313791006926acfa729ba55407f327.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2300
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1932
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2112
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2352
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        14⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2416
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        16⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1536
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        18⤵
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2476
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        20⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2876
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        22⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2036
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        24⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1748
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        26⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:704
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ad7d289685a12503857d78b4cb17076

SHA1
6aec30c5d67913aebcf374bcb21be6d33411a879

SHA256
31fbb2cf41908dd9c17af381d175941d33756bd806c9dfa6bfb65634925f8b59

SHA512
7d7c785cdfbb17335f3d2250fac1157a0bfbc37cac7efec0b8114dee2e7c7acb240424998e629c8c01cd9376484789919b26ab01ca0006606b62a22d0102e368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fb461723633c6f9d13178936234f6ea

SHA1
674896963349cd95328e9968579bd52587199f81

SHA256
f831af2364766f578a29b160e5e1eb179a63628efd4261ee8cdc7608dc0efffd

SHA512
cb808860a9c60c8b837635874038237edd3c665fa61ff22729e958ac41ea560630ef2d28ed5e54fec2b6287dec89ab3c8b072ff6dfb42cffc34c7f12b72c785e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c1bf5ce03d7b98c19a62186abeac3cc

SHA1
f49a053185da6871529d2f24771e1237ed2494b0

SHA256
e3161907fb68ca7a011b3dc31e0c7615ccf8d4b9f6ac6a832ea844380f300a5e

SHA512
ea481e6ec3b0da2ab4516fdb5964862356db18f51a3c4b6d04305fbc152afe137916f08ea2228a3ea20b649fe77a63c40c3089bdc37499a157439423880605b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5432039fc98146c82000f421b3bacc27

SHA1
22b267bab8658724eb2d982007a4a3e66bd75ff8

SHA256
42735f34cd9785fd3b63315d0c14bb1efe752c4a87f4333e42e0137efb001694

SHA512
a3b32fcb6f9ac50df8beb9b42ccece6caaa7b6962818f8ed5ba32744b352ca099151c7265d2b3c29c5629b4f1844a8dbdc276666168cd1b9e0bf28836e06ab28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2e2d825407fcc53013ee0a561ceb702

SHA1
09bb576f9fd4d9d4021188a74359301828965a5d

SHA256
17661fc4d65efcc5435112a6c73d4365675ffd2376af002f599bec929741d8d5

SHA512
212da6148bda69b6d1bf32e1418a0701369feab279e7f3bc466e04109a1ca08df98fff0bf590ce233f68978aae0f63746f760fec0351449c3d5a5a44b701ed7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ab6c8a6fee39b10dc4ecdfbb789ed5d

SHA1
2aa6c5bcf2d0be5c983aa0f65dd8c524c3d29b84

SHA256
e252d5147e1021fd2dd6120b5a392949ae9dc6dff14764d47328ef72c6d0cb83

SHA512
3995ccff8639b4e639701b13112462aaf0346381a4cd2ccc7fe83e0373c7be5485e2a7fe5e912dcca12eb985145153969a03734c3e2cad50c6f1050c58e37f03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
520a81c5093debee2a974c77a66ddc06

SHA1
0c58bf1719cfc67a0c70a1585917736047d36d54

SHA256
4b1c9d2cfa34160aacbe743f450fb6377f364a9174703573339d74c4365a38f0

SHA512
c6b8c44582693ad20d8fe81b77a6c4b1fe6ffa04db0b659d4d5abcf8d7969e1555966149c4244d62a19ea02dc0ab69dec7805ed64c7ecbffb60fc06df2052425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf670ea0be6818af344ba4343cd163e6

SHA1
f83a0c157be078710bfa7f1bdd243330b0b0b183

SHA256
9c8a2f4dba72f635dbd1a8ead03c1e13d7d29b6dc1a144bb4ab6618ec5dc9db4

SHA512
1cd4c98c67b144285fe15405abb3e92bc1eb3972acca6d6325f3d4cc426b82ed707e3a3b75d9219467e77f28282effa70fe2ef25a6e28b289a1bfadd0cc532a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70df21a35bdf0f69ce3775e4405b1cad

SHA1
a20aebf01bce1b18853c4ee0c6e7e1e6e7538455

SHA256
d258016b30c7cd9ace39d3931c6a7ddbca9d9aa0cc00f975d541e11f109d79df

SHA512
621fcfbf467538047ad1792d1b83626ed80c215a0d59b747c25df3ebea2e2c43573736d5e4124f1a41d9b4f3347d460a53e6784dec3ca53498750844da7ff4d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07c6d6b5bb2f57601d01fc813b3b6297

SHA1
ccb6cad899751ad4b22508e43c58be05f8aafccb

SHA256
3c4cb9e86ab0b5856450fbfd5c3bc8643a018ab74753d0bcbff6b4b0469f4cd6

SHA512
a349a81506237b7eeb8b1dc89cb8a72ce54b9bd6cf4b3bb4b55b6c0eeb33f6c8af6aaa9b2bfb28c80bd5bb2ed5588cac114edf81c787d35cb05f078e5ac6199b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
191B

MD5
64291f8ee52bc31d21fedd7dafa98a32

SHA1
a9baa24eb07806108f2755d85f158525ec2440f1

SHA256
371ae8f249edb0931e2c0efe3c0eca7647211e7c58b856280d193cecbecb6f6c

SHA512
a946b62c5dacd403a0ee1055de7a955a859a8acfd5a576823cde05f59cc84e99aafe6c4a4f6b114631912330fae00b33449924fc3de4067a199174234b4cb05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
191B

MD5
943894b6e6a82863647452a8f59dc0a8

SHA1
21fd2d06230837404545795b57811dcd2dcdb232

SHA256
1394dc56af5dfab28286a64390e7a066283e582a776d9a3a3b27b7720411b4ab

SHA512
d0d386499917680999f74fb92ed99c8d4c4636f23df76516c984571185cf5de81da401cc73e6b61896aeae51d0e1ef7f0a10b84b8d76d9fd63a37d5a707fe400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1779.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
191B

MD5
50e47fad3714536b7310d37fea2c9e06

SHA1
86f5f985e9ed658277a41c809e51d7231b9f40d1

SHA256
222fb158b96d67890a6b34067ebec0632cffad41351df2dd38fab59d03072a90

SHA512
44e9cb74acd2da19e71c5d46c138fe0187f24c6d1b5ad20a9a79c80a29c1e9de6f12db2ea273d38cf10c1bceb8f16004f2e99cac2b0cb05f8e1d0e1e2156c44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
191B

MD5
8df5066fbf0761718bda119f5c73d1c1

SHA1
ac37b8c74f9e7d52e00f8c10dbf524020a7e94f9

SHA256
6ac6121bbb86a81aad18cf610752ee9a5c1f767c3c92d3578958b212b7e648f6

SHA512
db12d1fa61cf90244a24d777dc4f0df69c27ff4bec4ac10f47ae5b86f98f667af0f596bd7942622d38ae8bc9599ec9be647c1649a0084319f924da0123f04b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar178B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
191B

MD5
2212a91d2c2aa68ce6105d5e293a0a0a

SHA1
842fe7f1af2ca2ffa1203911586e438933665791

SHA256
bc79acc7d77a1c626ddc896a69c3a2aebcd7e9a73bfcbbbf6643a9e01f7c145b

SHA512
8aad974a3bc75a1322778b3b47d79b5dc63123ad9e690cfa0b8169c82f3828c5257d76ecb53025a42ae11275bed3bbc9e27a2a4278cada6c46d53a0b207b61b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
191B

MD5
79a831e038f4ff01f74429ea8a672d84

SHA1
9642dd9e60c7cb67e049aea9b741f1f4cdd890e9

SHA256
021085d578b613b30ce214f29f6edee0f41b6a5d0206dda89de576bd5faeec15

SHA512
bc6a5dffe8e2323e070bee00adba93da634d5b45e3d34e0af2535e47871ccd9cd6c3c04539477354b1b6e33cec42351e442fc37ba818c39943c10a0fad1f1be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
191B

MD5
2cb2b7688e1bbc3f7fcf9c9a6610893e

SHA1
41fdd283849f39870d7f1065bfb42f659d0068cf

SHA256
8b70b63ed874dd05bffdc5c042bd828a289331c49a8c56f880a537e741c63c9b

SHA512
77dd6c32c647db11082f3ff3efd19b72d466d6906f6490f81dc12da7ebf8ba3a7b2e34dca15da8e5abf6bf7ffe1fd13389892c7cbdfe718333b3ad2c5d64e9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
191B

MD5
6ef5ae3f7e9c34296579738d6ee539b4

SHA1
0b6a5ed87103ae888f8bddce8d3bf213e63ce5f6

SHA256
d960fa5b9bfe48f3bf77cbfc827690c672c755b4cb4dbf12be8306593c509e26

SHA512
f5de83d68cf28b46b280959912d4bd67dc6b812767dc26f64e4b117cf9dfbe12e2a6fa4839f5de333cf02bd653897376ed0569ff858dd3ba3c59e5f5e3e4e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
191B

MD5
f97a71c885cb90428d885755f7e11bd5

SHA1
cfc6cc5ffc97fa8ee6ed21e3d0f175607c5cee67

SHA256
386611a19fe36c29dfaa069a60f8fa42f38f12fdb0864018750732e720311570

SHA512
b3222e6dcbc0fc164b59537200964729ffd1e5890cc46f62d73f4b5c656da1250cc195e8c60d6df128a847cb4b195c6c2e9f1ac235855b911fd5202d50748857

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
191B

MD5
dcc814afcb25596f085e253aee5bab4e

SHA1
c1a356718c4364623394b773b64e07b91bc4e534

SHA256
e29450402bdeb9ea074ba57d5d935ecbaeaaac8f3b6f246c9bba149d61af7b9b

SHA512
cd0a03d245d537b4532c73b07ec7913dbc445f2f8b60f6558f69555e3fe17bb6d4f176c5d925d079a104d72e7786e870b67a7c9cf912d1b86f7701b04ffbc396

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
191B

MD5
20ee750e811997860badca41c60c1072

SHA1
71244f25dced1c305283da1f4a2c56c594b40712

SHA256
f92815f9fee31535fb0819a6adb9f6479e6b7cae964201fd3410c5b917cb55ee

SHA512
b9d6ba7e09fd469f143860c93651a559d10f8d953a49f338257f6b8ea13eac041a3edd7012f167b0ac8d888833036904fb9259b2be800437bc74b419912a80a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2GJEUVTA5QI07T2JCPQE.temp

Filesize
7KB

MD5
f0590984aebf69ac178873b61c29cde7

SHA1
9913e1d24a1ff0317757fc1a74cf959751c2d5bb

SHA256
f46dfbe8c26d82ddeb73fa95a890ae9e60582889e6781cfb257057cb35e6165f

SHA512
34b0ac4aa4f4f04863567dd0c5cd18c38c6da9bd7e0ce6e394cf0a1a05bf0c22ea73530ffd1f06214e8a19c00ea88fcd8b7a91329f47ac0280a701a1339efed5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/948-186-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/948-185-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/1092-724-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1108-483-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/1288-664-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1624-604-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2168-66-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2168-45-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2312-246-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2388-44-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2388-39-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2756-13-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2756-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2756-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2792-544-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2792-543-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2828-125-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download