dcrat | 021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe
Size

1.3MB
MD5

1583f3a934bccee02023bfaa6b8082c2
SHA1

e01ad1d111cd956ba0a65734fb4a80a5bb8a11d2
SHA256

021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d
SHA512

682c012092b11a6251f90373963044e0982fbb3879f79267b6f6bbb0549d1254886246e1ad417728d7097d585b5d9d7905df593a3c70cde7c2d08ce4a65b4ed5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1348	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	1348	schtasks.exe	46

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000022df0-137.dat	dcrat
behavioral1/files/0x0002000000022df0-138.dat	dcrat
behavioral1/memory/1472-139-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/files/0x0002000000022df5-164.dat	dcrat
behavioral1/files/0x0002000000022df5-163.dat	dcrat
behavioral1/files/0x0002000000022df5-171.dat	dcrat
behavioral1/files/0x0002000000022df5-179.dat	dcrat
behavioral1/files/0x0002000000022df5-186.dat	dcrat
behavioral1/files/0x0002000000022df5-193.dat	dcrat
behavioral1/files/0x0002000000022df5-200.dat	dcrat
behavioral1/files/0x0002000000022df5-207.dat	dcrat
behavioral1/files/0x0002000000022df5-214.dat	dcrat
behavioral1/files/0x0002000000022df5-221.dat	dcrat
behavioral1/files/0x0002000000022df5-228.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1472	DllCommonsvc.exe
5080	SppExtComObj.exe
2708	SppExtComObj.exe
4896	SppExtComObj.exe
3100	SppExtComObj.exe
1472	SppExtComObj.exe
544	SppExtComObj.exe
4676	SppExtComObj.exe
3480	SppExtComObj.exe
1552	SppExtComObj.exe
5084	SppExtComObj.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Registration\CRMLog\services.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1836	schtasks.exe
3784	schtasks.exe
3300	schtasks.exe
5100	schtasks.exe
2336	schtasks.exe
3208	schtasks.exe
1592	schtasks.exe
4864	schtasks.exe
3624	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	SppExtComObj.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1472	DllCommonsvc.exe
3040	powershell.exe
4572	powershell.exe
1996	powershell.exe
3136	powershell.exe
4572	powershell.exe
3040	powershell.exe
1996	powershell.exe
3136	powershell.exe
5080	SppExtComObj.exe
2708	SppExtComObj.exe
4896	SppExtComObj.exe
3100	SppExtComObj.exe
1472	SppExtComObj.exe
544	SppExtComObj.exe
4676	SppExtComObj.exe
3480	SppExtComObj.exe
1552	SppExtComObj.exe
5084	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	DllCommonsvc.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	5080	SppExtComObj.exe
Token: SeDebugPrivilege	2708	SppExtComObj.exe
Token: SeDebugPrivilege	4896	SppExtComObj.exe
Token: SeDebugPrivilege	3100	SppExtComObj.exe
Token: SeDebugPrivilege	1472	SppExtComObj.exe
Token: SeDebugPrivilege	544	SppExtComObj.exe
Token: SeDebugPrivilege	4676	SppExtComObj.exe
Token: SeDebugPrivilege	3480	SppExtComObj.exe
Token: SeDebugPrivilege	1552	SppExtComObj.exe
Token: SeDebugPrivilege	5084	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 5044	4956	021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe	80
PID 4956 wrote to memory of 5044	4956	021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe	80
PID 4956 wrote to memory of 5044	4956	021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe	80
PID 5044 wrote to memory of 1324	5044	WScript.exe	81
PID 5044 wrote to memory of 1324	5044	WScript.exe	81
PID 5044 wrote to memory of 1324	5044	WScript.exe	81
PID 1324 wrote to memory of 1472	1324	cmd.exe	83
PID 1324 wrote to memory of 1472	1324	cmd.exe	83
PID 1472 wrote to memory of 3040	1472	DllCommonsvc.exe	93
PID 1472 wrote to memory of 3040	1472	DllCommonsvc.exe	93
PID 1472 wrote to memory of 3136	1472	DllCommonsvc.exe	100
PID 1472 wrote to memory of 3136	1472	DllCommonsvc.exe	100
PID 1472 wrote to memory of 1996	1472	DllCommonsvc.exe	94
PID 1472 wrote to memory of 1996	1472	DllCommonsvc.exe	94
PID 1472 wrote to memory of 4572	1472	DllCommonsvc.exe	98
PID 1472 wrote to memory of 4572	1472	DllCommonsvc.exe	98
PID 1472 wrote to memory of 3348	1472	DllCommonsvc.exe	101
PID 1472 wrote to memory of 3348	1472	DllCommonsvc.exe	101
PID 3348 wrote to memory of 3096	3348	cmd.exe	103
PID 3348 wrote to memory of 3096	3348	cmd.exe	103
PID 3348 wrote to memory of 5080	3348	cmd.exe	104
PID 3348 wrote to memory of 5080	3348	cmd.exe	104
PID 5080 wrote to memory of 4268	5080	SppExtComObj.exe	109
PID 5080 wrote to memory of 4268	5080	SppExtComObj.exe	109
PID 4268 wrote to memory of 3452	4268	cmd.exe	111
PID 4268 wrote to memory of 3452	4268	cmd.exe	111
PID 4268 wrote to memory of 2708	4268	cmd.exe	115
PID 4268 wrote to memory of 2708	4268	cmd.exe	115
PID 2708 wrote to memory of 1100	2708	SppExtComObj.exe	116
PID 2708 wrote to memory of 1100	2708	SppExtComObj.exe	116
PID 1100 wrote to memory of 2112	1100	cmd.exe	118
PID 1100 wrote to memory of 2112	1100	cmd.exe	118
PID 1100 wrote to memory of 4896	1100	cmd.exe	119
PID 1100 wrote to memory of 4896	1100	cmd.exe	119
PID 4896 wrote to memory of 2780	4896	SppExtComObj.exe	120
PID 4896 wrote to memory of 2780	4896	SppExtComObj.exe	120
PID 2780 wrote to memory of 3208	2780	cmd.exe	122
PID 2780 wrote to memory of 3208	2780	cmd.exe	122
PID 2780 wrote to memory of 3100	2780	cmd.exe	123
PID 2780 wrote to memory of 3100	2780	cmd.exe	123
PID 3100 wrote to memory of 396	3100	SppExtComObj.exe	124
PID 3100 wrote to memory of 396	3100	SppExtComObj.exe	124
PID 396 wrote to memory of 1560	396	cmd.exe	126
PID 396 wrote to memory of 1560	396	cmd.exe	126
PID 396 wrote to memory of 1472	396	cmd.exe	127
PID 396 wrote to memory of 1472	396	cmd.exe	127
PID 1472 wrote to memory of 1800	1472	SppExtComObj.exe	128
PID 1472 wrote to memory of 1800	1472	SppExtComObj.exe	128
PID 1800 wrote to memory of 1884	1800	cmd.exe	130
PID 1800 wrote to memory of 1884	1800	cmd.exe	130
PID 1800 wrote to memory of 544	1800	cmd.exe	131
PID 1800 wrote to memory of 544	1800	cmd.exe	131
PID 544 wrote to memory of 3712	544	SppExtComObj.exe	132
PID 544 wrote to memory of 3712	544	SppExtComObj.exe	132
PID 3712 wrote to memory of 4012	3712	cmd.exe	134
PID 3712 wrote to memory of 4012	3712	cmd.exe	134
PID 3712 wrote to memory of 4676	3712	cmd.exe	135
PID 3712 wrote to memory of 4676	3712	cmd.exe	135
PID 4676 wrote to memory of 4324	4676	SppExtComObj.exe	136
PID 4676 wrote to memory of 4324	4676	SppExtComObj.exe	136
PID 4324 wrote to memory of 2432	4324	cmd.exe	138
PID 4324 wrote to memory of 2432	4324	cmd.exe	138
PID 4324 wrote to memory of 3480	4324	cmd.exe	139
PID 4324 wrote to memory of 3480	4324	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe
"C:\Users\Admin\AppData\Local\Temp\021bfab7fc448d154563c27a2710f19b2dab19fc09ca97ad2c7f192cda7d3f8d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qly3hdiAY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3096
      - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3452
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2112
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3208
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1560
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1884
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4012
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2432
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
        21⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4120
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        23⤵
        
        PID:4724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1476
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        25⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
203B

MD5
406f0e937c0ae1eac15c539a64ee28e7

SHA1
74846d1ac57c589ad9091e3a517e1e1a05571c0c

SHA256
ecdfe46bd4f5aa8d0f9bcc519b8c9277f17a95ea40e223eed9a7801c3096816c

SHA512
0457ba759bb005969b499b20042698526a3115cd312fb4a7664ede83d13286d34525a4493ea0b23c58c0e553aeb600f687fd85b7584361e056c77a37a74a3bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qly3hdiAY.bat

Filesize
203B

MD5
5cc17be19f901607b6e4c9aa9aa3474e

SHA1
52bcb7bb4f042c6e9e281573a37a2916174771a7

SHA256
d8d51724c51071611856b930e52339b6cb831c44dc05403f9302012d78319ad5

SHA512
ad8e56959e040dc47795efae17bce2392fa409479d2d670c05ab3c3909a40a462e6f01d122def334efd8a56568f9fa5b7837e3c908a11ba512d5feac0d9bc4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

Filesize
203B

MD5
ac2aad4585aa972715799bf79b560cd7

SHA1
416ddfab826d4fa77422e891cf4c694553b6bae9

SHA256
888c321734b938fdec271f8a0db66416ff88c67be07e7cf537f93fb28a522a28

SHA512
2bfee03d0e6f5320a5bf4f699e505ee4eb9041358bc0d905215d166fd360ae0dec3d4a736726837142d89c5283f4b538f6bee7d8c426e491fb39c769cff25dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
203B

MD5
6a58bfd3aef9110549e094cdbbc587f8

SHA1
9e7a79c26efcb1f732c8d4023986506ac1642581

SHA256
aae78218c3177621819c0488b9d8c5d2b2e5ec96d1c85316b59e0ffa06b775f9

SHA512
51aaf90b35412238e6b99a9bd5b05f47550ef4e0e1ad4cba393bc45112a0ff714abecca95d5fa09e66dc2000b3e0cced1ea354636e2058a60dbab0ce6df691a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
203B

MD5
02d330c003635db685e0f8c7cdad8656

SHA1
aa5492ec5b76434197cba08c1d3a352a3887a838

SHA256
9c8e222066f38e8bf2b2ff7fb856178655bdb2c82be84f738a58c53afae02038

SHA512
83c06ff60baded8c06b3d5f66b5031c5e1e0cbb394881ee57f2581799869a4491ceb9a08dd856cb3cea3dcac17767d04e47bc7744c562f5d027d9b12909926a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
203B

MD5
bf5bebab05ae0921a7c0b6036ae87bac

SHA1
e91cd9192c443c6c8e7a48f5f6bc3757ed028989

SHA256
dabc5ad8e6875ec60b999ab58c554fd7c4c9ee3d54c4c783b24764f311e25980

SHA512
5fd26e9f3b4800d83ae9e426d0c21f3bfb950461a9fc865662c8a5f78d6b89a03c01bfc160c997df1cd2ed0c949c412bb31d05d98e0b7e0b9680c1d31abd3f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
203B

MD5
fc05164ac8f318fd95a7250938630ce6

SHA1
df1d0d71e0f7097f475a25b26b4e3f4af6678319

SHA256
0adacd3bf24c9946f669dbac7bc9df45815a6eadf2885ac6ae6da282b5450667

SHA512
c200ceb040a1653ad0729dcd3905f391988a5df45de9e39aeac16aaa9222d13d49938c05b4a052130e6ade2697c27155284b7dc2d014fce0eab4f8a41533bab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

Filesize
203B

MD5
25c96f9a0bd047add5cb9bdfafc89d35

SHA1
a5526921b1e1a4c4f49f8e20f7d63139da52308d

SHA256
dda97c98e3146a68767da8be96b0ab42d50b72cb518962cb76b8eed660c63784

SHA512
ae304392a2f75e3ff7b61e4de7bcb8a03c13c1acb396c3c8b802ce593459abc93120091a3e8afe347557bc87d634f35877e911084fb8d78297c6124fae1a02c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
203B

MD5
a9cacb58386ac5e8be273e9736e4e5e8

SHA1
018fd3fb6db646f2cb3137837dd1f77421120450

SHA256
06828cf91270dfececbafb1208b4d76e56566e859f17ad9d13aaf5222c30f8ee

SHA512
5bd4cbf17496b7bf872305c8adbc27f9571531496a874e2c5037e39310f6d65eecabbd13e660e3f1bc26bf570b204a4e6ee23807a30de160554a390b78b09e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
203B

MD5
2ec92c89bd6b9d380834ff1227990669

SHA1
cfd5fab719dd8317eac76cf030e6eb3e26ad6b36

SHA256
032cf5da84c390e01cdc50b1794bc2571a301e045dffdfb213b3ce7f9af9fd7f

SHA512
ee26edafbd1c61c6cd3e5c42ba4729ed0427eed1eea9da5102a9125db76c2ad74dfffd0c23b2af944020b9837f3146c9406fdf9cf7c53bbb4ea3d7da81e80c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

Filesize
203B

MD5
7af3bd1a78ffdaac18f20405f35bcce3

SHA1
d0559f61a2d15288a4465375d77e352c5f892db8

SHA256
d9c453a0cb06755d85105dea136739cfd1abcf448c22a78035a1332d779fdf42

SHA512
70a1db05278126697ea3a8beddf93023f177218815293d850b93c1cf1ee1123a8fb3ea012258400b3122dc54588f3cfe66c5107b076a639c540f58cc4f11e706

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/544-205-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/544-201-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1472-139-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/1472-194-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1472-147-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1472-198-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1472-140-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-226-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1552-222-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1996-161-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-152-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-177-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/2708-173-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3040-150-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-159-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-146-0x0000028679B60000-0x0000028679B82000-memory.dmp

Filesize
136KB

Download
memory/3100-191-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3100-187-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3136-151-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-158-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-219-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3480-215-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4572-154-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-153-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-208-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4676-212-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4896-184-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4896-180-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/5080-165-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/5080-169-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/5084-229-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/5084-233-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download