dcrat | 7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Size

762KB
MD5

90b452d84800d6430baba6ef4a5b965d
SHA1

d0597496e9fe52aeae9b299af9c23934b15bc1c7
SHA256

7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309
SHA512

3f805f25b6ae57fdeecb0c29275e9aab0d6cefe8e7ca162bab21b1631a1641ecd93b78fecd64a42d34baab2f34ee34e1e6bf2df30e86b15a5847c4035179ab8c
SSDEEP

12288:rkYHTs61mU1+6hH5aFJeV/3iXPrQfkXmm1RhdLB9XKynVwGQIgNa61+:rkYHTv5dIFJeVDE2a61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4824-1-0x0000000000A70000-0x0000000000B36000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023480-21.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 16 IoCs

pid	Process
952	sysmon.exe
2832	sysmon.exe
64	sysmon.exe
1896	sysmon.exe
3388	sysmon.exe
3424	sysmon.exe
100	sysmon.exe
548	sysmon.exe
4836	sysmon.exe
4200	sysmon.exe
1896	sysmon.exe
3292	sysmon.exe
3472	sysmon.exe
2888	sysmon.exe
4456	sysmon.exe
2188	sysmon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\e1ef82546f0b02	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files\Windows NT\SppExtComObj.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File opened for modification	C:\Program Files\Windows NT\SppExtComObj.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\pris\dllhost.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\pris\5940a34987c991	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4352	PING.EXE
3472	PING.EXE
4540	PING.EXE
3644	PING.EXE
2904	PING.EXE
4780	PING.EXE
4104	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sysmon.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2904	PING.EXE
4780	PING.EXE
4104	PING.EXE
4352	PING.EXE
3472	PING.EXE
4540	PING.EXE
3644	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Token: SeDebugPrivilege	952	sysmon.exe
Token: SeDebugPrivilege	2832	sysmon.exe
Token: SeDebugPrivilege	64	sysmon.exe
Token: SeDebugPrivilege	1896	sysmon.exe
Token: SeDebugPrivilege	3388	sysmon.exe
Token: SeDebugPrivilege	3424	sysmon.exe
Token: SeDebugPrivilege	100	sysmon.exe
Token: SeDebugPrivilege	548	sysmon.exe
Token: SeDebugPrivilege	4836	sysmon.exe
Token: SeDebugPrivilege	4200	sysmon.exe
Token: SeDebugPrivilege	1896	sysmon.exe
Token: SeDebugPrivilege	3292	sysmon.exe
Token: SeDebugPrivilege	3472	sysmon.exe
Token: SeDebugPrivilege	2888	sysmon.exe
Token: SeDebugPrivilege	4456	sysmon.exe
Token: SeDebugPrivilege	2188	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2112	4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe	82
PID 4824 wrote to memory of 2112	4824	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe	82
PID 2112 wrote to memory of 924	2112	cmd.exe	84
PID 2112 wrote to memory of 924	2112	cmd.exe	84
PID 2112 wrote to memory of 3732	2112	cmd.exe	85
PID 2112 wrote to memory of 3732	2112	cmd.exe	85
PID 2112 wrote to memory of 952	2112	cmd.exe	86
PID 2112 wrote to memory of 952	2112	cmd.exe	86
PID 952 wrote to memory of 3384	952	sysmon.exe	90
PID 952 wrote to memory of 3384	952	sysmon.exe	90
PID 3384 wrote to memory of 4768	3384	cmd.exe	92
PID 3384 wrote to memory of 4768	3384	cmd.exe	92
PID 3384 wrote to memory of 4780	3384	cmd.exe	93
PID 3384 wrote to memory of 4780	3384	cmd.exe	93
PID 3384 wrote to memory of 2832	3384	cmd.exe	98
PID 3384 wrote to memory of 2832	3384	cmd.exe	98
PID 2832 wrote to memory of 1928	2832	sysmon.exe	99
PID 2832 wrote to memory of 1928	2832	sysmon.exe	99
PID 1928 wrote to memory of 1212	1928	cmd.exe	101
PID 1928 wrote to memory of 1212	1928	cmd.exe	101
PID 1928 wrote to memory of 2228	1928	cmd.exe	102
PID 1928 wrote to memory of 2228	1928	cmd.exe	102
PID 1928 wrote to memory of 64	1928	cmd.exe	103
PID 1928 wrote to memory of 64	1928	cmd.exe	103
PID 64 wrote to memory of 1824	64	sysmon.exe	104
PID 64 wrote to memory of 1824	64	sysmon.exe	104
PID 1824 wrote to memory of 3528	1824	cmd.exe	106
PID 1824 wrote to memory of 3528	1824	cmd.exe	106
PID 1824 wrote to memory of 4104	1824	cmd.exe	107
PID 1824 wrote to memory of 4104	1824	cmd.exe	107
PID 1824 wrote to memory of 1896	1824	cmd.exe	110
PID 1824 wrote to memory of 1896	1824	cmd.exe	110
PID 1896 wrote to memory of 2880	1896	sysmon.exe	111
PID 1896 wrote to memory of 2880	1896	sysmon.exe	111
PID 2880 wrote to memory of 3396	2880	cmd.exe	113
PID 2880 wrote to memory of 3396	2880	cmd.exe	113
PID 2880 wrote to memory of 4352	2880	cmd.exe	114
PID 2880 wrote to memory of 4352	2880	cmd.exe	114
PID 2880 wrote to memory of 3388	2880	cmd.exe	115
PID 2880 wrote to memory of 3388	2880	cmd.exe	115
PID 3388 wrote to memory of 4460	3388	sysmon.exe	116
PID 3388 wrote to memory of 4460	3388	sysmon.exe	116
PID 4460 wrote to memory of 924	4460	cmd.exe	118
PID 4460 wrote to memory of 924	4460	cmd.exe	118
PID 4460 wrote to memory of 3472	4460	cmd.exe	119
PID 4460 wrote to memory of 3472	4460	cmd.exe	119
PID 4460 wrote to memory of 3424	4460	cmd.exe	120
PID 4460 wrote to memory of 3424	4460	cmd.exe	120
PID 3424 wrote to memory of 212	3424	sysmon.exe	121
PID 3424 wrote to memory of 212	3424	sysmon.exe	121
PID 212 wrote to memory of 1040	212	cmd.exe	123
PID 212 wrote to memory of 1040	212	cmd.exe	123
PID 212 wrote to memory of 3584	212	cmd.exe	124
PID 212 wrote to memory of 3584	212	cmd.exe	124
PID 212 wrote to memory of 100	212	cmd.exe	125
PID 212 wrote to memory of 100	212	cmd.exe	125
PID 100 wrote to memory of 4472	100	sysmon.exe	126
PID 100 wrote to memory of 4472	100	sysmon.exe	126
PID 4472 wrote to memory of 4756	4472	cmd.exe	128
PID 4472 wrote to memory of 4756	4472	cmd.exe	128
PID 4472 wrote to memory of 4240	4472	cmd.exe	129
PID 4472 wrote to memory of 4240	4472	cmd.exe	129
PID 4472 wrote to memory of 548	4472	cmd.exe	130
PID 4472 wrote to memory of 548	4472	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
"C:\Users\Admin\AppData\Local\Temp\7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SxE0obVb9B.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:924
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3732
- - C:\Recovery\WindowsRE\sysmon.exe
    "C:\Recovery\WindowsRE\sysmon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lpuFzxtUQC.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3384
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4768
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4780
    - - C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2228
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4352
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3472
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3584
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EMqflE6MDZ.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4240
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat"
        18⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3468
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat"
        20⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4540
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NS7UfUfsaQ.bat"
        22⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3736
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat"
        24⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2248
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat"
        26⤵
        
        PID:3260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4228
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat"
        28⤵
        
        PID:4004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1040
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vNvnxsZ1IN.bat"
        30⤵
        
        PID:3784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1000
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        32⤵
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644
        
        C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat"
        34⤵
        
        PID:1756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sysmon.exe

Filesize
762KB

MD5
90b452d84800d6430baba6ef4a5b965d

SHA1
d0597496e9fe52aeae9b299af9c23934b15bc1c7

SHA256
7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309

SHA512
3f805f25b6ae57fdeecb0c29275e9aab0d6cefe8e7ca162bab21b1631a1641ecd93b78fecd64a42d34baab2f34ee34e1e6bf2df30e86b15a5847c4035179ab8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat

Filesize
160B

MD5
0ba1b9497b1d31ec4f67e175c5d9a4b0

SHA1
3eb01e6a58d36128912a415742916b7b4407fc35

SHA256
832ebc020b915d614b31abc26fc7ee19bcec9892795d5fb498763d9a546e2704

SHA512
d895845dbc3d095411aea98945c52e5440467005729cba8f8f021ff913ab6907bc8abd298b0a7819c5d55bd4c7034c8a0489b8f320f6b362cdf0e77801d0e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat

Filesize
160B

MD5
3294a472ef7adfe75217be02231c160e

SHA1
1492df539ba1aeb0a44e985882557d4e83b69261

SHA256
42f464dcf34b0bb699741b6ddd6d6951af009c7145099e047dc4045c74b23978

SHA512
357a68ffd2afb94cff2da1f8c8b8d9f87934782da1b7545c8a0cecf7f089555d34ee721e521451432af0ebd0b43c1fb4cf65b05db9067208abe0e740f726230f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat

Filesize
160B

MD5
f0d22a7ac30659d28a3ff2172a27af5e

SHA1
4fb454500ff6f1af7cbff8cb5e84123b36721f07

SHA256
2790635dfa1133cccccb7377eb68edc7922925be5f3e35141d2207f9d498eeb5

SHA512
7d25eeaea82e7d70fcca8820fe9d0fa036d2691b5caab872ac0208dc4890f395d4cf0b2f9303c066565097713496e9c458c7f57f76207b4eb8a444666bdecac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat

Filesize
208B

MD5
c558c7a4286e0b55e163f18f42f99afc

SHA1
822dd7f428f5dc91ef2cf00182b079382bfd0523

SHA256
42042362e2ec0350e7d3356bccbe772b2c90d84f32cc6034f7d4e6017b1e144d

SHA512
7b350024540850e47e2b0335ac1993f3dbc55d325b158ef3ee44c8f5d236e4c7d077a0745a60594c74822dbf3e64a1da43aa2438b442e39e9eaa5da64fd711a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMqflE6MDZ.bat

Filesize
208B

MD5
3153fc292148a2d952346652ea2b69bc

SHA1
9a41d3dd53ffdb7bb547449599c98733a59c5dda

SHA256
1b8efe3338820651d22c02aabfd451d6b6bd651a70a83e54a020a0d5532f0a0c

SHA512
3e4c1c0f3ad6da28ab7a3cdfdc412771d1da3c7f14ddb727677796c9c58874ccc16d9ea419389a82df229ebf5e0c25d213c90b17c54b2fd1bd4c3252a7c14e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\NS7UfUfsaQ.bat

Filesize
208B

MD5
930089cb17fb0eb8237127766d414c70

SHA1
c93d01e7401f0e3e064afcf997c93fdb5c7aeaaf

SHA256
429a43ec3db6d313fafe2fbd6f1291c4253be83c8ad6b14755886f0698a6cbf8

SHA512
efb22db820a5aa97cbf280f3a3bbbceec0807f7816c19d238437f2ca30c8ef064ecb42df42494c3df493bf1f6690ef8162d573f27bb3a7ad6e30bda6ae1f5e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat

Filesize
208B

MD5
da55f30c1ede3fdf86f39180a8c01697

SHA1
0844f910b2d407f2a4a9749b7742458ce0c76eb2

SHA256
c87193edf3726002e0cd544b9a60a5387e887b13bdb9518abed4878b68cb281f

SHA512
b6459a03be82a139a429dbdbfad6a58c45fc528edbc26d52df84055257d396637d01bf7f3dde90242d6d09d2cf1f9a432ea389cf8362b1530457eea279e286cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat

Filesize
208B

MD5
9afb2c07541e98bae74b1195128ced50

SHA1
3387463cd353b34db92622d86349894141ade4b2

SHA256
8dd86154c8f60fb56c14c74358594af761825913814d955194e724d2e3bcc332

SHA512
e5a12e01744b2e7a217bc456ab7781a65047bcbe5bb543dc7d219dda4a79878014948cb66d16fdd4b4232755bce47b4b04dff276f9f1db79cfab05dea84849ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SxE0obVb9B.bat

Filesize
208B

MD5
db0488e58e9563193ccefdf671765cc5

SHA1
afb083f8a404022de8e6e2cd0d23eb4ea15f2427

SHA256
c711d11a68e42150a9ef7ebbb857b308648d63672b52fac977e3181ddb58f6ba

SHA512
b921a7098361dc3b6da1620ef3141f282279806574c8129bd9ceba5771030d941fca39700ad47078a54069fd8d629e4884f3415b0321cc5edeb1604208b3501f

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat

Filesize
208B

MD5
a40dfec978652968c1cd2c8f0db54034

SHA1
7c9bfbd4ba955415f78701a7f3b8aa0c07625af4

SHA256
d95f331ac65399a88cdbaadd528cecb4b55faa6bf18852d00d42b56979528e40

SHA512
f461d470073cb907f9629e9999877439b42b48ed3abe24159f5907a813c4319e7b8d80d2f19c45327c0de4dee5265a86cb2209ad0b189e4e58d3def0a1a7c5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat

Filesize
208B

MD5
071ac6f6bfbc8b5710980110d6f6f1cd

SHA1
cf76e6cb7cd541e5fe9239000eaa8b8550993693

SHA256
764a854f69781aa53641740c4172930fd446ab671b668ee2e76ac52b5752dda6

SHA512
42043b410bc287ec40e800d6d8a2cdbcc1491fb14ebc1029a42ea855a3797119d555dd9ebf0cde351615ae5048ca151f31aba4b7d58383609353a78a3f63d5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat

Filesize
208B

MD5
5e1c21d9482727b01431917d315eb45d

SHA1
4d1cebfdd629de1c1ab6afc716ab62e9c9d2d8ca

SHA256
05ca1cfc87a17817bdb22af15f0e2287ec4969f97bb38a8a7440c3540c94586a

SHA512
05bd4314651b3084981773c3f484d69768fb0b4e02a0bfe30f9c9ffa1f573a51965df10424368210eadee5a52c37d81bde386934d9d4da578e6e671009d7cc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpuFzxtUQC.bat

Filesize
160B

MD5
3c22a355d46dfbf7b35779474513343e

SHA1
8b2f07fadf3587ed529c38005d07117c57df27e0

SHA256
f4feaee37f8651822abe19482dc628fe96f1d7f36c9094921de42f683dfe738b

SHA512
5fee641cada63c6ad356e6045eb496d88caad866c25452653e9d8132a4d7a8670415c9e4cce6da5fef6a994b95cfb1aaca7377cf71d45ac4bbb4ffb1e645b8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat

Filesize
160B

MD5
1d70fde1a007ab550369c3ad2d15c963

SHA1
d8ca54929c6f278656631be73b7ccb9cee3245d2

SHA256
85fc906a2cf3267eaccd1f9c37cc45fda4844ec7ae0ffedfed2cd4acbf82fef6

SHA512
f21fc09ba212095fbdc8f43e6e417a7e767db8f40b0407816d3b0f38b5d51680d45b9601d58958429cc5ef00c27ee2c93f00e455fb6148c932149c95819d781d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vNvnxsZ1IN.bat

Filesize
208B

MD5
ecedd517085a446a048608e30854e7b8

SHA1
5a0932755f76f80802f83091ce6ead6f64ffa266

SHA256
0e0263ab4dc0b10353c4bbc28eb5d9fb317f131f293b6376f67908c1f8c041c0

SHA512
c184efff224ddd2af7f11f75438160f478997e00d8ccf0a8452b28d9c93458579fabf610ce00617bd3d10840b29d2ef37dfb09ed87f8755bc2429d4e65774189

Download Submit
memory/952-37-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/952-36-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/952-47-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-26-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-32-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-29-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-27-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-0-0x00007FFCA9BA3000-0x00007FFCA9BA5000-memory.dmp

Filesize
8KB

Download
memory/4824-12-0x000000001B6A0000-0x000000001B6AE000-memory.dmp

Filesize
56KB

Download
memory/4824-10-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-9-0x000000001B690000-0x000000001B69E000-memory.dmp

Filesize
56KB

Download
memory/4824-7-0x000000001B6D0000-0x000000001B6E8000-memory.dmp

Filesize
96KB

Download
memory/4824-5-0x000000001B760000-0x000000001B7B0000-memory.dmp

Filesize
320KB

Download
memory/4824-4-0x000000001B6B0000-0x000000001B6CC000-memory.dmp

Filesize
112KB

Download
memory/4824-2-0x00007FFCA9BA0000-0x00007FFCAA661000-memory.dmp

Filesize
10.8MB

Download
memory/4824-1-0x0000000000A70000-0x0000000000B36000-memory.dmp

Filesize
792KB

Download