Overview

overview

10

Static

static

3

XBinderOutput(1).exe

windows7-x64

10

XBinderOutput(1).exe

windows10-2004-x64

10

XBinderOutput(1).exe

windows10-ltsc 2021-x64

10

XBinderOutput(1).exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1786s
  • max time network
    1452s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput(1).exe

  • Size

    607KB

  • MD5

    19d31479381cfda2c9878b427f51a0c2

  • SHA1

    5b8774c60b71dd32e7325d0fbceb3434975ca7cc

  • SHA256

    e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

  • SHA512

    14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2

  • SSDEEP

    12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score
10/10
dcratcredential_accessdefense_evasiondiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Process spawned unexpected child process 46 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 31 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
      "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\blocksavesperfMonitorDll\reviewDll.exe
            "C:\blocksavesperfMonitorDll\reviewDll.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\LiveKernelReports\conhost.exe
              "C:\Windows\LiveKernelReports\conhost.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Drops file in Drivers directory
              • Manipulates Digital Signatures
              • Boot or Logon Autostart Execution: Print Processors
              • Checks computer location settings
              • Deletes itself
              • Executes dropped EXE
              • Indicator Removal: Clear Windows Event Logs
              • Drops desktop.ini file(s)
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Modifies termsrv.dll
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4260
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3820
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                    PID:748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
      1⤵
        PID:3632
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
        1⤵
          PID:3068
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
          1⤵
            PID:4644
          • C:\Windows\LiveKernelReports\conhost.exe
            C:\Windows\LiveKernelReports\conhost.exe
            1⤵
            • Executes dropped EXE
            PID:4768
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
            1⤵
              PID:4216
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
              1⤵
                PID:1900
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
                1⤵
                  PID:1356
                • C:\Windows\system32\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
                  1⤵
                    PID:388
                  • C:\Windows\LiveKernelReports\conhost.exe
                    C:\Windows\LiveKernelReports\conhost.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4396
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /delete /tn "conhost" /f
                    1⤵
                    • Process spawned unexpected child process
                    PID:4808
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /delete /tn "conhostc" /f
                    1⤵
                    • Process spawned unexpected child process
                    PID:1912
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /delete /tn "conhost" /f
                    1⤵
                    • Process spawned unexpected child process
                    PID:3420
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /delete /tn "conhostc" /f
                    1⤵
                    • Process spawned unexpected child process
                    PID:1728
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                    1⤵
                      PID:2012
                    • C:\Windows\system32\rundll32.exe
                      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                      1⤵
                        PID:1136

                      Network

                      MITRE ATT&CK Enterprise v15

                      Reconnaissance

                      Resource Development

                      Initial Access

                      Replication Through Removable Media

                      1
                      T1091

                      Execution

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Persistence

                      Boot or Logon Autostart Execution

                      2
                      T1547

                      Print Processors

                      1
                      T1547.012

                      Winlogon Helper DLL

                      1
                      T1547.004

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      2
                      T1547

                      Print Processors

                      1
                      T1547.012

                      Winlogon Helper DLL

                      1
                      T1547.004

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Defense Evasion

                      Indicator Removal

                      1
                      T1070

                      Clear Windows Event Logs

                      1
                      T1070.001

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Credentials from Password Stores

                      2
                      T1555

                      Credentials from Web Browsers

                      1
                      T1555.003

                      Windows Credential Manager

                      1
                      T1555.004

                      Unsecured Credentials

                      1
                      T1552

                      Credentials In Files

                      1
                      T1552.001

                      Discovery

                      Browser Information Discovery

                      1
                      T1217

                      Query Registry

                      2
                      T1012

                      System Information Discovery

                      2
                      T1082

                      System Location Discovery

                      1
                      T1614

                      System Language Discovery

                      1
                      T1614.001

                      Lateral Movement

                      Remote Services

                      1
                      T1021

                      Remote Desktop Protocol

                      1
                      T1021.001

                      Replication Through Removable Media

                      1
                      T1091

                      Collection

                      Data from Local System

                      1
                      T1005

                      Command and Control

                      Exfiltration

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\Microsoft.NET\RedistList\ebf1f9fa8afd6d
                        Filesize

                        216B

                        MD5

                        1a9fc1f643a1de0ab2bed1f7bdeda62e

                        SHA1

                        81cff6c0d0ad1b89729df8e0839c7fd328f6c9dd

                        SHA256

                        b5230afc88d8b30c3421d36cfdf5ec442873e77ebe5763f1add43c364b78cb80

                        SHA512

                        bbc0e8656e081bc1df82fbbb390595800a258d7e1d2e01a32056f4e9d30cad7091c336b494e06f1d07685fda13560a1369e311bc414825a85924ad3ddf6df10e

                        Download Submit

                      • C:\Program Files\Windows Photo Viewer\de-DE\ea9f0e6c9e2dcd
                        Filesize

                        244B

                        MD5

                        02dd8ad56d16201a69e5fcf73345429b

                        SHA1

                        8faf51cd1c1be7c9c83255b8155010899025515e

                        SHA256

                        11c44c1611e26a4e87169b59452ebcee5ad8eb4bb62f7ca5337f220c78f028c9

                        SHA512

                        49a3b4baa2e9201176ce683c692e519d6a3afca987b5f2338d8bced701516bfdd156e29bfee32804c471838ab44a58a899d18e1343e0f28c7a1d2297b8df9de5

                        Download Submit

                      • C:\Program Files\Windows Portable Devices\0a1fd5f707cd16
                        Filesize

                        254B

                        MD5

                        0089e8158db503a0cf3d78e4aa6c7e07

                        SHA1

                        bf6497a4e8e7bee66b3f6d959300533996cadf5f

                        SHA256

                        c195508d0ea54f354e8df91151ee7f67031cb8c9aa676163e453b9c97250401f

                        SHA512

                        0496f59867ba93fc6cd64ca2e5eb3a5ac5005b0d0cd16668a89b033057dfc05e629d8e3f678791174d8f8a360159d5398b4ab57143d9031575f948b5eec33a47

                        Download Submit

                      • C:\ProgramData\6ccacd8608530f
                        Filesize

                        362B

                        MD5

                        560cc3c0b1fd3ffbb030e4ea4a9390a2

                        SHA1

                        2689aa37347d61e4c870ffb986ebd37efbc18e2c

                        SHA256

                        eebd6afa3a952c60d368d98431420ac7cad0aec90784a0e21731e5cf5201c807

                        SHA512

                        6c600644a527250ec2735d8c1950742a07074e7b7ffbaebe84fb2a8b1ea02b4e9719e2dc9f0ed0962224d07ce45830c3621491d98838ea64061ff861ece66da7

                        Download Submit

                      • C:\Recovery\WindowsRE\c5b4cb5e9653cc
                        Filesize

                        467B

                        MD5

                        a0ad7316f4d0e0af5e4dd2a8a82ee65c

                        SHA1

                        98bbeecccb7766d215284f5d5664456bbd5e4736

                        SHA256

                        c791eef6ad1b83577158100cb9566d3020fb9b127c2257b21d4b6cfa8b1d5402

                        SHA512

                        da6a6f1b4686d235e1822f3e88c72a5f68550367a64b6c324aaa05c1b47e0cfabf0f77ba996d205f66539898e15fd52b8a7631f9533dec60cdde78de432fa4ea

                        Download Submit

                      • C:\Recovery\WindowsRE\e1ef82546f0b02
                        Filesize

                        709B

                        MD5

                        89d43c823ca3f166e41faba19c2ddd97

                        SHA1

                        c28a7c443ae001ce5c366860596e3b19d5565c56

                        SHA256

                        e5d7c2e768accc11dbe91233a8250ca157c43296f1b8a4496f694f5708bf793f

                        SHA512

                        429c7a5303e31e928313873e27907ee837f07275f0cbb2d8340919d60bc5934b7decf1790fa0837b6bc7db5fbb83ff7becd3f6805dbdb17803f222a39ee8f279

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp
                        Filesize

                        8KB

                        MD5

                        f3c546572680c1bc8a995889173473c7

                        SHA1

                        85da8072c452bbbeb85baefdcff96fd9de9349c0

                        SHA256

                        92f5626a35bd1b1f57e2584cadba0f73057642369ff0aea9d2a8535e19d4a2fd

                        SHA512

                        d23c368f09d7929b376e97f084913eb92d8162a93bdd2032c42fd43eaa16c1598bcc7531cb935c314dd69ee5bf9e6665bac89dea77d3acf181e251232d032dad

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx
                        Filesize

                        3.0MB

                        MD5

                        cba98d12dd6b630b3254223f2451e07d

                        SHA1

                        cf47fbce1297c6847a70bad5be29fa9576565c32

                        SHA256

                        e81bee299e5199bfc4e7d33f7ba8b2ac2397f4dea3e10b4cd94d739a989493fa

                        SHA512

                        23c2def7bd3ecb927be1317f5cb08bddb0474113437349acbe81f304ed531e34efc96341f7796152007fc1a9433c0ee854717c3c72c3fe23975236f05b4d55d7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx
                        Filesize

                        3.0MB

                        MD5

                        d1dd210d6b1312cb342b56d02bd5e651

                        SHA1

                        1e5f8def40bb0cb0f7156b9c2bab9efb49cfb699

                        SHA256

                        bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5

                        SHA512

                        37a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
                        Filesize

                        16KB

                        MD5

                        94d5c6f4fcf80291320c32032a29346e

                        SHA1

                        c223910577dee2c14dc86f37c6defae5f9cf9f85

                        SHA256

                        498106b26404b8d16ff84bc1c93a2d59c6dcee952384207a6753b33f535cfe33

                        SHA512

                        f3afefa9f0f250374b0f4df3ca71b6e12c815e0548ab418847c9fbe803ba344d1714a1c52c5dfe9ed7b5d4cadfcec794a5ffd0d6770f80195c7b15865b2fdc1c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol
                        Filesize

                        6.0MB

                        MD5

                        60382910f9dadc6f0d43a8012ad8e781

                        SHA1

                        39f2682ce383f1e803c04587d3565028a17f6dd2

                        SHA256

                        f1756998832e5bbc6abc8c30be266d2a751a0093e40cf4c628b174976b14aa39

                        SHA512

                        a4f7fd7f76676f0d148ccd62908baf7a0e4d9f039595ffa712f209370c9550196b11b989dce2223839351a77ffef02e9b3994845d7724c3b71386988b32a2c16

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\tmp.edb
                        Filesize

                        192KB

                        MD5

                        cb880f47205b1f321001906ceec4cc00

                        SHA1

                        367724f2e99687c2d2b090788cb690b74157efaa

                        SHA256

                        2ff0a31099478d08e4ac8b444fa602950b89a2a0af1e0bf7971c56e663bc5b03

                        SHA512

                        bcd6c21004640426b3e53079d44ae7a5636a104a1b146b22dabbf3912923d1a1fbee7480070abe97e3bd4f8b8a2bc5262b4f435b11e235737ac0efea7002f013

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XBinderOutput(1).exe.log
                        Filesize

                        654B

                        MD5

                        2ff39f6c7249774be85fd60a8f9a245e

                        SHA1

                        684ff36b31aedc1e587c8496c02722c6698c1c4e

                        SHA256

                        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                        SHA512

                        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewDll.exe.log
                        Filesize

                        1KB

                        MD5

                        7f3c0ae41f0d9ae10a8985a2c327b8fb

                        SHA1

                        d58622bf6b5071beacf3b35bb505bde2000983e3

                        SHA256

                        519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

                        SHA512

                        8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat
                        Filesize

                        269B

                        MD5

                        138612dafc7f69ff5345a52d3df8980a

                        SHA1

                        dd0c001ef448a19d67919da7e6b487d9f14bf5ae

                        SHA256

                        2d0c06c7a35de81225987c7d69cec6ba1ee90a454a816b9cc629c10bf11a52a8

                        SHA512

                        cbac81ed737af85628529c15ffbc71b2e41b65d6db2c728904d07afb27d25dae6a5539a5fec257b48c34ec376f69ba463f075ebe5b8c86b41522e967244a7f11

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
                        Filesize

                        1.1MB

                        MD5

                        0d015cc111d53a019e680b0bed11fcad

                        SHA1

                        3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

                        SHA256

                        2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

                        SHA512

                        c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

                        Download Submit

                      • C:\Users\Public\Videos\56085415360792
                        Filesize

                        669B

                        MD5

                        4dd3ed7933dc0e4d1169bdf5df52adc2

                        SHA1

                        e5e462d6e520e0b1da059a53da76573ab6ad8da3

                        SHA256

                        21d4742caf6cde6696a8d05819d85e18ec9e0992752c829de22619dff3f8145f

                        SHA512

                        ca4a5988276fe866da8e6f89dc3dbcba0c68b6b6b2a9532b5e5a58b7e82082122ab85beddc6f9e197e81003b3ae94b70bbdb63f402b5137e8b6cb9dfecfaf72a

                        Download Submit

                      • C:\Windows\INF\.NET Data Provider for Oracle\0410\24dbde2999530e
                        Filesize

                        455B

                        MD5

                        b7b6604195989a6b902e2bcb46dbad8d

                        SHA1

                        1d6cc9050489b23f3923a71abc861eb36e551f29

                        SHA256

                        efa2db891b7155d21a307ace9be3dedf6f3f7c8efa6acee66de5f92dd06f0c08

                        SHA512

                        6b0c99d0f2eeacbc38111d1be37b11576ab99a8d6ef81dc3dfbc3c567463e3c7df107f5d992420cbf2ceefbbe4608a7b7a63a6f4cebc28fcc3d8daa051b05599

                        Download Submit

                      • C:\Windows\LiveKernelReports\088424020bedd6
                        Filesize

                        339B

                        MD5

                        3236ad64ccdf47ab6d94377686c87ba8

                        SHA1

                        7f2e0e3fc2bf8467163eaecbc4ca0b22d1736073

                        SHA256

                        e2c69a7c3750b8e04f925b5494294640cd4659dba8d33c1ebdafcecefebcb088

                        SHA512

                        09a158711df8403992038f9f0f3e13aba91615cf0e9f7cba3312a6318aa3b55c37499c3f94a6ea6df6c72aa42da53c634b16230e91267f6de48562cb109fc40c

                        Download Submit

                      • C:\Windows\Resources\Themes\aero\uk-UA\ea1d8f6d871115
                        Filesize

                        675B

                        MD5

                        e3736b66421a1728fc6c808345060382

                        SHA1

                        ddbde4c72bb2ac74f65f20e6694cb0c79f742c91

                        SHA256

                        151554d200dec16eb05974d414c8cb182840e51a63b9a4e5e5d60d407b36c7f4

                        SHA512

                        6f56164ba740eb73d6b550d87304d5b5a9ab907e0381c2cc9adbca1693a770df4a8a7b6c05250f4dd7be5b26708a1f9fc6db4a37035d4cebaea9af347adbdc2a

                        Download Submit

                      • C:\Windows\Vss\Writers\66fc9ff0ee96c2
                        Filesize

                        497B

                        MD5

                        2718f64fad62f3accf9b0ebaafb1e820

                        SHA1

                        86ede34106c909c00bd4c0cb69de8d5648771fda

                        SHA256

                        8daba2f25b9ca4a1ccdd692045ac9f211f7be769b1b6cfc1132e116c58a5349f

                        SHA512

                        5908d5d83e53c7842becd7ba0d281fcca8641599e7a272891f53659268d38f9b2e4f1e80f6479871a31af26aa521ed3d99a9b771eb58d8d4e1cdc82de030e1fb

                        Download Submit

                      • C:\blocksavesperfMonitorDll\9e8d7a4ca61bd9
                        Filesize

                        723B

                        MD5

                        a399f7341ef1972689691d6dece8a92c

                        SHA1

                        9337bfc2d800dd833708b891297e724709d9ffb2

                        SHA256

                        7a50de93e1ccdb17e86cc3f3eddc360af70eb7ae4e4566bee44c0239b3d27d8d

                        SHA512

                        e3bcee703d95387143c1e1699a2a0fbcd33ee0f95821eff87011b2e4a1dd0714c0b60f19230f4a7862be6744402787e8ca93b09a208eefca61b6bf25019114de

                        Download Submit

                      • C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe
                        Filesize

                        222B

                        MD5

                        a6f295a2e58c722b5935cc905e81fd8b

                        SHA1

                        a2a30408197320a639e3e2f18a57fc8578c97b58

                        SHA256

                        8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

                        SHA512

                        839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

                        Download Submit

                      • C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat
                        Filesize

                        43B

                        MD5

                        7c582abd8874b9cc60df72d62bd86440

                        SHA1

                        564e7b01338d08f657f2c02fa8fc5b8dadb92331

                        SHA256

                        c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

                        SHA512

                        444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

                        Download Submit

                      • C:\blocksavesperfMonitorDll\ebf1f9fa8afd6d
                        Filesize

                        257B

                        MD5

                        8b6e8195ce3abc5c28f44cfd9f541881

                        SHA1

                        b1e474cb0f6033635bb2a023ea77fc318cbe66ab

                        SHA256

                        49802aa888ee285b5c738c5dfb187d7c0dd158426e7b47a490c23e26ede60c32

                        SHA512

                        215434f3d2ee660a824632e6fd7e9d6128736351090e3bb4d8a840b3dd45a727438827dc5f940664ee0b2910b9dcf754a8747a1f86253a425715091a0f79ea18

                        Download Submit

                      • C:\blocksavesperfMonitorDll\f3b6ecef712a24
                        Filesize

                        818B

                        MD5

                        7350f0fbd09b0ddfb9b6e6ee5c8eac00

                        SHA1

                        5e015bee370966fe9d9b43019400e5f365e0258f

                        SHA256

                        480925edd430e1d2f393bbba6f2b51a7c20b678756a3150157386c17c5e3a59e

                        SHA512

                        51db1882e659b09eb2099446cf5a692b0e9218eda94d04a6d98ac918ae1f851e039cf87c0d24cb331ffee38973d7a81764cca7af184831665ba72a2119ed51fb

                        Download Submit

                      • C:\blocksavesperfMonitorDll\reviewDll.exe
                        Filesize

                        828KB

                        MD5

                        d9dac9e1d95e84e6aec084cf2ddb3f3a

                        SHA1

                        a231a41c7ad994879b15116dcea41fdc09bb5879

                        SHA256

                        0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

                        SHA512

                        c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

                        Download Submit

                      • memory/1904-25-0x0000000000480000-0x0000000000556000-memory.dmp

                        Filesize

                        856KB

                        Download

                      • memory/3732-0-0x00007FF8E41C3000-0x00007FF8E41C5000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/3732-11-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/3732-7-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/3732-1-0x0000000000A10000-0x0000000000AAE000-memory.dmp

                        Filesize

                        632KB

                        Download

                      • memory/3864-137-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-152-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-138-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-139-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-140-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-141-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-143-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-142-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-147-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-146-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-145-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-144-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-150-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-148-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-149-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-136-0x000002515B1A0000-0x000002515B1A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-151-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-153-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-154-0x000002515B1C0000-0x000002515B1C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-155-0x000002515B1D0000-0x000002515B1D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-156-0x000002515B1D0000-0x000002515B1D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-157-0x000002515B1E0000-0x000002515B1E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-158-0x000002515CA30000-0x000002515CA31000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-159-0x000002515CA30000-0x000002515CA31000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-133-0x000002515B190000-0x000002515B191000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-135-0x000002515B1A0000-0x000002515B1A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-134-0x000002515B1A0000-0x000002515B1A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-131-0x000002515B190000-0x000002515B191000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-129-0x000002515B050000-0x000002515B051000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3864-94-0x0000025152D40000-0x0000025152D50000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3864-111-0x0000025152E50000-0x0000025152E60000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4768-167-0x000000001C170000-0x000000001C6A0000-memory.dmp

                        Filesize

                        5.2MB

                        Download