dcrat | 54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe
Size

1.3MB
MD5

3595002c578afca86243abd924c082e7
SHA1

feb18e3a398ae6c8904ad82ec62b832891d1535f
SHA256

54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c
SHA512

cc6a40b1e97dd407e1eb8b931d3973cb1a562d6f47f6b150d818ff5b6d5d82222073dace97765333237885f640fcab34075c23e364db7fad936dd251ce657f84
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3572	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3572	schtasks.exe	69

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e62-137.dat	dcrat
behavioral1/files/0x0006000000022e62-138.dat	dcrat
behavioral1/memory/1344-139-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e70-146.dat	dcrat
behavioral1/files/0x0006000000022e70-147.dat	dcrat
behavioral1/files/0x0006000000022e70-168.dat	dcrat
behavioral1/files/0x0006000000022e70-176.dat	dcrat
behavioral1/files/0x0006000000022e70-183.dat	dcrat
behavioral1/files/0x0006000000022e70-190.dat	dcrat
behavioral1/files/0x0006000000022e70-197.dat	dcrat
behavioral1/files/0x0006000000022e70-204.dat	dcrat
behavioral1/files/0x0006000000022e70-211.dat	dcrat
behavioral1/files/0x0006000000022e70-218.dat	dcrat
behavioral1/files/0x0006000000022e70-225.dat	dcrat
behavioral1/files/0x0006000000022e70-232.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1344	DllCommonsvc.exe
1828	SearchApp.exe
4128	SearchApp.exe
4332	SearchApp.exe
1000	SearchApp.exe
3916	SearchApp.exe
2540	SearchApp.exe
2544	SearchApp.exe
1316	SearchApp.exe
4800	SearchApp.exe
2508	SearchApp.exe
720	SearchApp.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1028	schtasks.exe
4528	schtasks.exe
1104	schtasks.exe
204	schtasks.exe
2408	schtasks.exe
640	schtasks.exe
2144	schtasks.exe
4112	schtasks.exe
344	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1344	DllCommonsvc.exe
2736	powershell.exe
3024	powershell.exe
3304	powershell.exe
3232	powershell.exe
2736	powershell.exe
1828	SearchApp.exe
3024	powershell.exe
3304	powershell.exe
3232	powershell.exe
4128	SearchApp.exe
4332	SearchApp.exe
1000	SearchApp.exe
3916	SearchApp.exe
2540	SearchApp.exe
2544	SearchApp.exe
1316	SearchApp.exe
4800	SearchApp.exe
2508	SearchApp.exe
720	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	DllCommonsvc.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	1828	SearchApp.exe
Token: SeDebugPrivilege	4128	SearchApp.exe
Token: SeDebugPrivilege	4332	SearchApp.exe
Token: SeDebugPrivilege	1000	SearchApp.exe
Token: SeDebugPrivilege	3916	SearchApp.exe
Token: SeDebugPrivilege	2540	SearchApp.exe
Token: SeDebugPrivilege	2544	SearchApp.exe
Token: SeDebugPrivilege	1316	SearchApp.exe
Token: SeDebugPrivilege	4800	SearchApp.exe
Token: SeDebugPrivilege	2508	SearchApp.exe
Token: SeDebugPrivilege	720	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1260	1932	54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe	80
PID 1932 wrote to memory of 1260	1932	54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe	80
PID 1932 wrote to memory of 1260	1932	54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe	80
PID 1260 wrote to memory of 1496	1260	WScript.exe	84
PID 1260 wrote to memory of 1496	1260	WScript.exe	84
PID 1260 wrote to memory of 1496	1260	WScript.exe	84
PID 1496 wrote to memory of 1344	1496	cmd.exe	86
PID 1496 wrote to memory of 1344	1496	cmd.exe	86
PID 1344 wrote to memory of 3232	1344	DllCommonsvc.exe	96
PID 1344 wrote to memory of 3232	1344	DllCommonsvc.exe	96
PID 1344 wrote to memory of 2736	1344	DllCommonsvc.exe	97
PID 1344 wrote to memory of 2736	1344	DllCommonsvc.exe	97
PID 1344 wrote to memory of 3024	1344	DllCommonsvc.exe	98
PID 1344 wrote to memory of 3024	1344	DllCommonsvc.exe	98
PID 1344 wrote to memory of 3304	1344	DllCommonsvc.exe	101
PID 1344 wrote to memory of 3304	1344	DllCommonsvc.exe	101
PID 1344 wrote to memory of 1828	1344	DllCommonsvc.exe	105
PID 1344 wrote to memory of 1828	1344	DllCommonsvc.exe	105
PID 1828 wrote to memory of 1668	1828	SearchApp.exe	108
PID 1828 wrote to memory of 1668	1828	SearchApp.exe	108
PID 1668 wrote to memory of 836	1668	cmd.exe	110
PID 1668 wrote to memory of 836	1668	cmd.exe	110
PID 1668 wrote to memory of 4128	1668	cmd.exe	111
PID 1668 wrote to memory of 4128	1668	cmd.exe	111
PID 4128 wrote to memory of 3348	4128	SearchApp.exe	112
PID 4128 wrote to memory of 3348	4128	SearchApp.exe	112
PID 3348 wrote to memory of 4892	3348	cmd.exe	114
PID 3348 wrote to memory of 4892	3348	cmd.exe	114
PID 3348 wrote to memory of 4332	3348	cmd.exe	116
PID 3348 wrote to memory of 4332	3348	cmd.exe	116
PID 4332 wrote to memory of 4912	4332	SearchApp.exe	117
PID 4332 wrote to memory of 4912	4332	SearchApp.exe	117
PID 4912 wrote to memory of 4808	4912	cmd.exe	119
PID 4912 wrote to memory of 4808	4912	cmd.exe	119
PID 4912 wrote to memory of 1000	4912	cmd.exe	120
PID 4912 wrote to memory of 1000	4912	cmd.exe	120
PID 1000 wrote to memory of 1920	1000	SearchApp.exe	121
PID 1000 wrote to memory of 1920	1000	SearchApp.exe	121
PID 1920 wrote to memory of 4392	1920	cmd.exe	123
PID 1920 wrote to memory of 4392	1920	cmd.exe	123
PID 1920 wrote to memory of 3916	1920	cmd.exe	124
PID 1920 wrote to memory of 3916	1920	cmd.exe	124
PID 3916 wrote to memory of 2556	3916	SearchApp.exe	125
PID 3916 wrote to memory of 2556	3916	SearchApp.exe	125
PID 2556 wrote to memory of 4744	2556	cmd.exe	127
PID 2556 wrote to memory of 4744	2556	cmd.exe	127
PID 2556 wrote to memory of 2540	2556	cmd.exe	128
PID 2556 wrote to memory of 2540	2556	cmd.exe	128
PID 2540 wrote to memory of 1780	2540	SearchApp.exe	130
PID 2540 wrote to memory of 1780	2540	SearchApp.exe	130
PID 1780 wrote to memory of 1884	1780	cmd.exe	131
PID 1780 wrote to memory of 1884	1780	cmd.exe	131
PID 1780 wrote to memory of 2544	1780	cmd.exe	132
PID 1780 wrote to memory of 2544	1780	cmd.exe	132
PID 2544 wrote to memory of 756	2544	SearchApp.exe	133
PID 2544 wrote to memory of 756	2544	SearchApp.exe	133
PID 756 wrote to memory of 3912	756	cmd.exe	135
PID 756 wrote to memory of 3912	756	cmd.exe	135
PID 756 wrote to memory of 1316	756	cmd.exe	136
PID 756 wrote to memory of 1316	756	cmd.exe	136
PID 1316 wrote to memory of 4988	1316	SearchApp.exe	137
PID 1316 wrote to memory of 4988	1316	SearchApp.exe	137
PID 4988 wrote to memory of 1056	4988	cmd.exe	139
PID 4988 wrote to memory of 1056	4988	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe
"C:\Users\Admin\AppData\Local\Temp\54f2479305900643ed02f63d213d55347303ff4b19b09f53da6ffad03e43a03c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
    - - C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:836
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4892
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4808
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4392
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4744
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1884
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3912
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1056
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        22⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2820
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        24⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1380
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
185B

MD5
5800cec4bb265625dd3f53ecc773706c

SHA1
de54d75b7a56c41a1806d127ccb182098ea7bf7d

SHA256
8292905419bb74c084b59a78b7dd4402d6af003433ffd04f28713d74b591d212

SHA512
1ad19182ee55aa5342923a0ec6c8f006d074c66326c25f7e242df93b594870e7126395a00f511a50995b56573c37f3bb8fc4c2d0a1de27b817dfb353dadeb931

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
185B

MD5
27218ab35d64f60045ccf4f0429764d5

SHA1
5981b0a076fe47642cc664bd0fea8b88f8c1381a

SHA256
6a0bb4e38ef5696549d5036998e230fc8290ad0aa3300b3b29a4f298f4ba49cc

SHA512
29c468e06b8c233f9b0e0c2bc6913de22ec6a9a6bb3bb5e1e963ee41631eb3eefa9afa8cc146fed6b4c2c3d53b3de7cebb49e8ca73579d2b24cc0d6c4c836b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

Filesize
185B

MD5
a4b3be53755c65a7d750ffa4086b9586

SHA1
c8a6859733e9defd450b1f6af695845145744acc

SHA256
e5f05b402af214aedd9261066c536662dd0ac3ca39c24dedc3ed537d05a1ee80

SHA512
62cf847f5249e0762ed2984616a4fd586bf05c936f6a008f273599304de8e6f2faab7c94377a134be50013421a851774e8c4d9fd730cf50591b296aa4b7d4842

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
185B

MD5
6ad0c385b3590fd3fcc1974bd72618f1

SHA1
aec81fb4199afbec9dc34606ef3533ebc837e583

SHA256
e85cc84aee7ec419af6eff9fcd2ccc6281c69a50692765c8a27cb8164efff794

SHA512
86ffc30e6149d6216eba3fd47cee6125b5497e5ad734a4f0486da88d31e58a5e4495dfb870c9af5e2e79965a8fd6effd365fab8bc7f66bdc21a2338685f35664

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

Filesize
185B

MD5
7f2f294de3a8eabdf2ba5fcf7a9d1a45

SHA1
73f8d9f49a70ef9193f636fe59b85685043dd0d4

SHA256
d03933265fd3959b2c89898cf18f908410e29b565708e485c4dca24ded41263c

SHA512
cf672474020041cf92548d59b99642ff96a1c5a6a8fa085840b49b6a43e87a46af1bde36cfbdf5fd55d2c1185f939f3a3589f9eb738696e163c4f710d5341da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat

Filesize
185B

MD5
4994dd303653a308a1ab384cb5ee96e8

SHA1
1e2621e6b9b09a6195dbd7712f6ec49d2f46800c

SHA256
14e0ae65a5b386e0cda652746d082ac5383abee57ea57d9096ea93fe5d1e15d9

SHA512
f5b8d79b71afe72cf70a72d259584367e85966f64c0e2f64eb20a31cc40b55debcd17ffada85ce5b54a6bff1a2b693af6a85a0376ea7bd25173c3cf6f602b211

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat

Filesize
185B

MD5
27db18f7b8822a6563828da783597782

SHA1
0d0b9cb91ecb8c1534eacaffc55131632688c554

SHA256
4ac630cdc049607da74472c4d993156a3754f5a23a941f3b9411b70b4fecd0b6

SHA512
f7a47f2ca5202b1de7ea5475aca1be4aeb973f2676e0841e4452c89696e86016d03bb5cc4648e243987159311acf818aa072fb265e930a6b7bd726790a6268d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
185B

MD5
df23313648100993e127974ad613bdb7

SHA1
3854ae65fed7393f6de57c0b00c2e24067caa46a

SHA256
b4df3ccda8de153b53d2a20d91b536ca06c95db0938cd018cb578f63d58c5be9

SHA512
cfc20152480879c92856de20127c21bf5481192c07df191e7eec5a3db483791aa49fad39ca1f759476aa339639c68f26f5e290be98c76e916857777ed74459af

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
185B

MD5
86ff11d2641fd9a228d8368288b6dc56

SHA1
fd240a11dcad68362435c7dc78cd580329690c57

SHA256
64f753b29ad99a2fd8aeb9e72b05c5900fb399b49024512c2585c5a7e9b80edb

SHA512
e56a4c4e924aa6d276249a8538563336c11f2ea4fb75d9bcbdb07a8bdaf338044c6d5ba41b3426a17d3a922a40651eda842fdc433a0124243908e2ade0ddad19

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
185B

MD5
21baa7003ba5c9c9ac11b5afea55ffc1

SHA1
7ab45d434264639989ddcaa938e44d39acf0780d

SHA256
0c82df325a428f68047373951e75883bf02e3cd0113dce9f3192c31732cdf743

SHA512
141152708259cab97e70fc496c728044e7a76552f22ee8504701a835409856e60a61698304142877961c756c2f755ddfc1280ff7f8bd81d5031ca6e2022fe1f2

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/720-234-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/720-233-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1000-188-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1000-184-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1316-216-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1316-212-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1344-140-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1344-139-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1344-148-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1828-166-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/1828-153-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2508-230-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2508-226-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2540-202-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2540-198-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2544-209-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2544-205-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2736-150-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/2736-155-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3024-151-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3024-159-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3024-149-0x0000018C5ADE0000-0x0000018C5AE02000-memory.dmp

Filesize
136KB

Download
memory/3232-154-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3232-161-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3304-152-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3304-162-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3916-191-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/3916-195-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4128-170-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4128-174-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4332-181-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4332-177-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4800-223-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download
memory/4800-219-0x00007FFCC3960000-0x00007FFCC4421000-memory.dmp

Filesize
10.8MB

Download