dcrat | e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe
Size

1.3MB
MD5

2775a04a1ac73a1b242a0b1280e5a1be
SHA1

ddab6b05a4f92dd26bfccb906ff4340909f59c47
SHA256

e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5
SHA512

eed477e4150d1a14a1c18a455406067c5ed7b8d44630fb65b2f359765763600ba3d472c6c857ae6c08da5e516f0384b26744b025c2c5da0cd301a54db585759c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	5068	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	5068	schtasks.exe	70

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abdc-284.dat	dcrat
behavioral1/files/0x000900000001abdc-285.dat	dcrat
behavioral1/memory/4280-286-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf2-557.dat	dcrat
behavioral1/files/0x000600000001abf2-558.dat	dcrat
behavioral1/files/0x000600000001abf2-583.dat	dcrat
behavioral1/files/0x000600000001abf2-590.dat	dcrat
behavioral1/files/0x000600000001abf2-595.dat	dcrat
behavioral1/files/0x000600000001abf2-600.dat	dcrat
behavioral1/files/0x000600000001abf2-605.dat	dcrat

Executes dropped EXE 7 IoCs

pid	Process
4280	DllCommonsvc.exe
1360	taskhostw.exe
4252	taskhostw.exe
4616	taskhostw.exe
4764	taskhostw.exe
3616	taskhostw.exe
3316	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HoloShell\pris\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\HoloShell\pris\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4536	schtasks.exe
4676	schtasks.exe
4720	schtasks.exe
4380	schtasks.exe
4012	schtasks.exe
4632	schtasks.exe
4576	schtasks.exe
4624	schtasks.exe
4532	schtasks.exe
2120	schtasks.exe
4964	schtasks.exe
3960	schtasks.exe
1936	schtasks.exe
3524	schtasks.exe
4740	schtasks.exe
4428	schtasks.exe
4912	schtasks.exe
3284	schtasks.exe
4656	schtasks.exe
4580	schtasks.exe
4556	schtasks.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4280	DllCommonsvc.exe
4280	DllCommonsvc.exe
4280	DllCommonsvc.exe
4508	powershell.exe
3148	powershell.exe
3204	powershell.exe
668	powershell.exe
488	powershell.exe
3692	powershell.exe
3148	powershell.exe
4752	powershell.exe
3204	powershell.exe
1484	powershell.exe
4752	powershell.exe
4508	powershell.exe
3148	powershell.exe
3204	powershell.exe
668	powershell.exe
4752	powershell.exe
4508	powershell.exe
3692	powershell.exe
488	powershell.exe
668	powershell.exe
1484	powershell.exe
3692	powershell.exe
488	powershell.exe
1484	powershell.exe
1360	taskhostw.exe
4252	taskhostw.exe
4616	taskhostw.exe
4764	taskhostw.exe
3616	taskhostw.exe
3316	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	DllCommonsvc.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3148	powershell.exe
Token: SeSecurityPrivilege	3148	powershell.exe
Token: SeTakeOwnershipPrivilege	3148	powershell.exe
Token: SeLoadDriverPrivilege	3148	powershell.exe
Token: SeSystemProfilePrivilege	3148	powershell.exe
Token: SeSystemtimePrivilege	3148	powershell.exe
Token: SeProfSingleProcessPrivilege	3148	powershell.exe
Token: SeIncBasePriorityPrivilege	3148	powershell.exe
Token: SeCreatePagefilePrivilege	3148	powershell.exe
Token: SeBackupPrivilege	3148	powershell.exe
Token: SeRestorePrivilege	3148	powershell.exe
Token: SeShutdownPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeSystemEnvironmentPrivilege	3148	powershell.exe
Token: SeRemoteShutdownPrivilege	3148	powershell.exe
Token: SeUndockPrivilege	3148	powershell.exe
Token: SeManageVolumePrivilege	3148	powershell.exe
Token: 33	3148	powershell.exe
Token: 34	3148	powershell.exe
Token: 35	3148	powershell.exe
Token: 36	3148	powershell.exe
Token: SeIncreaseQuotaPrivilege	4752	powershell.exe
Token: SeSecurityPrivilege	4752	powershell.exe
Token: SeTakeOwnershipPrivilege	4752	powershell.exe
Token: SeLoadDriverPrivilege	4752	powershell.exe
Token: SeSystemProfilePrivilege	4752	powershell.exe
Token: SeSystemtimePrivilege	4752	powershell.exe
Token: SeProfSingleProcessPrivilege	4752	powershell.exe
Token: SeIncBasePriorityPrivilege	4752	powershell.exe
Token: SeCreatePagefilePrivilege	4752	powershell.exe
Token: SeBackupPrivilege	4752	powershell.exe
Token: SeRestorePrivilege	4752	powershell.exe
Token: SeShutdownPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3468	2492	e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe	66
PID 2492 wrote to memory of 3468	2492	e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe	66
PID 2492 wrote to memory of 3468	2492	e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe	66
PID 3468 wrote to memory of 4940	3468	WScript.exe	67
PID 3468 wrote to memory of 4940	3468	WScript.exe	67
PID 3468 wrote to memory of 4940	3468	WScript.exe	67
PID 4940 wrote to memory of 4280	4940	cmd.exe	69
PID 4940 wrote to memory of 4280	4940	cmd.exe	69
PID 4280 wrote to memory of 4508	4280	DllCommonsvc.exe	93
PID 4280 wrote to memory of 4508	4280	DllCommonsvc.exe	93
PID 4280 wrote to memory of 3204	4280	DllCommonsvc.exe	92
PID 4280 wrote to memory of 3204	4280	DllCommonsvc.exe	92
PID 4280 wrote to memory of 3148	4280	DllCommonsvc.exe	94
PID 4280 wrote to memory of 3148	4280	DllCommonsvc.exe	94
PID 4280 wrote to memory of 668	4280	DllCommonsvc.exe	96
PID 4280 wrote to memory of 668	4280	DllCommonsvc.exe	96
PID 4280 wrote to memory of 4752	4280	DllCommonsvc.exe	98
PID 4280 wrote to memory of 4752	4280	DllCommonsvc.exe	98
PID 4280 wrote to memory of 3692	4280	DllCommonsvc.exe	100
PID 4280 wrote to memory of 3692	4280	DllCommonsvc.exe	100
PID 4280 wrote to memory of 488	4280	DllCommonsvc.exe	102
PID 4280 wrote to memory of 488	4280	DllCommonsvc.exe	102
PID 4280 wrote to memory of 1484	4280	DllCommonsvc.exe	104
PID 4280 wrote to memory of 1484	4280	DllCommonsvc.exe	104
PID 4280 wrote to memory of 504	4280	DllCommonsvc.exe	108
PID 4280 wrote to memory of 504	4280	DllCommonsvc.exe	108
PID 504 wrote to memory of 1524	504	cmd.exe	110
PID 504 wrote to memory of 1524	504	cmd.exe	110
PID 504 wrote to memory of 1360	504	cmd.exe	112
PID 504 wrote to memory of 1360	504	cmd.exe	112
PID 1360 wrote to memory of 720	1360	taskhostw.exe	113
PID 1360 wrote to memory of 720	1360	taskhostw.exe	113
PID 720 wrote to memory of 3404	720	cmd.exe	115
PID 720 wrote to memory of 3404	720	cmd.exe	115
PID 720 wrote to memory of 4252	720	cmd.exe	116
PID 720 wrote to memory of 4252	720	cmd.exe	116
PID 4252 wrote to memory of 3736	4252	taskhostw.exe	117
PID 4252 wrote to memory of 3736	4252	taskhostw.exe	117
PID 3736 wrote to memory of 4736	3736	cmd.exe	119
PID 3736 wrote to memory of 4736	3736	cmd.exe	119
PID 3736 wrote to memory of 4616	3736	cmd.exe	120
PID 3736 wrote to memory of 4616	3736	cmd.exe	120
PID 4616 wrote to memory of 3740	4616	taskhostw.exe	121
PID 4616 wrote to memory of 3740	4616	taskhostw.exe	121
PID 3740 wrote to memory of 4712	3740	cmd.exe	123
PID 3740 wrote to memory of 4712	3740	cmd.exe	123
PID 3740 wrote to memory of 4764	3740	cmd.exe	124
PID 3740 wrote to memory of 4764	3740	cmd.exe	124
PID 4764 wrote to memory of 1928	4764	taskhostw.exe	125
PID 4764 wrote to memory of 1928	4764	taskhostw.exe	125
PID 1928 wrote to memory of 1844	1928	cmd.exe	127
PID 1928 wrote to memory of 1844	1928	cmd.exe	127
PID 1928 wrote to memory of 3616	1928	cmd.exe	128
PID 1928 wrote to memory of 3616	1928	cmd.exe	128
PID 3616 wrote to memory of 2212	3616	taskhostw.exe	129
PID 3616 wrote to memory of 2212	3616	taskhostw.exe	129
PID 2212 wrote to memory of 4836	2212	cmd.exe	131
PID 2212 wrote to memory of 4836	2212	cmd.exe	131
PID 2212 wrote to memory of 3316	2212	cmd.exe	132
PID 2212 wrote to memory of 3316	2212	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe
"C:\Users\Admin\AppData\Local\Temp\e45f912e0de3b3db2b9abedbfaf0bd9b2745d05cb8b4029ff824af33dad398b5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\HoloShell\pris\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gIDmmVNPO8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1524
      - C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3404
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4736
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4712
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1844
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4836
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\HoloShell\pris\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\HoloShell\pris\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\HoloShell\pris\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e481468a32ecf4b5542a62bed1d4d0a6

SHA1
ec0798ad1834cff776bf5dc4beed466ee65572a3

SHA256
edb4afae1a0a4a3f77bd990e7c51fcf607d2125b9b980961837e25af036bccac

SHA512
0be1c2a0d58387c4986cb5006c0e39f7eb37e6344b4d03eb84216d869b8197f2c3510930916b097b843bb0b13712df6a31960d1b44bdb32cd2f71c9e743b7d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4e049f15ea374a88c4508cc4272a9ea

SHA1
12cb8d9523fe884f47deea2d7cd3608a2a2a3081

SHA256
3104f6f22526403c27ac573a0245625203d0b2c47339c066c42ccbd113e92a25

SHA512
cd9a6b4663c3526064b05628724de69ff7bc841f204dc93b50f064642c49b007da21e8351b21f925251a5c16aa4ecb10cb7b2ef22dc588e3e227da00284a67c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bd086e29775bab4e76f669f888cebd6

SHA1
36c319f938b89e5af0bbf9af76614648a218bf77

SHA256
5db7be677eb00b287e0ee24984fcbfa2e6bde826f8b0eb7b27c4825ee80a8e6a

SHA512
e89a18d63c728a5409e3d95d6839872f2332aa8f81e0e14575bb8f444b5bc3be2a076454f6bee2db85cc4baf9de739a36c42843ab549fa221513d31087540877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f44d3f009cab6e3855aced7c441a19e

SHA1
801d474e59be3bd8919ef31d53b85c4cb724facf

SHA256
39dfecb92d361601341312151c78065189849aea603bce56219fb1ce625270c8

SHA512
73762d54758042868f0389cca618dffe02e57aacf6dc0b1cd4fe7fc4439b2492348d8de5e7513862d6c0e40f8896b04f3d3aaac619645429087621159a8269a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f44d3f009cab6e3855aced7c441a19e

SHA1
801d474e59be3bd8919ef31d53b85c4cb724facf

SHA256
39dfecb92d361601341312151c78065189849aea603bce56219fb1ce625270c8

SHA512
73762d54758042868f0389cca618dffe02e57aacf6dc0b1cd4fe7fc4439b2492348d8de5e7513862d6c0e40f8896b04f3d3aaac619645429087621159a8269a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c2aba98cda4942cba72d72402300444

SHA1
e4c8c10d272db65dbee29d1a3ad28ca9b15d34c5

SHA256
afc4ce9eec63cdf635e9c6d60dc2ef15c64f242dbdf514d85cc8572eaf1fd9e9

SHA512
b572682cfb3e2b69886fda8fbb0d2ef59d7f4d5154c42f3846e3ebbf32db0bee8e38715e6a17a2586b6f4d43c74bd3989df75da7946b1a7c31e123a566ce5f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c2aba98cda4942cba72d72402300444

SHA1
e4c8c10d272db65dbee29d1a3ad28ca9b15d34c5

SHA256
afc4ce9eec63cdf635e9c6d60dc2ef15c64f242dbdf514d85cc8572eaf1fd9e9

SHA512
b572682cfb3e2b69886fda8fbb0d2ef59d7f4d5154c42f3846e3ebbf32db0bee8e38715e6a17a2586b6f4d43c74bd3989df75da7946b1a7c31e123a566ce5f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
185B

MD5
e577dc747c6a4ea4ad7593c35f0f5693

SHA1
86f519c6358b1bd6f4d6e63fe81ee57f73536189

SHA256
0d202cda6b5de1b66e96188f5632c432c61eedc40b72ae41a8453d8eb4a0226a

SHA512
a637032bc878fe2774b491dae84e34a3e6898165c0817549fe9888fe5adac2a705b0aa21e3116f1c07e8134592b2b2a7577e8447b7a3d7402a811d83e99d124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
185B

MD5
bdc17ab19cecebbef4102c70fbe4e507

SHA1
1b76ecf18d232bf3dbe7ba1c23511a6312f21f17

SHA256
f6d0c431230e3cb64752667d631a58fdabe6dd278b1ae550ed7c25a481091b6c

SHA512
2d519188078b2ff8a36cb665f002de3d532b1423ffd606da3c5c13a10807472810ba24dc121eb1ef1f827d171c83309591bd4936da313f4aff9a8690d849272c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIDmmVNPO8.bat

Filesize
185B

MD5
0a0ad27bef2258c59f3d39defae63c2c

SHA1
2ccf76982648e9a8570f6f568ece38ac01594d0c

SHA256
82003616035a219d7d73e82f813c31666641b922e0c3dae48cd2cc159470672b

SHA512
b8cc4c614906142e5f165af2d6a7c17ccfc121fb64038a3a78324bba14865c13baccba5bbfe084a719d0502b9edf7fc0f5cd4d53b53893141a1f6a406369094f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
185B

MD5
3f81891f31faea4023ba573defaa12b2

SHA1
cc907323aa4ac5b254f3b221cc0af029e99432f5

SHA256
34f3c0c42c149831b92a354acfbdc13445b01c1d799e4d5f5188f6a9581e6961

SHA512
e7ef9062d75da112135134767ef1a24fdab3c93af0b27a58080a0ae9498aa6d5e5a72be22a88c600b41d21f20f75a51c24ecfab2ce57557c48ce97630688e7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
185B

MD5
1cdc631dc2405fdccacc9d17631c87de

SHA1
b24e2f1628bc200b0198fea8b80aa232294295fc

SHA256
52ef7ee366bda1de9197a39cbf4d7c850dc0a51f05d2fcf0e7a19301bc52b51e

SHA512
d27c5fe1a311c5fd38011e4738398f512e7529f42a5a0eb72742666733308d70e88c86220677da4647284a181d6335d158e5715e61df7adb220f436af626ca60

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
185B

MD5
930c37c1564645a6925cc59483ad4e98

SHA1
8ef0ac6ca96ee85784a6761a907a2640bcf1dd56

SHA256
992886fddab6fdf9313405b05c74a09c8ec34662e55c35ebcc1f2f2af76606cc

SHA512
a6e9105b3be5ab736d583551cc6dba5c66d692186d7311d92537cab67bc2fd9d348373f188fef0316193c527f8b799b1db1f5019158eac45d6956bb1699a85af

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2492-152-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-134-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-160-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-161-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-162-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-163-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-164-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-165-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-166-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-167-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-168-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-169-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-171-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-172-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-173-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-170-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-174-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-175-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-176-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-177-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-178-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-179-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-180-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-181-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-182-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-183-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-123-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-158-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-157-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-125-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-126-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-156-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-155-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-128-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-129-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-130-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-131-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-132-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-133-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-159-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-135-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-154-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-136-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-137-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-120-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-153-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-151-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-139-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-138-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-150-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-149-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-148-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-147-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-146-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-145-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-144-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-143-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-142-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-141-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-140-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3148-332-0x0000018FF9EE0000-0x0000018FF9F02000-memory.dmp

Filesize
136KB

Download
memory/3148-336-0x0000018FFA0B0000-0x0000018FFA126000-memory.dmp

Filesize
472KB

Download
memory/3468-185-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3468-186-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-585-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/4280-290-0x00000000023A0000-0x00000000023AC000-memory.dmp

Filesize
48KB

Download
memory/4280-289-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/4280-288-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/4280-287-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/4280-286-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download