dcrat | 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Size

3.5MB
MD5

6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1

0eba0dd22b3f5053798eba26e027ef7383602774
SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512

f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP

98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exedllhost.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
4832	dllhost.exe
3032	dllhost.exe
436	dllhost.exe
3084	dllhost.exe
1408	dllhost.exe
1860	dllhost.exe
3772	dllhost.exe
4884	dllhost.exe
2176	dllhost.exe
2972	dllhost.exe
548	dllhost.exe
3440	dllhost.exe
3596	dllhost.exe
384	dllhost.exe
3264	dllhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\6cb0b6c459d5d3	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Java\jdk-1.8\9e8d7a4ca61bd9	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2004	PING.EXE
1920	PING.EXE
3888	PING.EXE
3196	PING.EXE

Modifies registry class 15 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3196	PING.EXE
2004	PING.EXE
1920	PING.EXE
3888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

pid	Process
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	4832	dllhost.exe
Token: SeDebugPrivilege	3032	dllhost.exe
Token: SeDebugPrivilege	436	dllhost.exe
Token: SeDebugPrivilege	3084	dllhost.exe
Token: SeDebugPrivilege	1408	dllhost.exe
Token: SeDebugPrivilege	1860	dllhost.exe
Token: SeDebugPrivilege	3772	dllhost.exe
Token: SeDebugPrivilege	4884	dllhost.exe
Token: SeDebugPrivilege	2176	dllhost.exe
Token: SeDebugPrivilege	2972	dllhost.exe
Token: SeDebugPrivilege	548	dllhost.exe
Token: SeDebugPrivilege	3440	dllhost.exe
Token: SeDebugPrivilege	3596	dllhost.exe
Token: SeDebugPrivilege	384	dllhost.exe
Token: SeDebugPrivilege	3264	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exe

description	pid	Process	procid_target
PID 1308 wrote to memory of 4524	1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	91
PID 1308 wrote to memory of 4524	1308	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	91
PID 4524 wrote to memory of 924	4524	cmd.exe	93
PID 4524 wrote to memory of 924	4524	cmd.exe	93
PID 4524 wrote to memory of 2676	4524	cmd.exe	94
PID 4524 wrote to memory of 2676	4524	cmd.exe	94
PID 4524 wrote to memory of 4832	4524	cmd.exe	101
PID 4524 wrote to memory of 4832	4524	cmd.exe	101
PID 4832 wrote to memory of 2332	4832	dllhost.exe	104
PID 4832 wrote to memory of 2332	4832	dllhost.exe	104
PID 2332 wrote to memory of 8	2332	cmd.exe	106
PID 2332 wrote to memory of 8	2332	cmd.exe	106
PID 2332 wrote to memory of 4308	2332	cmd.exe	107
PID 2332 wrote to memory of 4308	2332	cmd.exe	107
PID 2332 wrote to memory of 3032	2332	cmd.exe	109
PID 2332 wrote to memory of 3032	2332	cmd.exe	109
PID 3032 wrote to memory of 1148	3032	dllhost.exe	112
PID 3032 wrote to memory of 1148	3032	dllhost.exe	112
PID 1148 wrote to memory of 1308	1148	cmd.exe	114
PID 1148 wrote to memory of 1308	1148	cmd.exe	114
PID 1148 wrote to memory of 4564	1148	cmd.exe	115
PID 1148 wrote to memory of 4564	1148	cmd.exe	115
PID 1148 wrote to memory of 436	1148	cmd.exe	119
PID 1148 wrote to memory of 436	1148	cmd.exe	119
PID 436 wrote to memory of 1756	436	dllhost.exe	123
PID 436 wrote to memory of 1756	436	dllhost.exe	123
PID 1756 wrote to memory of 2176	1756	cmd.exe	125
PID 1756 wrote to memory of 2176	1756	cmd.exe	125
PID 1756 wrote to memory of 956	1756	cmd.exe	126
PID 1756 wrote to memory of 956	1756	cmd.exe	126
PID 1756 wrote to memory of 3084	1756	cmd.exe	129
PID 1756 wrote to memory of 3084	1756	cmd.exe	129
PID 3084 wrote to memory of 2636	3084	dllhost.exe	131
PID 3084 wrote to memory of 2636	3084	dllhost.exe	131
PID 2636 wrote to memory of 1076	2636	cmd.exe	133
PID 2636 wrote to memory of 1076	2636	cmd.exe	133
PID 2636 wrote to memory of 2004	2636	cmd.exe	134
PID 2636 wrote to memory of 2004	2636	cmd.exe	134
PID 2636 wrote to memory of 1408	2636	cmd.exe	136
PID 2636 wrote to memory of 1408	2636	cmd.exe	136
PID 1408 wrote to memory of 4980	1408	dllhost.exe	139
PID 1408 wrote to memory of 4980	1408	dllhost.exe	139
PID 4980 wrote to memory of 3196	4980	cmd.exe	141
PID 4980 wrote to memory of 3196	4980	cmd.exe	141
PID 4980 wrote to memory of 1920	4980	cmd.exe	142
PID 4980 wrote to memory of 1920	4980	cmd.exe	142
PID 4980 wrote to memory of 1860	4980	cmd.exe	144
PID 4980 wrote to memory of 1860	4980	cmd.exe	144
PID 1860 wrote to memory of 536	1860	dllhost.exe	147
PID 1860 wrote to memory of 536	1860	dllhost.exe	147
PID 536 wrote to memory of 5056	536	cmd.exe	149
PID 536 wrote to memory of 5056	536	cmd.exe	149
PID 536 wrote to memory of 4800	536	cmd.exe	150
PID 536 wrote to memory of 4800	536	cmd.exe	150
PID 536 wrote to memory of 3772	536	cmd.exe	153
PID 536 wrote to memory of 3772	536	cmd.exe	153
PID 3772 wrote to memory of 4468	3772	dllhost.exe	156
PID 3772 wrote to memory of 4468	3772	dllhost.exe	156
PID 4468 wrote to memory of 4816	4468	cmd.exe	158
PID 4468 wrote to memory of 4816	4468	cmd.exe	158
PID 4468 wrote to memory of 404	4468	cmd.exe	159
PID 4468 wrote to memory of 404	4468	cmd.exe	159
PID 4468 wrote to memory of 4884	4468	cmd.exe	161
PID 4468 wrote to memory of 4884	4468	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0x37yGnMh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:924
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2676
- - C:\Users\Public\dllhost.exe
    "C:\Users\Public\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:8
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4308
    - - C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4564
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:956
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2JnastWSjL.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4800
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:404
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat"
        18⤵
        
        PID:4456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4980
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat"
        20⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2416
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZLKnXXaim4.bat"
        22⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3824
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        24⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat"
        26⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat"
        28⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4996
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat"
        30⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3444
        
        C:\Users\Public\dllhost.exe
        
        "C:\Users\Public\dllhost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe

Filesize
3.5MB

MD5
6c5f6433bae4cbf3dc2d1fd40b716b08

SHA1
0eba0dd22b3f5053798eba26e027ef7383602774

SHA256
9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

SHA512
f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2JnastWSjL.bat

Filesize
155B

MD5
92b46ad56d16e21708a94d958bb038dd

SHA1
44f5c37b405386c9ee24531b8477763021d33a62

SHA256
fa3502218c067956414c84190d292e6316594c7e16f1498ad3b04733b2475410

SHA512
2bc078a2f48ba40fde2d2f6c08301e58a4fc41e17fd202e0b2d99647725077d89880bb62be3e170eb85428f991a7a3bf6a752c20cde7ed1d244e5084f73dd395

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat

Filesize
203B

MD5
d123bf3fbaa0d1012e2bb8adeb2c7406

SHA1
2266f5b9d4344f0154a6da3bcbca92fae225ea64

SHA256
b9e97df409b6fe05774b4bd2e95bbcec6b2ffc989a0f63585485181ec134d0e4

SHA512
e2c194adb29b3efc856d4460f8012a9c12227eec34da92c79b00b2978a40e204ea4fbda752f79b247cbb1c57b577e050ce4ada1886085638ca9f1267558cbd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat

Filesize
203B

MD5
94cc0d1e47dd9251e54dfeae25c5d02f

SHA1
a9038f49165bd82f37efd7d24ef474fa2905ae97

SHA256
bc296e63f640984fcb03269c54368f09ec2fb3e56a1cb9d1d15f4fa00d848e3d

SHA512
a472ceb8fb3c600520f0dfd7f4b6c71c64c70d4a505ead5b4582a07a95b406c506524cad27965a6c753c8c44f7663356861a74049be77ea157246a979800a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0x37yGnMh.bat

Filesize
203B

MD5
39d55f6433ba488b1e386bba76180957

SHA1
91d060019c4d2f6851fab11df6521a275d8d932e

SHA256
edb7ff66236283bf2e01af77b5963f6f3222a4cb39ef47d4bfc2f0ba8261cce8

SHA512
58dbb43b7ef6982d8edccf127bcbbf92f2be30190414d7ef1f2575515679369894268eacbb8586555b39d6bef63dd9d6e091990bc4fa31e9bcd0e1d9078d8f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat

Filesize
203B

MD5
f06a02e4d5bc476b1eeda20294b6d1bb

SHA1
5f7677f2d10d6ccdf310d26becba48ab08024183

SHA256
05e2db1a44ec4111dab633ba163f3cf2bf5153df0a4e0fd7872845c335f8bcfc

SHA512
5066256328db820db986880068e3728af3ae396024c1ed691d58eba3f01332cb7d4f87a7dc577f1d734903199976f7d7ad8668819fe47b33298b593d5865e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat

Filesize
203B

MD5
b19b9c5e4aa90386a445070db5a2c416

SHA1
7e041aca6226678d3031bfec934c5e9812f9a1d1

SHA256
7708819fc28b88c79475ffbf588e4f8d542189e4b5f9c87b0cb7c8059085fb57

SHA512
b86ee8dd62f0f9806be40e492f9f240e042c2563d076e1f2ecac81463a78bff01998757080c39a7dcd62badef8ed81003dd13aeceb9c3a922ec8a049cd34aa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat

Filesize
203B

MD5
990c39c3d21bca0bf60a4f76cbe53f07

SHA1
e55fcbcd1d422b1b0f98b9f1ee052a8de1cfc0e2

SHA256
52e12c91239f41b0c305129d7440a97517a74178aad2289024e8ce5a0e8de583

SHA512
940b689e3a0c4fc56557b6f8f6e1df2cdb49e4d5f7a83344f76d7c65b5b4f63b2276e3a0b2483b0c1e08fb64a0b90a8f10146ede8a5afc798c2d526cce2a35ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZLKnXXaim4.bat

Filesize
203B

MD5
77df627fc67e61dc098f16d1ffae5839

SHA1
742cfe3ad27f60a104559c5bbbcebbfcc6dd4897

SHA256
4e8ea0f9b29aad57524678c243941ed6d2d2bc4614be8ef9b0f43405d6f63a87

SHA512
620d9b4d182f2f893fc04153008ce077cc87dff1cbd02c1f97430ceac70ea98f6802dd2a1eaa3be24504ab20d7ab08ba115370e20f1d3dc1dd5fb05090061ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat

Filesize
155B

MD5
d6426ece98d7628bcd9d97f8d7155680

SHA1
7cd33afeb9af51c97f9ac0a5640170314b605b9a

SHA256
2a6723df6e14944b6b2acd1e53c1db4a9303ddbbc9da1f62512962b0aa87b91c

SHA512
905604fe7b0ac681bb70821e5578ac3609b2bd44bebf319b40518e4eec6bfabce3f27418e727c74d901d9eaea06722bcc8001ce4a20727808943ca36fe6e1f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat

Filesize
203B

MD5
15e3ad5eb76fa344ec75792eb3e13a89

SHA1
48fcb072a11774209776884985e9340af752ec18

SHA256
10a2f2eeda1c046c03ed160dfc3371da4de3bd6e25c696977314ce64e41f1688

SHA512
c8c54b3c5352c4d9b29f38d6397b2ad0fc9a0899cceb861e3e0d974fb8265d4f4fa4b1c3b91a8629b176f157696c5abefbc5adcbe69b49da9c0ded8c7f24c181

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat

Filesize
203B

MD5
203c334cdce00c249caad55d83d9a952

SHA1
82b3b8f183c3f0dcb0db3707694990d3c81dbc5e

SHA256
8ed7aaf066ecd2a7ef371ce390db4bac7c8e28c0a252341763687464fafcc163

SHA512
51273c8390850ff345186564ad2aeb241f7b2f88b32218e79da3f2c76ab741843266900eddbbb7109da55108c9d763e0de3398123be9136a3a3f1cd16f8bb477

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
155B

MD5
c4c013f517623caf0759b986e4a3f81f

SHA1
9991ca37420c3c6250ba1257e805554e701f742b

SHA256
da779cef0a1c9a6013785590db2cf51bda1241aee6f84413cc8c17f5578ec4ed

SHA512
74b699952f4b5c0d5fd35e6b83196025cd6c6155a7bf71937cd541e5ddf83e7c0554604df374a996ee2f9eb97ae4930c46a1a14c42b74c5b8976ebe8c5b41917

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat

Filesize
155B

MD5
1eb87f6fc991a8eccffdc03eb84ca0c9

SHA1
3cf4b63983cdfac76bfe122779290558b30daae5

SHA256
0813301b4376947dc485dd6bc696a2898d7dc52b7ade3bf8f5311e38811e7e29

SHA512
5075951c3749c718010d2c4bd697c045dd9acc6ee169d2b202e02035859d6de661d0a94b84225542f7d4e2ca07ab1e0e87b6a729144e754f0132ea94fa5fac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat

Filesize
203B

MD5
3777e8ec9c23fab201a7aac199967079

SHA1
9c4a61167a20c03098a7efa5b1fbae0902f26fc0

SHA256
7fa90748babeb1f697424cfb32a5cb1d783fff4494906f8a6abc4f99f6bc6824

SHA512
331aa807350c31fa2e2c86fbda99f9ace2d386d29041edf4061289bb98cfb898dab2c22253946bba1f3ea1504fc05fdae6936671a0b56ae40fd39bfb307bb440

Download Submit
memory/384-489-0x000000001CC90000-0x000000001CD5D000-memory.dmp

Filesize
820KB

Download
memory/384-488-0x000000001CBE0000-0x000000001CC89000-memory.dmp

Filesize
676KB

Download
memory/436-170-0x000000001D8F0000-0x000000001D9BD000-memory.dmp

Filesize
820KB

Download
memory/436-169-0x000000001D840000-0x000000001D8E9000-memory.dmp

Filesize
676KB

Download
memory/548-401-0x000000001C270000-0x000000001C319000-memory.dmp

Filesize
676KB

Download
memory/548-402-0x000000001C320000-0x000000001C3ED000-memory.dmp

Filesize
820KB

Download
memory/1308-79-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-1-0x0000000000C90000-0x0000000001016000-memory.dmp

Filesize
3.5MB

Download
memory/1308-34-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-37-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-38-0x000000001D7E0000-0x000000001DD08000-memory.dmp

Filesize
5.2MB

Download
memory/1308-40-0x000000001BBE0000-0x000000001BBEE000-memory.dmp

Filesize
56KB

Download
memory/1308-41-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-43-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/1308-44-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-46-0x000000001D1F0000-0x000000001D200000-memory.dmp

Filesize
64KB

Download
memory/1308-48-0x000000001D310000-0x000000001D36A000-memory.dmp

Filesize
360KB

Download
memory/1308-50-0x000000001D200000-0x000000001D20E000-memory.dmp

Filesize
56KB

Download
memory/1308-52-0x000000001D210000-0x000000001D220000-memory.dmp

Filesize
64KB

Download
memory/1308-58-0x000000001D3C0000-0x000000001D40E000-memory.dmp

Filesize
312KB

Download
memory/1308-56-0x000000001D2E0000-0x000000001D2F8000-memory.dmp

Filesize
96KB

Download
memory/1308-54-0x000000001D2B0000-0x000000001D2BE000-memory.dmp

Filesize
56KB

Download
memory/1308-64-0x00007FFAC20B3000-0x00007FFAC20B5000-memory.dmp

Filesize
8KB

Download
memory/1308-71-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-33-0x000000001D270000-0x000000001D286000-memory.dmp

Filesize
88KB

Download
memory/1308-77-0x000000001D610000-0x000000001D6DD000-memory.dmp

Filesize
820KB

Download
memory/1308-0-0x00007FFAC20B3000-0x00007FFAC20B5000-memory.dmp

Filesize
8KB

Download
memory/1308-78-0x000000001D6E0000-0x000000001D789000-memory.dmp

Filesize
676KB

Download
memory/1308-31-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-11-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-2-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-28-0x000000001D1D0000-0x000000001D1E2000-memory.dmp

Filesize
72KB

Download
memory/1308-30-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

Filesize
64KB

Download
memory/1308-3-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-4-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-26-0x000000001BB50000-0x000000001BB5E000-memory.dmp

Filesize
56KB

Download
memory/1308-24-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/1308-22-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/1308-20-0x000000001BBB0000-0x000000001BBC8000-memory.dmp

Filesize
96KB

Download
memory/1308-7-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-6-0x000000001BB60000-0x000000001BB86000-memory.dmp

Filesize
152KB

Download
memory/1308-15-0x000000001BB90000-0x000000001BBAC000-memory.dmp

Filesize
112KB

Download
memory/1308-36-0x000000001D290000-0x000000001D2A2000-memory.dmp

Filesize
72KB

Download
memory/1308-10-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-18-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/1308-13-0x0000000003130000-0x000000000313E000-memory.dmp

Filesize
56KB

Download
memory/1308-9-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-16-0x000000001D220000-0x000000001D270000-memory.dmp

Filesize
320KB

Download
memory/1308-8-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

Filesize
10.8MB

Download
memory/1408-227-0x000000001CB50000-0x000000001CBF9000-memory.dmp

Filesize
676KB

Download
memory/1408-228-0x000000001CC00000-0x000000001CCCD000-memory.dmp

Filesize
820KB

Download
memory/1860-257-0x000000001CEB0000-0x000000001CF7D000-memory.dmp

Filesize
820KB

Download
memory/1860-256-0x000000001CE00000-0x000000001CEA9000-memory.dmp

Filesize
676KB

Download
memory/2176-343-0x000000001DA30000-0x000000001DAD9000-memory.dmp

Filesize
676KB

Download
memory/2176-344-0x000000001E010000-0x000000001E0DD000-memory.dmp

Filesize
820KB

Download
memory/2972-373-0x000000001D390000-0x000000001D45D000-memory.dmp

Filesize
820KB

Download
memory/2972-372-0x000000001D2E0000-0x000000001D389000-memory.dmp

Filesize
676KB

Download
memory/3032-141-0x000000001D500000-0x000000001D5CD000-memory.dmp

Filesize
820KB

Download
memory/3032-140-0x000000001CF00000-0x000000001CFA9000-memory.dmp

Filesize
676KB

Download
memory/3084-198-0x000000001D400000-0x000000001D4A9000-memory.dmp

Filesize
676KB

Download
memory/3084-199-0x000000001DA00000-0x000000001DACD000-memory.dmp

Filesize
820KB

Download
memory/3440-430-0x000000001C640000-0x000000001C6E9000-memory.dmp

Filesize
676KB

Download
memory/3440-431-0x000000001C6F0000-0x000000001C7BD000-memory.dmp

Filesize
820KB

Download
memory/3596-459-0x000000001D220000-0x000000001D2C9000-memory.dmp

Filesize
676KB

Download
memory/3596-460-0x000000001D2D0000-0x000000001D39D000-memory.dmp

Filesize
820KB

Download
memory/3772-285-0x000000001CC30000-0x000000001CCD9000-memory.dmp

Filesize
676KB

Download
memory/3772-286-0x000000001CCE0000-0x000000001CDAD000-memory.dmp

Filesize
820KB

Download
memory/4832-111-0x000000001D460000-0x000000001D52D000-memory.dmp

Filesize
820KB

Download
memory/4832-110-0x000000001CE80000-0x000000001CF29000-memory.dmp

Filesize
676KB

Download
memory/4884-314-0x000000001C8D0000-0x000000001C979000-memory.dmp

Filesize
676KB

Download
memory/4884-315-0x000000001C980000-0x000000001CA4D000-memory.dmp

Filesize
820KB

Download