dcrat | 319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe
Size

1.3MB
MD5

070801084b08d2473c0c98c020632130
SHA1

26bbc11d9a8b57182f91ff1013a0714655eb35d6
SHA256

319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6
SHA512

1d2386b4db2e3cba5e020d50cfd1f816e7f749daf0b57d3eb82147ec317fc3101f8594247fa61e8d21af383df20ebb47f30340a831c6207a4329ce792ee9c3be
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1732	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1732	schtasks.exe	43

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e6c-137.dat	dcrat
behavioral1/files/0x0006000000022e6c-138.dat	dcrat
behavioral1/memory/4856-139-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e77-163.dat	dcrat
behavioral1/files/0x0006000000022e77-164.dat	dcrat
behavioral1/files/0x0006000000022e77-171.dat	dcrat
behavioral1/files/0x0006000000022e77-179.dat	dcrat
behavioral1/files/0x0006000000022e77-186.dat	dcrat
behavioral1/files/0x0006000000022e77-193.dat	dcrat
behavioral1/files/0x0006000000022e77-200.dat	dcrat
behavioral1/files/0x0006000000022e77-207.dat	dcrat
behavioral1/files/0x0006000000022e77-214.dat	dcrat
behavioral1/files/0x0006000000022e77-221.dat	dcrat
behavioral1/files/0x0006000000022e77-228.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
4856	DllCommonsvc.exe
4736	conhost.exe
4848	conhost.exe
2496	conhost.exe
1324	conhost.exe
3156	conhost.exe
4488	conhost.exe
4660	conhost.exe
2568	conhost.exe
3136	conhost.exe
3276	conhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1584	schtasks.exe
1064	schtasks.exe
1412	schtasks.exe
1512	schtasks.exe
2064	schtasks.exe
1068	schtasks.exe
1944	schtasks.exe
2112	schtasks.exe
1132	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	conhost.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
3556	powershell.exe
2664	powershell.exe
208	powershell.exe
4660	powershell.exe
3556	powershell.exe
2664	powershell.exe
208	powershell.exe
4660	powershell.exe
4736	conhost.exe
4848	conhost.exe
2496	conhost.exe
1324	conhost.exe
3156	conhost.exe
4488	conhost.exe
4660	conhost.exe
2568	conhost.exe
3136	conhost.exe
3276	conhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	DllCommonsvc.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4736	conhost.exe
Token: SeDebugPrivilege	4848	conhost.exe
Token: SeDebugPrivilege	2496	conhost.exe
Token: SeDebugPrivilege	1324	conhost.exe
Token: SeDebugPrivilege	3156	conhost.exe
Token: SeDebugPrivilege	4488	conhost.exe
Token: SeDebugPrivilege	4660	conhost.exe
Token: SeDebugPrivilege	2568	conhost.exe
Token: SeDebugPrivilege	3136	conhost.exe
Token: SeDebugPrivilege	3276	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4956	4020	319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe	80
PID 4020 wrote to memory of 4956	4020	319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe	80
PID 4020 wrote to memory of 4956	4020	319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe	80
PID 4956 wrote to memory of 4944	4956	WScript.exe	84
PID 4956 wrote to memory of 4944	4956	WScript.exe	84
PID 4956 wrote to memory of 4944	4956	WScript.exe	84
PID 4944 wrote to memory of 4856	4944	cmd.exe	86
PID 4944 wrote to memory of 4856	4944	cmd.exe	86
PID 4856 wrote to memory of 4660	4856	DllCommonsvc.exe	97
PID 4856 wrote to memory of 4660	4856	DllCommonsvc.exe	97
PID 4856 wrote to memory of 2664	4856	DllCommonsvc.exe	98
PID 4856 wrote to memory of 2664	4856	DllCommonsvc.exe	98
PID 4856 wrote to memory of 3556	4856	DllCommonsvc.exe	103
PID 4856 wrote to memory of 3556	4856	DllCommonsvc.exe	103
PID 4856 wrote to memory of 208	4856	DllCommonsvc.exe	100
PID 4856 wrote to memory of 208	4856	DllCommonsvc.exe	100
PID 4856 wrote to memory of 3876	4856	DllCommonsvc.exe	105
PID 4856 wrote to memory of 3876	4856	DllCommonsvc.exe	105
PID 3876 wrote to memory of 1984	3876	cmd.exe	107
PID 3876 wrote to memory of 1984	3876	cmd.exe	107
PID 3876 wrote to memory of 4736	3876	cmd.exe	110
PID 3876 wrote to memory of 4736	3876	cmd.exe	110
PID 4736 wrote to memory of 3576	4736	conhost.exe	111
PID 4736 wrote to memory of 3576	4736	conhost.exe	111
PID 3576 wrote to memory of 1928	3576	cmd.exe	113
PID 3576 wrote to memory of 1928	3576	cmd.exe	113
PID 3576 wrote to memory of 4848	3576	cmd.exe	114
PID 3576 wrote to memory of 4848	3576	cmd.exe	114
PID 4848 wrote to memory of 1420	4848	conhost.exe	116
PID 4848 wrote to memory of 1420	4848	conhost.exe	116
PID 1420 wrote to memory of 3360	1420	cmd.exe	118
PID 1420 wrote to memory of 3360	1420	cmd.exe	118
PID 1420 wrote to memory of 2496	1420	cmd.exe	119
PID 1420 wrote to memory of 2496	1420	cmd.exe	119
PID 2496 wrote to memory of 3884	2496	conhost.exe	120
PID 2496 wrote to memory of 3884	2496	conhost.exe	120
PID 3884 wrote to memory of 4712	3884	cmd.exe	122
PID 3884 wrote to memory of 4712	3884	cmd.exe	122
PID 3884 wrote to memory of 1324	3884	cmd.exe	123
PID 3884 wrote to memory of 1324	3884	cmd.exe	123
PID 1324 wrote to memory of 3916	1324	conhost.exe	124
PID 1324 wrote to memory of 3916	1324	conhost.exe	124
PID 3916 wrote to memory of 4948	3916	cmd.exe	126
PID 3916 wrote to memory of 4948	3916	cmd.exe	126
PID 3916 wrote to memory of 3156	3916	cmd.exe	127
PID 3916 wrote to memory of 3156	3916	cmd.exe	127
PID 3156 wrote to memory of 1316	3156	conhost.exe	128
PID 3156 wrote to memory of 1316	3156	conhost.exe	128
PID 1316 wrote to memory of 3908	1316	cmd.exe	130
PID 1316 wrote to memory of 3908	1316	cmd.exe	130
PID 1316 wrote to memory of 4488	1316	cmd.exe	131
PID 1316 wrote to memory of 4488	1316	cmd.exe	131
PID 4488 wrote to memory of 5076	4488	conhost.exe	132
PID 4488 wrote to memory of 5076	4488	conhost.exe	132
PID 5076 wrote to memory of 3964	5076	cmd.exe	134
PID 5076 wrote to memory of 3964	5076	cmd.exe	134
PID 5076 wrote to memory of 4660	5076	cmd.exe	135
PID 5076 wrote to memory of 4660	5076	cmd.exe	135
PID 4660 wrote to memory of 208	4660	conhost.exe	136
PID 4660 wrote to memory of 208	4660	conhost.exe	136
PID 208 wrote to memory of 4348	208	cmd.exe	138
PID 208 wrote to memory of 4348	208	cmd.exe	138
PID 208 wrote to memory of 2568	208	cmd.exe	139
PID 208 wrote to memory of 2568	208	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe
"C:\Users\Admin\AppData\Local\Temp\319a6b5972934aef9f7596b13e4ae84e03d77c42aa11fdfbc9e96a750e2497a6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQKTHgWtjS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1984
      - C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1928
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3360
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4712
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4948
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3908
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3964
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4348
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        21⤵
        
        PID:4752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4532
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        23⤵
        
        PID:1184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3060
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        25⤵
        
        PID:3968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
198B

MD5
72ec6a4b65d9aa539f5b9d2046673acc

SHA1
393e05238691e0dc6b1872ce00f7efb11bd24432

SHA256
d7788cb9a87a74c0d259d65fb107b69653fb03ed567c7f6bd7696e424152aea0

SHA512
f39447f27ac497d1cbe6083c9e78d9c3158a3d9631b917de366f7e171a8badb2d5ec76d8472b9c67366ee7bb2cfc52b59bf649e1c46f2cbe4e9cdc51717c96cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
198B

MD5
0dd62bfcf73e5f0cecc4c6b23c76d676

SHA1
02ba4c224c02f27947c23a13ef64d2dd801c9d8c

SHA256
0723723dfddc55432c29814266d10b66e42ecda99162aab7d11b357563b9b875

SHA512
8775aa9d7bac548869be1b984cc9f74af7630066068ab12645250e4f4e6cf0e8dc5a32f1a3df929c7a8212338d8deefcb54be3757decbd14e86e93dad425161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
198B

MD5
0536b20273787a6f4fbfa5fa9161b7de

SHA1
0cb631a0501ba120d22dfd55413eef7e3bf2a8df

SHA256
6836bc5525c4d11137b54e4664527448c5b54afda1b335209d3bfa6f24681c7f

SHA512
8da7daea68359cdd86215e8639708040319b12dcaa26e501763f6a73920e160746e9f81e9e3472dc2d21e144025b586ff8c34967b7efac2083920e9a1cacef9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
198B

MD5
c05e5f38628d774dca22d35e94251f1a

SHA1
1390ef1270357e5acefc9fccf795b6158cc093a8

SHA256
3af084807a5eb81bbef3adcb4bbf491d77a8551af66cd6d9417eb8f62126f762

SHA512
4f7cef29860713ed5c186f89001610afdc35a88171c86c05a0cfced11215b0d23fd8b0269b39c65c2270361b7fa378280008866c7adb26fa1b4182b23dd4df68

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
198B

MD5
8a13af970e4029bfd40ee80f91da6d36

SHA1
923b311dd5935652b2d11e602e1e81761fd95dc4

SHA256
c69c98f0eddfe31c332aba2bb52dd6a5272e12143d53139388b59401310e3a11

SHA512
6c42a4b44665401ddac52f923ff68e0b2725d567c756de719360f65c0906f571f133041e970ff767501b9afb355f02b44dfb4ce2634430217cecfbf870979290

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
198B

MD5
249c268c40ee6ce82b9242b79c01dc6a

SHA1
84f039ce60d2f5e571a766a33eecd0eaf4af4129

SHA256
0d77518a4e42dcd0611ddff69ebca0886ce47eb23071903e0a96f96ba729028c

SHA512
b8a58b2c1da4e713fbc80dcf6ab63945b35106f4af719f66066a1cdc6de608184c9336a15e70f801e90663de33f935d104404e48b4dd45bd69ba78d3db8bbdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
198B

MD5
15b584b0a212a064d6c753ebbbf3b12b

SHA1
1cefdd3f4712d44fc15abce1c3d21bdbb0fccc41

SHA256
74ecc0b5b994dfa73772ab469c5ae1b32da02196514165450d0bb5fbda926aab

SHA512
8012bd7690095be729eb52c28c592f8922a6de9722b9a71963763dea40a7ecb3817894a6df891c7d1b9c3f6e7b4d9c21cdb2e6ba3620448b61bd938a6ea8428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
198B

MD5
69a882a42a4689c8ddd1e565b1e93a3a

SHA1
0118599b728667f98cdbc9d056df8ed2c854d50a

SHA256
00ae077adf6e24f6b3946a460b4a0736a8d25c7e7f6822dcf9bf6e7189feb130

SHA512
4af2fa123f688e4a38753ad23dce786e63676abbd2ee59c641f4914b3f98b730a2c86d79ae30b6deddcc96e00a3de6e208c259fa9c536d1bca7e4df6fc7f2146

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
198B

MD5
0a0a0dafa3d3c66b213202f4ba7d09b8

SHA1
ff1f5b91893615b08db0a4bd3c6b9f5f791bb3d3

SHA256
c27df58d07b4f0fb4d1c4299d543a7f7d209d7526f0bed4637b2dac6026e5b35

SHA512
c734af1b14f600c8db190a886f9fbea36ceefad49001c65f0fa27ceab20197afd0b8d4c70be538ac813a3af46495c6ca8f63f8ebf5cced98a147eccb2d99274a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQKTHgWtjS.bat

Filesize
198B

MD5
6d664ef57c042a41ccc28647c855f2f8

SHA1
d9bed653b1401f064aa472fb99b206fd4aa71bd0

SHA256
8e9bc6c63597d01125c24a2bdf7ce9b3e96b7cbb0990bb281bc795657edc5fd9

SHA512
5068fcb67add269cf4258257fe4529b00cae721b9552f3bbdf0b4282710cb66f628fa1f3283acbfca49552f2b2ac019ed0752c521fe183024dfc6f5020cf31a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
198B

MD5
0541e3d4507fe2b3faf455290e28ce36

SHA1
1aa1416b9c72ef9c25306042b3f1e60f9c30af16

SHA256
3308f7713a18f9b355132271ee1c80917d7bb19c476b978481df605fb2397f00

SHA512
3af7290f946dffbd6e54d05a3acf703dbaec9ba27b802cffdfd3acd355ee0927e013ba035f8e2dffdb416300545e2fe29042194c1cc7d2f9d5a3b7728d2b7c10

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/208-160-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/208-151-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1324-187-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1324-191-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2496-184-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2496-180-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2568-215-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2568-219-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2664-156-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2664-149-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3136-222-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3136-226-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3156-198-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3156-194-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3276-229-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3276-233-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3556-157-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3556-148-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3556-145-0x000001C0AA2A0000-0x000001C0AA2C2000-memory.dmp

Filesize
136KB

Download
memory/4488-201-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4488-205-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4660-212-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4660-208-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4660-153-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4660-161-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4736-169-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4736-165-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4848-177-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4848-173-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4856-147-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4856-140-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4856-139-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download