dcrat | 099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe
Size

1.3MB
MD5

06cd04557fc3166b27de08fa647c1231
SHA1

4a8c53e9c6e039c497cfe3135042eaefda1a3cef
SHA256

099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2
SHA512

52e81347c0796cdfc622fabd7c37543f2179bce3a03f3ae577416c954e5f29f48bcb1ca05d50dc7dbb994fd872821ea0714aa499a38a194629c68fca1f7ea47d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1324	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1324	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1324	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	1324	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1324	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1324	schtasks.exe	34

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000022dd9-137.dat	dcrat
behavioral1/files/0x0002000000022dd9-138.dat	dcrat
behavioral1/memory/1040-139-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/files/0x0002000000022ddf-145.dat	dcrat
behavioral1/files/0x0002000000022ddf-146.dat	dcrat
behavioral1/files/0x0002000000022ddf-164.dat	dcrat
behavioral1/files/0x0002000000022ddf-172.dat	dcrat
behavioral1/files/0x0002000000022ddf-179.dat	dcrat
behavioral1/files/0x0002000000022ddf-186.dat	dcrat
behavioral1/files/0x0002000000022ddf-193.dat	dcrat
behavioral1/files/0x0002000000022ddf-200.dat	dcrat
behavioral1/files/0x0002000000022ddf-207.dat	dcrat
behavioral1/files/0x0002000000022ddf-214.dat	dcrat
behavioral1/files/0x0002000000022ddf-221.dat	dcrat
behavioral1/files/0x0002000000022ddf-228.dat	dcrat
behavioral1/files/0x0002000000022ddf-235.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1040	DllCommonsvc.exe
3548	dllhost.exe
3880	dllhost.exe
2620	dllhost.exe
4068	dllhost.exe
32	dllhost.exe
1040	dllhost.exe
4724	dllhost.exe
4484	dllhost.exe
4252	dllhost.exe
4740	dllhost.exe
3448	dllhost.exe
4196	dllhost.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4140	schtasks.exe
4628	schtasks.exe
3812	schtasks.exe
3992	schtasks.exe
3584	schtasks.exe
744	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1040	DllCommonsvc.exe
2780	powershell.exe
544	powershell.exe
1956	powershell.exe
3548	dllhost.exe
1956	powershell.exe
544	powershell.exe
2780	powershell.exe
3880	dllhost.exe
2620	dllhost.exe
4068	dllhost.exe
32	dllhost.exe
1040	dllhost.exe
4724	dllhost.exe
4484	dllhost.exe
4252	dllhost.exe
4740	dllhost.exe
3448	dllhost.exe
4196	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	DllCommonsvc.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	3548	dllhost.exe
Token: SeDebugPrivilege	3880	dllhost.exe
Token: SeDebugPrivilege	2620	dllhost.exe
Token: SeDebugPrivilege	4068	dllhost.exe
Token: SeDebugPrivilege	32	dllhost.exe
Token: SeDebugPrivilege	1040	dllhost.exe
Token: SeDebugPrivilege	4724	dllhost.exe
Token: SeDebugPrivilege	4484	dllhost.exe
Token: SeDebugPrivilege	4252	dllhost.exe
Token: SeDebugPrivilege	4740	dllhost.exe
Token: SeDebugPrivilege	3448	dllhost.exe
Token: SeDebugPrivilege	4196	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4244	4384	099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe	82
PID 4384 wrote to memory of 4244	4384	099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe	82
PID 4384 wrote to memory of 4244	4384	099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe	82
PID 4244 wrote to memory of 3648	4244	WScript.exe	86
PID 4244 wrote to memory of 3648	4244	WScript.exe	86
PID 4244 wrote to memory of 3648	4244	WScript.exe	86
PID 3648 wrote to memory of 1040	3648	cmd.exe	88
PID 3648 wrote to memory of 1040	3648	cmd.exe	88
PID 1040 wrote to memory of 544	1040	DllCommonsvc.exe	96
PID 1040 wrote to memory of 544	1040	DllCommonsvc.exe	96
PID 1040 wrote to memory of 1956	1040	DllCommonsvc.exe	97
PID 1040 wrote to memory of 1956	1040	DllCommonsvc.exe	97
PID 1040 wrote to memory of 2780	1040	DllCommonsvc.exe	101
PID 1040 wrote to memory of 2780	1040	DllCommonsvc.exe	101
PID 1040 wrote to memory of 3548	1040	DllCommonsvc.exe	102
PID 1040 wrote to memory of 3548	1040	DllCommonsvc.exe	102
PID 3548 wrote to memory of 2876	3548	dllhost.exe	104
PID 3548 wrote to memory of 2876	3548	dllhost.exe	104
PID 2876 wrote to memory of 2700	2876	cmd.exe	107
PID 2876 wrote to memory of 2700	2876	cmd.exe	107
PID 2876 wrote to memory of 3880	2876	cmd.exe	108
PID 2876 wrote to memory of 3880	2876	cmd.exe	108
PID 3880 wrote to memory of 1884	3880	dllhost.exe	109
PID 3880 wrote to memory of 1884	3880	dllhost.exe	109
PID 1884 wrote to memory of 2576	1884	cmd.exe	111
PID 1884 wrote to memory of 2576	1884	cmd.exe	111
PID 1884 wrote to memory of 2620	1884	cmd.exe	113
PID 1884 wrote to memory of 2620	1884	cmd.exe	113
PID 2620 wrote to memory of 4968	2620	dllhost.exe	114
PID 2620 wrote to memory of 4968	2620	dllhost.exe	114
PID 4968 wrote to memory of 4640	4968	cmd.exe	116
PID 4968 wrote to memory of 4640	4968	cmd.exe	116
PID 4968 wrote to memory of 4068	4968	cmd.exe	117
PID 4968 wrote to memory of 4068	4968	cmd.exe	117
PID 4068 wrote to memory of 4712	4068	dllhost.exe	119
PID 4068 wrote to memory of 4712	4068	dllhost.exe	119
PID 4712 wrote to memory of 4340	4712	cmd.exe	120
PID 4712 wrote to memory of 4340	4712	cmd.exe	120
PID 4712 wrote to memory of 32	4712	cmd.exe	121
PID 4712 wrote to memory of 32	4712	cmd.exe	121
PID 32 wrote to memory of 4680	32	dllhost.exe	122
PID 32 wrote to memory of 4680	32	dllhost.exe	122
PID 4680 wrote to memory of 204	4680	cmd.exe	124
PID 4680 wrote to memory of 204	4680	cmd.exe	124
PID 4680 wrote to memory of 1040	4680	cmd.exe	125
PID 4680 wrote to memory of 1040	4680	cmd.exe	125
PID 1040 wrote to memory of 3376	1040	dllhost.exe	127
PID 1040 wrote to memory of 3376	1040	dllhost.exe	127
PID 3376 wrote to memory of 3028	3376	cmd.exe	128
PID 3376 wrote to memory of 3028	3376	cmd.exe	128
PID 3376 wrote to memory of 4724	3376	cmd.exe	129
PID 3376 wrote to memory of 4724	3376	cmd.exe	129
PID 4724 wrote to memory of 4328	4724	dllhost.exe	130
PID 4724 wrote to memory of 4328	4724	dllhost.exe	130
PID 4328 wrote to memory of 4708	4328	cmd.exe	132
PID 4328 wrote to memory of 4708	4328	cmd.exe	132
PID 4328 wrote to memory of 4484	4328	cmd.exe	133
PID 4328 wrote to memory of 4484	4328	cmd.exe	133
PID 4484 wrote to memory of 1720	4484	dllhost.exe	134
PID 4484 wrote to memory of 1720	4484	dllhost.exe	134
PID 1720 wrote to memory of 364	1720	cmd.exe	136
PID 1720 wrote to memory of 364	1720	cmd.exe	136
PID 1720 wrote to memory of 4252	1720	cmd.exe	137
PID 1720 wrote to memory of 4252	1720	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe
"C:\Users\Admin\AppData\Local\Temp\099f193ae7ddc90645efd6cf0e6ac01e571baeb31ee3ae1298567d4976cb22b2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2700
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2576
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4640
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4340
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:204
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3028
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4708
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:364
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        22⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:532
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        24⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:844
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        26⤵
        
        PID:3664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:956
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        28⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
183B

MD5
8958a87c590f0b480a28b2065ee5116c

SHA1
b559edff93f5b9c3661ae192cbc53049adab6653

SHA256
33acdedb0708b1785ef0252d32616e3f7aebd6fe193b769eb7ff90a05b138b9d

SHA512
eba74f8ab12df3bb1e8fc0359ff46a68c8fc3e31e648e324bbc2dbc05fac4695043eb2adf9575195a1ac9291bd76244fd6998461ce7a5719ba93a88e7f632518

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
183B

MD5
a2918362e8d78ede9910ea6711d99e93

SHA1
3011dabfd61a73b35c8b5b55b23326e02fd8abd9

SHA256
6aa56aa7ea5ab9c9ac3c8d8f02531834a91ecc30a9749e69bb67c30eda62f01a

SHA512
2768dc0f1390c42162ef5210e2c6668d1c4fce8fd82fb37d616ac94ca709731dd1c41a07f82be982d486636a6b342a6c7480dafbd77e5621ff5e2f18b479f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
183B

MD5
25c2a74a46c4c72c1610ddf3cb38cdf2

SHA1
344a01c465219089876fc278b8d013d2ed979787

SHA256
07db58bcca5fea1602d92957412461bd2ce840e36b81fda2eec5f2d0d347d7bb

SHA512
f404b98b1123c8b08ca448564616255998bf608bc47b4041531138f778aabe76830eec356cffc3f775c14dd3d46e6202be3ceec91cbfd97bde319a5daf20834a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
183B

MD5
4286506aa8b264265c34d3116f493f25

SHA1
cd64e44078c4cc64f2b45734d3ca730821f230a2

SHA256
40c285bfea1062a30a8139cf5d91eadf8129a2803f8f03f1a79ceb7ff2507589

SHA512
ad7006ecc351c89aad3911ac520d2304c50750c4f6798a1873825afe545b819d893281b6a34044cfaa13b5877adfdecd1ee6deda356ea7ef7460447c68d033c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
183B

MD5
7299447b6ca2c449fdd493a39b84f256

SHA1
21fd62be6d420a1319d3c110a1d4ac52e9dd4df3

SHA256
b56dcd56b9c23a3f90f64ea5067d03ff9d8f031d0a0d33f228c14e439d545322

SHA512
f8e048c80baa9b3d96da65c045e867a87e15705d0b3d85cf4e30c068f3bdeb9dbb501cba20e15b6d32eb4f5e95df5a3b0e822e4023a30fafc21e86f24a056cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
183B

MD5
46f0aa07cecdf7efe26e074aa00d2737

SHA1
2727bfceb38d8b545ef74d91465652ca42de6715

SHA256
8915dea88a33fadff1d4a1749edc693715315afeefd27113d5220a7c6156e7de

SHA512
fd8e99bb828a4b8cade2e32ec60539de4a542d3cea7982092c43054777cea15bc0d64cf1f09e274d836db81b042c6972b49d0c49bf8a8405a8162975c2a65885

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
183B

MD5
46f0aa07cecdf7efe26e074aa00d2737

SHA1
2727bfceb38d8b545ef74d91465652ca42de6715

SHA256
8915dea88a33fadff1d4a1749edc693715315afeefd27113d5220a7c6156e7de

SHA512
fd8e99bb828a4b8cade2e32ec60539de4a542d3cea7982092c43054777cea15bc0d64cf1f09e274d836db81b042c6972b49d0c49bf8a8405a8162975c2a65885

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
183B

MD5
fdb9dc288b8ff32503841d34b05d313a

SHA1
d1eb724d4e4ceb778ceedede68a64b484b774daa

SHA256
052eeab9ab8985c602d69a0929aa4f390b7e112402f96f0fb7c0b834a74f59b9

SHA512
18f8b0814e95c5de3c65b1d5792aaf7f7b7a64356a4be31dbe9a59fa556583ee2d9108f04cafaa65b43e7d650a283a05aa0d3da9a3e9cc5326e2fd70cf459138

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
183B

MD5
8e62e23fdf33ab1713a94839ead40f42

SHA1
553df484fa480a4f5c09f3b1e836acdd19b587c0

SHA256
e72a951e02cc8e9a576539f502484f6db8900830952b3414ef83130cf905db0b

SHA512
1b5769d17285be3d91b21044911a73cd1745e0973045e86cc8db15946b578b7b952c6521f1c1d014af93bca718cb8bdcdc02a49c25abe752dbab4f60eb7b0a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

Filesize
183B

MD5
3ab249e997fd14334342025d93437a49

SHA1
de43e4b5d8019e28fc5f681c6d6e806573b4dcf1

SHA256
eb7e48dfe647a354aa29d9ff4fba47f1106527e5b158eb18a9c4d0312bc1bcf8

SHA512
39edb4abb454e9f4531b31f3fe417ced2c8cfe9bb4d031ef505b33469b0a543a05675155f9aace2f7262a484dbadeca2ff55ae96788aef4255088fa0df4af1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
183B

MD5
d61c0af74515ad1e1744bb974df98a34

SHA1
b59101fdc2501c908753fe2f1e8f2c86451d52b5

SHA256
e4e4ad37b891cdca3dbfbc638d4faa1a9fa7082fce4a5e398c803719fa9406a6

SHA512
0a0c7c4764fe9be9abeda3236012c2a98272dd566f33ab2c600d492340ba571064f7573284d92ebc77864963523b56a1ea74ed717f2a70d35a713d46795c135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
183B

MD5
5e1bc7ddd22b5243717006301753f067

SHA1
1bfcb3504d4329d7fc011ae8eec23ba9b0c8e469

SHA256
f3642a7a632b42c7917c5b750ee51ef953d7000e1c94d64a1f281872e08b09d9

SHA512
57d2cef139f71256f4efdefb72d99b0367a768890908ab12fb0907be625b6609b141033e018afa2e4a4eb62e4147bd7cb7cd200d83207ee73393c497b8070cc0

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/32-189-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/32-187-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/544-150-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/544-156-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/544-147-0x000001EA72D90000-0x000001EA72DB2000-memory.dmp

Filesize
136KB

Download
memory/1040-198-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1040-139-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/1040-140-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/1040-194-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1040-148-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/1956-157-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/1956-149-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/2620-177-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/2620-173-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/2780-158-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/2780-151-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/3448-233-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-229-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-152-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/3548-162-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/3880-166-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/3880-170-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/4068-182-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-180-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-236-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-240-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-219-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-215-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-208-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-212-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-205-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-201-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-226-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-222-0x00007FF948300000-0x00007FF948DC1000-memory.dmp

Filesize
10.8MB

Download