dcrat | 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Size

3.5MB
MD5

6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1

0eba0dd22b3f5053798eba26e027ef7383602774
SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512

f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP

98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

backgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 12 IoCs

Processes:

backgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

pid	Process
2412	backgroundTaskHost.exe
2080	backgroundTaskHost.exe
4628	backgroundTaskHost.exe
3952	backgroundTaskHost.exe
3680	backgroundTaskHost.exe
4612	backgroundTaskHost.exe
3044	backgroundTaskHost.exe
1128	backgroundTaskHost.exe
2788	backgroundTaskHost.exe
4052	backgroundTaskHost.exe
1608	backgroundTaskHost.exe
2788	backgroundTaskHost.exe

Drops file in Program Files directory 4 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\29c1c3cc0f7685	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Mozilla Firefox\fontdrvhost.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Program Files\Mozilla Firefox\5b884080fd4f94	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Drops file in Windows directory 2 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\taskhostw.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Windows\IdentityCRL\production\ea9f0e6c9e2dcd	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
460	PING.EXE
2676	PING.EXE
2948	PING.EXE
392	PING.EXE
3532	PING.EXE
3812	PING.EXE
4532	PING.EXE
4436	PING.EXE

Modifies registry class 13 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	backgroundTaskHost.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4436	PING.EXE
460	PING.EXE
2676	PING.EXE
2948	PING.EXE
392	PING.EXE
3532	PING.EXE
3812	PING.EXE
4532	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

pid	Process
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2412	backgroundTaskHost.exe
Token: SeDebugPrivilege	2080	backgroundTaskHost.exe
Token: SeDebugPrivilege	4628	backgroundTaskHost.exe
Token: SeDebugPrivilege	3952	backgroundTaskHost.exe
Token: SeDebugPrivilege	3680	backgroundTaskHost.exe
Token: SeDebugPrivilege	4612	backgroundTaskHost.exe
Token: SeDebugPrivilege	3044	backgroundTaskHost.exe
Token: SeDebugPrivilege	1128	backgroundTaskHost.exe
Token: SeDebugPrivilege	2788	backgroundTaskHost.exe
Token: SeDebugPrivilege	4052	backgroundTaskHost.exe
Token: SeDebugPrivilege	1608	backgroundTaskHost.exe
Token: SeDebugPrivilege	2788	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exe

description	pid	Process	procid_target
PID 4708 wrote to memory of 3408	4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	87
PID 4708 wrote to memory of 3408	4708	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	87
PID 3408 wrote to memory of 4844	3408	cmd.exe	89
PID 3408 wrote to memory of 4844	3408	cmd.exe	89
PID 3408 wrote to memory of 2200	3408	cmd.exe	90
PID 3408 wrote to memory of 2200	3408	cmd.exe	90
PID 3408 wrote to memory of 2412	3408	cmd.exe	91
PID 3408 wrote to memory of 2412	3408	cmd.exe	91
PID 2412 wrote to memory of 208	2412	backgroundTaskHost.exe	96
PID 2412 wrote to memory of 208	2412	backgroundTaskHost.exe	96
PID 208 wrote to memory of 2332	208	cmd.exe	98
PID 208 wrote to memory of 2332	208	cmd.exe	98
PID 208 wrote to memory of 460	208	cmd.exe	99
PID 208 wrote to memory of 460	208	cmd.exe	99
PID 208 wrote to memory of 2080	208	cmd.exe	104
PID 208 wrote to memory of 2080	208	cmd.exe	104
PID 2080 wrote to memory of 3496	2080	backgroundTaskHost.exe	106
PID 2080 wrote to memory of 3496	2080	backgroundTaskHost.exe	106
PID 3496 wrote to memory of 60	3496	cmd.exe	108
PID 3496 wrote to memory of 60	3496	cmd.exe	108
PID 3496 wrote to memory of 2676	3496	cmd.exe	109
PID 3496 wrote to memory of 2676	3496	cmd.exe	109
PID 3496 wrote to memory of 4628	3496	cmd.exe	110
PID 3496 wrote to memory of 4628	3496	cmd.exe	110
PID 4628 wrote to memory of 2608	4628	backgroundTaskHost.exe	111
PID 4628 wrote to memory of 2608	4628	backgroundTaskHost.exe	111
PID 2608 wrote to memory of 3984	2608	cmd.exe	113
PID 2608 wrote to memory of 3984	2608	cmd.exe	113
PID 2608 wrote to memory of 1580	2608	cmd.exe	114
PID 2608 wrote to memory of 1580	2608	cmd.exe	114
PID 2608 wrote to memory of 3952	2608	cmd.exe	115
PID 2608 wrote to memory of 3952	2608	cmd.exe	115
PID 3952 wrote to memory of 4540	3952	backgroundTaskHost.exe	116
PID 3952 wrote to memory of 4540	3952	backgroundTaskHost.exe	116
PID 4540 wrote to memory of 4528	4540	cmd.exe	118
PID 4540 wrote to memory of 4528	4540	cmd.exe	118
PID 4540 wrote to memory of 1328	4540	cmd.exe	119
PID 4540 wrote to memory of 1328	4540	cmd.exe	119
PID 4540 wrote to memory of 3680	4540	cmd.exe	120
PID 4540 wrote to memory of 3680	4540	cmd.exe	120
PID 3680 wrote to memory of 436	3680	backgroundTaskHost.exe	123
PID 3680 wrote to memory of 436	3680	backgroundTaskHost.exe	123
PID 436 wrote to memory of 4636	436	cmd.exe	125
PID 436 wrote to memory of 4636	436	cmd.exe	125
PID 436 wrote to memory of 2948	436	cmd.exe	126
PID 436 wrote to memory of 2948	436	cmd.exe	126
PID 436 wrote to memory of 4612	436	cmd.exe	127
PID 436 wrote to memory of 4612	436	cmd.exe	127
PID 4612 wrote to memory of 2436	4612	backgroundTaskHost.exe	128
PID 4612 wrote to memory of 2436	4612	backgroundTaskHost.exe	128
PID 2436 wrote to memory of 636	2436	cmd.exe	130
PID 2436 wrote to memory of 636	2436	cmd.exe	130
PID 2436 wrote to memory of 392	2436	cmd.exe	131
PID 2436 wrote to memory of 392	2436	cmd.exe	131
PID 2436 wrote to memory of 3044	2436	cmd.exe	132
PID 2436 wrote to memory of 3044	2436	cmd.exe	132
PID 3044 wrote to memory of 2896	3044	backgroundTaskHost.exe	133
PID 3044 wrote to memory of 2896	3044	backgroundTaskHost.exe	133
PID 2896 wrote to memory of 3108	2896	cmd.exe	135
PID 2896 wrote to memory of 3108	2896	cmd.exe	135
PID 2896 wrote to memory of 3532	2896	cmd.exe	136
PID 2896 wrote to memory of 3532	2896	cmd.exe	136
PID 2896 wrote to memory of 1128	2896	cmd.exe	140
PID 2896 wrote to memory of 1128	2896	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jszP8stzPH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4844
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2200
- - C:\Users\Public\AccountPictures\backgroundTaskHost.exe
    "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2332
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:460
    - - C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:60
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1580
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWxYzFHQ21.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1328
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:392
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3532
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        18⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3812
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"
        20⤵
        
        PID:4344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4860
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
        22⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2372
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat"
        24⤵
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Users\Public\AccountPictures\backgroundTaskHost.exe
        
        "C:\Users\Public\AccountPictures\backgroundTaskHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"
        26⤵
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat

Filesize
182B

MD5
6297e7d5ecc85fec0e54cc067581ca74

SHA1
02e450000d6f147cc467c93c1ed74a8f90162a91

SHA256
f9697dc4769e5d47c2b861862203b862dea22bfca94915b20811c98a056ef6f8

SHA512
c808a01d426645f16fe173ce03291f7b6e1d145cb2ef8b1dbd50392b45f096cdf3b7bdec4bd7bee9a518a414f0c80586014e40101ea09fbf00c3bf61146dddc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

Filesize
230B

MD5
6377ec5e1c3b8622f324ea625626af6b

SHA1
80860efea595ed72d5457c28a399831c1aa30c23

SHA256
c194b882b23e677916461f9195a97ca9b9fe78a4571d58fa81a0b90f9671c9f2

SHA512
7b0689774ee3586c10508dd707c2324de6bbb87e7adf8843ea7195aa006f5d34d2ebefa82d73f8c32e4bc74f3647fc19f505b415a326061dcfbf853cb72aabb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

Filesize
182B

MD5
579ddf83684ba55a7adda6c240c37911

SHA1
6f5516e7c28ded0699ebb175b6a91636a4e631af

SHA256
2c4e4bbc58f95edded30b2a6647aeaa212fb25888dd9d1c3ee5c7a62734f05df

SHA512
4447c44b3de60bbed6ea3751bb4f2561d56c94ac8fc3beeb82c792b8c86534635d6b4377990b270f71ca85b19583bcf996622ea4f3819585546c3cadfa59a281

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat

Filesize
182B

MD5
f47676aa5caf45a862265600f87badeb

SHA1
a927b76c2649afff665c44e01e0aa70290ec8c87

SHA256
fc7ca33027cfa7a8d05fd90a0c5b45d8d209a1320da79cb2b16806e1b680778e

SHA512
1657af6beeb65862dd4c8e4ba195803e684a5222b8905d3dad073db31a18cd13cf0a5178f87b365635bc061c405954eae7d4f92eb52a8057afa233204c9f87f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat

Filesize
230B

MD5
902fcb2b060f9511830ea1e883af5782

SHA1
7a60a9d1bbc89f25574bfb0ee537d7f2abb3f83f

SHA256
58d5bbfe247a55871105c25bb7e644b7bc4bf870313ff70d4942e1a5b616e986

SHA512
4b8c7a536f179e74f5182983abb486072342ea152fe64328de42435a283fb79776b090359fd9d9a331aad2b4ddde8cf5e7617cd4489439a043985b3db8721379

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat

Filesize
182B

MD5
318581eb7c0682cfa68c2896453b54d0

SHA1
e0139e6f1701983f82d151627d106bd3b0aaa621

SHA256
89e1a9acd7924984cd68b355d10021e9f9f78c1afd9b6beac3130939a419fffa

SHA512
6a1f0fd9c0113d5a5a46c5777d9b0e03beed320e8fe5b0ff42f7d0cbd63a43d18c9aaa32cf9e42fc8c109a34679656487df12c9de363972ae7cec07212c2ac04

Download Submit
C:\Users\Admin\AppData\Local\Temp\jszP8stzPH.bat

Filesize
230B

MD5
963779672271214a08958b2f3b292a83

SHA1
141f7c06e9f1499421e3e44f21ac9285bb0e62b6

SHA256
3ab1af6d364ff0a2df8b080d219a4cbbe575ccaaabfd368eaa985345871f05e3

SHA512
43426808c0c64a571adc8bb80fb014b1f12bd58a5cd2dc8b62d4f89c75e636c8da142461e428dbec36b076300ae103b7158297a813a551f709a56775c4e47f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
182B

MD5
3f5774a125a5114a5f39e87ff7b4bf83

SHA1
a45d9ffc9029e74f321892e49f5c8b218972aa99

SHA256
4c727a04460b77729e865e1a0abdf04cc2542ae2d50c03d6a07167f342c2f5cc

SHA512
969d804ee93af9023dc902a7ddff2c27fa5f44aef16b14fa99517c19fadf1f5f5ee9cce417f1fe4eb1fe0783e8e6aec4df1b1eaeb81917bc335365d7081470b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat

Filesize
182B

MD5
37eaf9e07d0fc94b8297d2ce7e7a4e11

SHA1
cde06585ca490ebc5eb24ea353e5199043901522

SHA256
861ff7aedb09565f0dba587bc448b315d8272606112e893b0d114bd4ab3d5f29

SHA512
665b6232a8a9757d2c742d15475fd580e113e304127f2cd6755e47d596e82040cdcabc1605fd46a1fd9200b880837ebb1cf5a3df5f8fbeef6ebcdbf654e28337

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat

Filesize
230B

MD5
36a3c608902bc3dc4e2c47530f03deaa

SHA1
d75cd63aafd81185d3f2a27aa8134fcdbb52014e

SHA256
136afdfa10df4366f5b891a606b0082a77097ad0767084765ef8a4c3393df6d5

SHA512
9258a99069af7abd22361bfcd2e9b61ffccb4eaa4242c7ade7fc530e90e302661395ba29108bceb2bd97fe6c66caa7a8d4be9a1056f356c94368e019c9abbe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWxYzFHQ21.bat

Filesize
230B

MD5
1c8f15107f14079883711c9b820b3b35

SHA1
6b2f4d6ec38113588319b31fc2691245799e78ac

SHA256
9ae9571d43551ebf3a36fe5021784a4672ae2c530b65654a7fa97d3c23e4d60e

SHA512
ad69863b936b1b063ab9413d8d17ea2b3df36fde8b791f3c5e243ca13e9f1f257b47fdc206af6a8321a2f9b32c427a10344452e176ed80210e59382557c8c3bd

Download Submit
C:\Windows\IdentityCRL\production\taskhostw.exe

Filesize
3.5MB

MD5
6c5f6433bae4cbf3dc2d1fd40b716b08

SHA1
0eba0dd22b3f5053798eba26e027ef7383602774

SHA256
9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

SHA512
f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

Download Submit
memory/1128-305-0x000000001C660000-0x000000001C72D000-memory.dmp

Filesize
820KB

Download
memory/1608-389-0x000000001BD00000-0x000000001BDCD000-memory.dmp

Filesize
820KB

Download
memory/2080-137-0x000000001C840000-0x000000001C90D000-memory.dmp

Filesize
820KB

Download
memory/2412-102-0x000000001C320000-0x000000001C3ED000-memory.dmp

Filesize
820KB

Download
memory/2412-108-0x000000001C320000-0x000000001C3ED000-memory.dmp

Filesize
820KB

Download
memory/2788-417-0x000000001C470000-0x000000001C53D000-memory.dmp

Filesize
820KB

Download
memory/2788-333-0x000000001BB40000-0x000000001BC0D000-memory.dmp

Filesize
820KB

Download
memory/3044-277-0x000000001BB20000-0x000000001BBED000-memory.dmp

Filesize
820KB

Download
memory/3680-221-0x000000001BF70000-0x000000001C03D000-memory.dmp

Filesize
820KB

Download
memory/3952-193-0x000000001C290000-0x000000001C35D000-memory.dmp

Filesize
820KB

Download
memory/4052-361-0x000000001C3B0000-0x000000001C47D000-memory.dmp

Filesize
820KB

Download
memory/4612-249-0x000000001BE00000-0x000000001BECD000-memory.dmp

Filesize
820KB

Download
memory/4628-165-0x000000001BA60000-0x000000001BB2D000-memory.dmp

Filesize
820KB

Download
memory/4708-23-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4708-24-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-42-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/4708-43-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-45-0x000000001BA20000-0x000000001BA30000-memory.dmp

Filesize
64KB

Download
memory/4708-48-0x000000001BF30000-0x000000001BF8A000-memory.dmp

Filesize
360KB

Download
memory/4708-46-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-50-0x000000001BED0000-0x000000001BEDE000-memory.dmp

Filesize
56KB

Download
memory/4708-52-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

Filesize
64KB

Download
memory/4708-54-0x000000001BEF0000-0x000000001BEFE000-memory.dmp

Filesize
56KB

Download
memory/4708-56-0x000000001BF90000-0x000000001BFA8000-memory.dmp

Filesize
96KB

Download
memory/4708-58-0x000000001C000000-0x000000001C04E000-memory.dmp

Filesize
312KB

Download
memory/4708-38-0x000000001C400000-0x000000001C928000-memory.dmp

Filesize
5.2MB

Download
memory/4708-75-0x000000001CC80000-0x000000001CD4D000-memory.dmp

Filesize
820KB

Download
memory/4708-77-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-40-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

Filesize
56KB

Download
memory/4708-36-0x000000001BEB0000-0x000000001BEC2000-memory.dmp

Filesize
72KB

Download
memory/4708-34-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-33-0x000000001BE90000-0x000000001BEA6000-memory.dmp

Filesize
88KB

Download
memory/4708-37-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-31-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/4708-28-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/4708-29-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-26-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

Filesize
56KB

Download
memory/4708-0-0x00007FFBF6CA3000-0x00007FFBF6CA5000-memory.dmp

Filesize
8KB

Download
memory/4708-18-0x000000001B9A0000-0x000000001B9B8000-memory.dmp

Filesize
96KB

Download
memory/4708-19-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-21-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4708-14-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-16-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4708-12-0x000000001B980000-0x000000001B99C000-memory.dmp

Filesize
112KB

Download
memory/4708-13-0x000000001BE40000-0x000000001BE90000-memory.dmp

Filesize
320KB

Download
memory/4708-10-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/4708-8-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-7-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-6-0x000000001B950000-0x000000001B976000-memory.dmp

Filesize
152KB

Download
memory/4708-4-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-3-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-2-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4708-1-0x0000000000980000-0x0000000000D06000-memory.dmp

Filesize
3.5MB

Download