dcrat | 768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe
Size

1.3MB
MD5

8c6c6f8d6559aaa828807de12b6adeae
SHA1

d802c8b9338c1bb4359e1ea288cf0625225d5d2e
SHA256

768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659
SHA512

12921bb89ff2fbcc4ec6ca93a770f1dc01ddadbb30b1d0b5a21f84f5d54b5eaaf3cf58f1a5c3afdea2691231d51669e5316236392283c2f8cf7cdc7b8418bdca
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2704	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ace-9.dat	dcrat
behavioral1/memory/3052-13-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1732-58-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/2816-125-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2932-185-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2604-305-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2968-366-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/840-426-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/508-486-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2252-546-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/756-606-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe
2720	powershell.exe
2368	powershell.exe
2568	powershell.exe
1656	powershell.exe
1664	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3052	DllCommonsvc.exe
1732	DllCommonsvc.exe
2816	DllCommonsvc.exe
2932	DllCommonsvc.exe
2568	DllCommonsvc.exe
2604	DllCommonsvc.exe
2968	DllCommonsvc.exe
840	DllCommonsvc.exe
508	DllCommonsvc.exe
2252	DllCommonsvc.exe
756	DllCommonsvc.exe
1328	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
35	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\de-DE\smss.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Registration\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Tasks\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
2724	schtasks.exe
2388	schtasks.exe
2840	schtasks.exe
2628	schtasks.exe
1888	schtasks.exe
2996	schtasks.exe
2232	schtasks.exe
2740	schtasks.exe
1056	schtasks.exe
1376	schtasks.exe
2584	schtasks.exe
2680	schtasks.exe
2820	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3052	DllCommonsvc.exe
2368	powershell.exe
1656	powershell.exe
2720	powershell.exe
2568	powershell.exe
2384	powershell.exe
1664	powershell.exe
1732	DllCommonsvc.exe
2816	DllCommonsvc.exe
2932	DllCommonsvc.exe
2568	DllCommonsvc.exe
2604	DllCommonsvc.exe
2968	DllCommonsvc.exe
840	DllCommonsvc.exe
508	DllCommonsvc.exe
2252	DllCommonsvc.exe
756	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	DllCommonsvc.exe
Token: SeDebugPrivilege	1732	DllCommonsvc.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2816	DllCommonsvc.exe
Token: SeDebugPrivilege	2932	DllCommonsvc.exe
Token: SeDebugPrivilege	2568	DllCommonsvc.exe
Token: SeDebugPrivilege	2604	DllCommonsvc.exe
Token: SeDebugPrivilege	2968	DllCommonsvc.exe
Token: SeDebugPrivilege	840	DllCommonsvc.exe
Token: SeDebugPrivilege	508	DllCommonsvc.exe
Token: SeDebugPrivilege	2252	DllCommonsvc.exe
Token: SeDebugPrivilege	756	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2456	2208	JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe	30
PID 2208 wrote to memory of 2456	2208	JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe	30
PID 2208 wrote to memory of 2456	2208	JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe	30
PID 2208 wrote to memory of 2456	2208	JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe	30
PID 2456 wrote to memory of 2928	2456	WScript.exe	31
PID 2456 wrote to memory of 2928	2456	WScript.exe	31
PID 2456 wrote to memory of 2928	2456	WScript.exe	31
PID 2456 wrote to memory of 2928	2456	WScript.exe	31
PID 2928 wrote to memory of 3052	2928	cmd.exe	33
PID 2928 wrote to memory of 3052	2928	cmd.exe	33
PID 2928 wrote to memory of 3052	2928	cmd.exe	33
PID 2928 wrote to memory of 3052	2928	cmd.exe	33
PID 3052 wrote to memory of 2568	3052	DllCommonsvc.exe	50
PID 3052 wrote to memory of 2568	3052	DllCommonsvc.exe	50
PID 3052 wrote to memory of 2568	3052	DllCommonsvc.exe	50
PID 3052 wrote to memory of 1656	3052	DllCommonsvc.exe	51
PID 3052 wrote to memory of 1656	3052	DllCommonsvc.exe	51
PID 3052 wrote to memory of 1656	3052	DllCommonsvc.exe	51
PID 3052 wrote to memory of 1664	3052	DllCommonsvc.exe	52
PID 3052 wrote to memory of 1664	3052	DllCommonsvc.exe	52
PID 3052 wrote to memory of 1664	3052	DllCommonsvc.exe	52
PID 3052 wrote to memory of 2384	3052	DllCommonsvc.exe	53
PID 3052 wrote to memory of 2384	3052	DllCommonsvc.exe	53
PID 3052 wrote to memory of 2384	3052	DllCommonsvc.exe	53
PID 3052 wrote to memory of 2368	3052	DllCommonsvc.exe	55
PID 3052 wrote to memory of 2368	3052	DllCommonsvc.exe	55
PID 3052 wrote to memory of 2368	3052	DllCommonsvc.exe	55
PID 3052 wrote to memory of 2720	3052	DllCommonsvc.exe	57
PID 3052 wrote to memory of 2720	3052	DllCommonsvc.exe	57
PID 3052 wrote to memory of 2720	3052	DllCommonsvc.exe	57
PID 3052 wrote to memory of 1732	3052	DllCommonsvc.exe	62
PID 3052 wrote to memory of 1732	3052	DllCommonsvc.exe	62
PID 3052 wrote to memory of 1732	3052	DllCommonsvc.exe	62
PID 1732 wrote to memory of 2736	1732	DllCommonsvc.exe	63
PID 1732 wrote to memory of 2736	1732	DllCommonsvc.exe	63
PID 1732 wrote to memory of 2736	1732	DllCommonsvc.exe	63
PID 2736 wrote to memory of 2028	2736	cmd.exe	65
PID 2736 wrote to memory of 2028	2736	cmd.exe	65
PID 2736 wrote to memory of 2028	2736	cmd.exe	65
PID 2736 wrote to memory of 2816	2736	cmd.exe	66
PID 2736 wrote to memory of 2816	2736	cmd.exe	66
PID 2736 wrote to memory of 2816	2736	cmd.exe	66
PID 2816 wrote to memory of 2828	2816	DllCommonsvc.exe	67
PID 2816 wrote to memory of 2828	2816	DllCommonsvc.exe	67
PID 2816 wrote to memory of 2828	2816	DllCommonsvc.exe	67
PID 2828 wrote to memory of 2672	2828	cmd.exe	69
PID 2828 wrote to memory of 2672	2828	cmd.exe	69
PID 2828 wrote to memory of 2672	2828	cmd.exe	69
PID 2828 wrote to memory of 2932	2828	cmd.exe	70
PID 2828 wrote to memory of 2932	2828	cmd.exe	70
PID 2828 wrote to memory of 2932	2828	cmd.exe	70
PID 2932 wrote to memory of 2300	2932	DllCommonsvc.exe	71
PID 2932 wrote to memory of 2300	2932	DllCommonsvc.exe	71
PID 2932 wrote to memory of 2300	2932	DllCommonsvc.exe	71
PID 2300 wrote to memory of 2064	2300	cmd.exe	73
PID 2300 wrote to memory of 2064	2300	cmd.exe	73
PID 2300 wrote to memory of 2064	2300	cmd.exe	73
PID 2300 wrote to memory of 2568	2300	cmd.exe	74
PID 2300 wrote to memory of 2568	2300	cmd.exe	74
PID 2300 wrote to memory of 2568	2300	cmd.exe	74
PID 2568 wrote to memory of 2808	2568	DllCommonsvc.exe	75
PID 2568 wrote to memory of 2808	2568	DllCommonsvc.exe	75
PID 2568 wrote to memory of 2808	2568	DllCommonsvc.exe	75
PID 2808 wrote to memory of 1868	2808	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_768cd3db80d967ef4a276ea425f41bfc533ea9bffabfa1603249ae5f2301b659.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2028
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2672
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2064
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1868
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        14⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:948
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        16⤵
        
        PID:460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2820
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        18⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2332
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
        20⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2196
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        22⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2428
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        24⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1684
        
        C:\Windows\Tasks\DllCommonsvc.exe
        
        "C:\Windows\Tasks\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        
        PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a563da951a25e214d711c105ce309983

SHA1
21271556df3086f32e76b09a99d0544c66ebcde4

SHA256
ece2c91401c131ef6b74fd30a2a258f5a6fabf0d8260724a4a8b502634637c10

SHA512
a149d007df12a699a7a7a46dab8e725e88e56a332d0c247e23fc05c2bde2caa2fbbaafa0109cc6ee69d5a6285f33c4bbc48e7f12b39bb969e3c8fe10de29f258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
994540f64f697ad4cdb013d53591027c

SHA1
80f530213c12045527e041d833acde5a5ba72dfb

SHA256
4c6bd4e56ff9aa215ab37404ddb2514a83230790ab22a2e847964898ea4736f2

SHA512
d35fc2b2cc6575796dbbbee3089e902cf887142c4b2d6236ba6c8477af091e6aa448b8dacd9bd1f0144c610f70d04b59c9c056add95c5b8d03523addbdc3b29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b15d86855935d608cee1d486d92bc38b

SHA1
4ddf3a229b460e2a68eab205b88974a99bc6b2a8

SHA256
d77817bbf30cb7af698c96f822a7f43293f6723b8060aa6b906b9efbdc3d57b4

SHA512
bcb1bad68f4615fe3d52762dfc23d6e1d96e13c26fc9865d8772d76897aa8d69662b53a7a5e247ca4075f3e9d8644ae99767310d9346390c3d17d67025fa1e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c0fd48887401f02c2dd0210135b05e4

SHA1
a62f1ce17208460132783ca192ddf57c43161f09

SHA256
57c332b41c3243978dcdc44708daf74ddac5932734af46a3afb25a15a39ab16e

SHA512
87cdd0edf33679e92807e2a7b481a1b537762dd0372b2b1a38f706513bd479598e09e7470498a848b3f587d46f735a8e2ab9723e01b73901875f70fb27ec4750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da7ee668e72e3ff97ddb9556b6b33596

SHA1
ac894f9f38e04e004b1503fab91f7c6b9fe9315f

SHA256
c23646b31fbba2825d68a6381c538f7550c11142be043185450e00db9f0f0ccb

SHA512
0db08ae108919a8a39deeaae02fa1cec9a867020554c9c7b81636297ad8a50ed1d7556c6beb53c1fd2067b4faf6cd575809b83e1f2de94a6db34c2ba9993ba70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1741d15d8506f6f49a888364d06ff15d

SHA1
bacfd63ea61b7fcd8ef043726d443ec38e647d44

SHA256
9db4e5b710b6e5507eaca128d8da324cee27ae3da54437b3e9f2ba716185ee04

SHA512
54b111ea7421171dd7903a1891302f70cfe2cbe083919d01938885f37ed08fd263e0a5322d0202681dd25c16871e79c7ea4ffd11d898b6083ba2bb8c540a6165

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e045461272b958708ab764f9d7ebe416

SHA1
876e99ae25b2ea027c8a781febf5ddee1a9d7ae0

SHA256
4716d570f0abf061ac3bc410bbf097c95e335955e51a14ef63126504b1cadeca

SHA512
47739eaca5b0351a6a2b745b4ce005599f72a328e5deda774947825b553c286f74badbb91cf5268817875b0c368917f595ad96a59264efc049aa5c83ed4d3fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75a586e4b564fe2cf1b3c91a473fecba

SHA1
02bd28256f314d186e4c94ca91a8fd300b8b59c0

SHA256
85534b5865aa39acfb3a58b875a753f80dbf7e85c06ef3ed3b87c710f8aff31e

SHA512
18c09614d2fd347baba6bfded51cd619990f26a159e6ac0ddea4f168897933efc070c4ea36157dd8a5a84e30312cb2044b6229c2451495ae5eddd9fe87345553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82e1807ea51efcb08c174e11286d1c00

SHA1
c63ca8f55c28329b941df8ed1247ede5357e5df7

SHA256
cf0e039853fdb638df41b50dec0bc049682673bbd0c6ae0f96e8e8fff9a70700

SHA512
f964a07e2ab78e4cdd865108a92da4cae48b999a0a63a07a603f9a2394b6364ac9281b54ede77136622604c1d74344a3f9a42b8fee2b7faac5ee47eaa28ac052

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
198B

MD5
cd012ba5dbfc6daa47af21de5e9401c9

SHA1
021d275f33571f945786b5a65109cb481be7fc3f

SHA256
fb290d8f3d19d90de3234f77b917935186fdbf508cd70443419954616dcfa8b0

SHA512
d886bc87a0eb1eee9bd45bfb01979060b14282848727a08f0d6ff62f7f730651361eb93950a538e4e629747051c638092e1f518585d8b606505c188b039ec84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC563.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
198B

MD5
ea84526b6f89fe6610133001c70d4532

SHA1
2bb0c22b5d5e06026b9bb2a356515fe3f9167f7c

SHA256
d2ad3147b5c95405d75ea409c0130054ef68fc76ff9cf942daec5c8aebbdef6a

SHA512
94aefee170953191977dd957a49307e7ebd6b5ea5dd1bd9da8d327d90575ed83b87ab851dfd49e863922c3b555786f43e559c9748bd18a181f93326b024867ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
198B

MD5
e721d4c5a7e7784e453ab70ccc6c0fa2

SHA1
10f18e2d56fef11beee9e119f27ab5a123511c3a

SHA256
eed73b88fedb27d2e39ee7a1158cff2922c24bfa9292859a379bde454478952f

SHA512
5413131f01513efd9ab613fb700880defefde953698af3c5053718fbf23a746e7a0f479cf9db2a15551276a6ca5482ff192c90f7784f3e6ad8f79c5bb15c9622

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
198B

MD5
ef1e675d7462d0b1a400af9afff709ef

SHA1
29108ee9f11d3d7f10fbe3918fa377f439cc0b70

SHA256
10fe6d21adada982bfaa487ce302617f9086cb2b163f73adea47d31a7aa8a765

SHA512
d39384a0cc68b67a3b44da82df39797255d1aef5c2ec6a575f06805cbc2b33607cd5cfc36cc64aa4016ed3634311b9bf2d4311b7c69eaba5e04d2e6485340d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
198B

MD5
1c22f3740930d487462e317ff3ac79a6

SHA1
e60d49fff30d23eeb611265f076a777ce31f508c

SHA256
c241a28e0dcb6f614302b5e92b311b0be87faedb3855d7bb926aa54c00021e6a

SHA512
99da2bf0c7ac8826dcb394d5ff7bcfb4cf9ae67b0585fc0092cb49b4c9dec2638ddbaf28080001a07b7262138ab74eb3246df76a7a628339adde80eded14bda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC586.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
198B

MD5
4ab923617d03293f4095796432af77d6

SHA1
d8a2e628c9a54fc3dd34ae919db1b8f8c1ef4df2

SHA256
03a458195b51e73d1377870ec8446c5d9b4d855dbc61ea0ddfbadbc4211c16fa

SHA512
1dea4b609b3783727fbb071de4c22f47411fb6e696c99311e1881462724bd38a5614e5f434cece03301fcd1d3354fd65474d7c994ec8e1113e2afaad74038904

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
198B

MD5
d502211bdd91240441ab8cd7b16e7a49

SHA1
44ee3d80eea97f22c814e827253779e1ce2320d8

SHA256
0884117ea0189578bcf0cc04f723d762025514abc342b64ea24968ff0fc9740e

SHA512
0ce8a3cb4a1a2d45e206fbfe56a25825fe974b0e3f2e8bd3e0a7a5a90220e39066f42b159f9ca4bd1462f5950e29d40f7d94cb1d1877dd1649a8aa3e016429d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

Filesize
198B

MD5
498b3a871722eaa996c6ffd0f4383995

SHA1
6197f0e2ee6338c20a830b0bb9adb39dfcb2837e

SHA256
27a220de8359043986b6317ed1c91228a2294ba4d1f49ff23a37a0fe1a44508b

SHA512
8e64ee3ee68f4850c161f8c811b2739445d54cd19ed4803958ea539229f86b8815f34c7ca2688ec04567c56eed237caeb8807b9cc6f070e7423c0743e30edc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
198B

MD5
597224f6c3f37ab5794f2b01d7aac6f4

SHA1
658c7e4865877315c207417d445eed80680857b3

SHA256
21e4e291dbf3fcb45794b9574eed35208ba3ad2d86f04fb276f0ce6f3d4002b3

SHA512
ab97cbae88e805d5c7f1b99a1f6aa79a5d30f010096665f86ac3de59ce88eaaae777fcc088994817d4252d811e77662264d96ab8161ac494a360e50d68d8a63e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5VXDMYHO3KQJ7LV0IYT0.temp

Filesize
7KB

MD5
2b6539fef2bcdca2709592096f210feb

SHA1
d710644422b788d1d0ff514ce33d3fa685e24946

SHA256
d5f9db9232bb9ec2570c728227a16cbd63b769459c78250fae9c41844d758d63

SHA512
63a89ff4523ec0d6db7a69e58dd49a515f7da63e59d7fb0091cb88afdb286e29eb3618c41fc97c0472e76fc923d6a834e0f3a85f1c9681c5dfcae32b39b89dc5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/508-486-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/756-606-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/840-426-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1656-65-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/1732-58-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1732-66-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2252-546-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2368-64-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2604-306-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2604-305-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2816-125-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2932-186-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2932-185-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/2968-366-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/3052-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/3052-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/3052-15-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/3052-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3052-13-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download