Overview

overview

10

Static

static

10

bot.exe

windows7-x64

10

bot.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bot.exe

  • Size

    3.2MB

  • MD5

    d9f7208d0116dcde22ece5048ac6c37d

  • SHA1

    f9b23d695bb875f032292983fe537c48bc02a657

  • SHA256

    15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee

  • SHA512

    152289834cfcf4fc78bd0799a78752587b06dd1c839ee46e050a03c99e1d527de995bd9430fbaee6da3d999293f00dbaa1d07736137e08c7740d5edb7263b114

  • SSDEEP

    49152:ubA3j4Ovfe+uuyV5rPOf82wtPXbGuTVHXZiyF3U5zKY7SeVZ9:ubSvfmV5kjwVbLXq5zKY9VZ9

Score
10/10
dcratdiscoveryevasioninfostealerratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\bot.exe
    "C:\Users\Admin\AppData\Local\Temp\bot.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
          "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3900
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3772
              • C:\Recovery\WindowsRE\RuntimeBroker.exe
                "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:5056
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d72c47b-6d5b-4bdb-a39b-a7eafa4d339a.vbs"
                  7⤵
                    PID:4464
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993f3783-6b5e-4c5b-b882-c5bf3e716e2d.vbs"
                    7⤵
                      PID:3732
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13208/
                      7⤵
                      • Enumerates system info in registry
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:3124
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9442b46f8,0x7ff9442b4708,0x7ff9442b4718
                        8⤵
                          PID:3408
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
                          8⤵
                            PID:4584
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
                            8⤵
                              PID:5068
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
                              8⤵
                                PID:460
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                                8⤵
                                  PID:3952
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
                                  8⤵
                                    PID:3788
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                    8⤵
                                      PID:5256
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
                                      8⤵
                                        PID:5404
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
                                        8⤵
                                          PID:5620
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
                                          8⤵
                                            PID:5840
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                                            8⤵
                                              PID:5848
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                                              8⤵
                                                PID:5860
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
                                                8⤵
                                                  PID:6104
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
                                                  8⤵
                                                    PID:2880
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
                                                    8⤵
                                                      PID:5548
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17787883000380641429,9047125881494543526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
                                                      8⤵
                                                        PID:5676
                                              • C:\Windows\SysWOW64\reg.exe
                                                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry key
                                                PID:544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3080
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2884
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3280
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2904
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4604
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2864
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Saved Pictures\backgroundTaskHost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2484
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\Saved Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2228
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3988
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2156
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2880
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1960
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3324
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2028
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2212
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4796
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\SearchApp.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2912
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\SearchApp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4468
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\SearchApp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3772
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3580
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2840
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4032
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3876
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3992
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:2696
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:2880
                                            • C:\Windows\system32\wbem\WmiApSrv.exe
                                              C:\Windows\system32\wbem\WmiApSrv.exe
                                              1⤵
                                                PID:4972

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Reconnaissance

                                              Resource Development

                                              Initial Access

                                              Execution

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Persistence

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Privilege Escalation

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Defense Evasion

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Impair Defenses

                                              1
                                              T1562

                                              Disable or Modify Tools

                                              1
                                              T1562.001

                                              Modify Registry

                                              3
                                              T1112

                                              Credential Access

                                              Credentials from Password Stores

                                              1
                                              T1555

                                              Credentials from Web Browsers

                                              1
                                              T1555.003

                                              Unsecured Credentials

                                              1
                                              T1552

                                              Credentials In Files

                                              1
                                              T1552.001

                                              Discovery

                                              Browser Information Discovery

                                              1
                                              T1217

                                              Query Registry

                                              3
                                              T1012

                                              System Information Discovery

                                              4
                                              T1082

                                              System Location Discovery

                                              1
                                              T1614

                                              System Language Discovery

                                              1
                                              T1614.001

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              1
                                              T1005

                                              Command and Control

                                              Exfiltration

                                              Impact

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Program Files (x86)\Windows NT\Accessories\RCXED56.tmp
                                                Filesize

                                                2.8MB

                                                MD5

                                                5cda084243dbc6380dc06e48df1d69f1

                                                SHA1

                                                ab0be390dfaf3db224cefce7931cf5a898e2607c

                                                SHA256

                                                72aa0a0180397c111e045f0991a0ba0006754c20b37720c54b0c1278a39ab863

                                                SHA512

                                                23fdf97edc98ab5a880b13b142b9a735a0fcbf571c832fadfb64e435e53a7b04d77d05d2b1a920d38eaa027eb68f485881042b784e23e147fed30fa710dae386

                                                Download Submit

                                              • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\SearchApp.exe
                                                Filesize

                                                2.8MB

                                                MD5

                                                3c27f86ca9706cf41a2c7604a3181fb5

                                                SHA1

                                                82c9a59d91b0f60c43fb6cef3fb0b17cb17179ea

                                                SHA256

                                                64786455abcd9320548af07eff22be9e4ba0aebd4744d4b2522c793e185f36c0

                                                SHA512

                                                3a1c255b7c03f7eeb5665171ae6850a5721bf4b886117aed3f1db7af75ab9e9fb67507c13acfb4274d935da0e3ddc520dd73e159977b72f368cd580bb21d1f52

                                                Download Submit

                                              • C:\Recovery\WindowsRE\RCXD837.tmp
                                                Filesize

                                                2.8MB

                                                MD5

                                                4fbc1aa1b27521d565072c6deeb57095

                                                SHA1

                                                91818e19accdd2c79c11f139eaa3db9c3158f3ae

                                                SHA256

                                                3b8f08b74dce788d8c3cab300ce544d9682b8fc12fabd19f9d010e2b70ba815a

                                                SHA512

                                                b2950287141c7f3521c496dad2a0e3e56b0227e4711dbc4c7c7edbb9ee7672411e6a590ae099e398c846987ed8c9f0c682a699fbddc5ff9fb1b75695d68a52e0

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                443a627d539ca4eab732bad0cbe7332b

                                                SHA1

                                                86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                                SHA256

                                                1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                                SHA512

                                                923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                99afa4934d1e3c56bbce114b356e8a99

                                                SHA1

                                                3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                                SHA256

                                                08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                                SHA512

                                                76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                5KB

                                                MD5

                                                f6936be237e1af91647c9ad44bfe616b

                                                SHA1

                                                d836dc38e78379e58c4bff7a648600c68ddd1ce4

                                                SHA256

                                                0ab5666ddbb0e02334cb13290ae346c1c555b3e405ed29427372b2f9c4601788

                                                SHA512

                                                c7ea70fcd97929a4c690700ba092ba3a35af5cf7c291459b02fec87a52d3748468690a3d3670ff31238814ed826534ed137009bf5311e8d2e9ff618d18e6c0d9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                5ea5fc29f5107651b28203f31cd8264b

                                                SHA1

                                                82e9f935b5ea0c792942c7de57ad074088c90771

                                                SHA256

                                                49d487e507a79eb06c8427f147bd166f338405383a997ce24c61ef73d4fff3f0

                                                SHA512

                                                e0582a524b6d1a40f009aa920fd59543edbc9a1a80805b16ce84ceef3556c24512f63c9c9538a5d18d7e12292aaee54c5dadaf7db503ae6c86f07ec6b7cb913d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                603070122dabdf15d870c61c5ebd2c5b

                                                SHA1

                                                a41d36a1c6142c640f142777e963030b67b7624d

                                                SHA256

                                                36484fe5ce6924ceeab618b50063076f387b6588296aca027d4fd28ee0d30fa7

                                                SHA512

                                                5173f9ea2f8dc6d99a084e99e8b1a0f257cb161e5973de9a383f4656e90a4ac11c8a66ade704bcded8bf0a085debadbe71c923711a4ddbc82ef59bfbbda8f3c5

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                206702161f94c5cd39fadd03f4014d98

                                                SHA1

                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                SHA256

                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                SHA512

                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                46295cac801e5d4857d09837238a6394

                                                SHA1

                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                SHA256

                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                SHA512

                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                1b1562b26799b8c48fb4cac618dc09c6

                                                SHA1

                                                6b8c34f2041c9415f50283eacba1552f31438831

                                                SHA256

                                                8f82370a59b3b4c54a77dff08919f0474e079263464f3e26d2bcb865c18bbb33

                                                SHA512

                                                2aa9e12a5f5e35c4efa947282a40803bfd62a414bd72c50821d5dcb333e11c99aeaf4a81f7cd482e64050c73466771646cb83cf999cb4bc3095ba29d4773b6b2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\4d72c47b-6d5b-4bdb-a39b-a7eafa4d339a.vbs
                                                Filesize

                                                715B

                                                MD5

                                                30fc01150f183af0858e33b2035e3cee

                                                SHA1

                                                e3e5cb75136c3d4fc28386d85597993d21056822

                                                SHA256

                                                dbb379553215f4e6c7b9e600b47bf83fe8e33bd937b102f938ff3981a0e9681f

                                                SHA512

                                                951bc48324d7e62182f963bea7a25b700aba8e3ff0c872eba65e6767c182ff05677eb0c10434efd168786673ae08a077005a6123026ae364812dd13f5fcd658b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\993f3783-6b5e-4c5b-b882-c5bf3e716e2d.vbs
                                                Filesize

                                                491B

                                                MD5

                                                f11b9209f270974b490a736f8061f7f3

                                                SHA1

                                                461a150e86f65a8869c9da80bc00ffcb1cfad5db

                                                SHA256

                                                4a14d4606d5b1f029b5a95e1bfe4f06a21fe1b6ccf6f6249d2bb48c7d39319c8

                                                SHA512

                                                6303fb085ff3e2f2c58b2f9d99ddc5cf629f5ed10eb74527729448a662d6d82c2ba65a9811d5e65b45705f984a371a716b6ad609cbeec7ad86ccc68b6c5932a7

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat
                                                Filesize

                                                204B

                                                MD5

                                                4db5caeed90f70e97f551b4e762114cc

                                                SHA1

                                                13927a8e944ab6a7c13f17b8dd9241e9674d320c

                                                SHA256

                                                a6d2ec929dc95344ba26b194b9639ab62e836168b9c7fb2925a057d58d4ca730

                                                SHA512

                                                357a9d2606eb7fafb8182a95a0ab7161a612a7bb0cbfa43f6df6d61233ab7e4427353e05c453bc7b75592988927234590127efd01667a054955d2e663b00b890

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
                                                Filesize

                                                2.8MB

                                                MD5

                                                e5cc3d0de29f576e27666e7c6738a584

                                                SHA1

                                                29bb5d5edfa88565a2ef1b30ca3921167e5fb637

                                                SHA256

                                                eec25bbb0c3ea26e79b4162e8b1a1aa42b9f6b83d2fc710865001cf8750fe24b

                                                SHA512

                                                dfd555f50e1dbf31dfce1f95167911697409b4586a25cf4fb88cda430ffc5ac2d2273e12678a7f9cdf26b4909f1d6022497d8c351ea0ba94b34f1085c53bc8fa

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe
                                                Filesize

                                                224B

                                                MD5

                                                980b8c4323c6a30adefa83e5889189eb

                                                SHA1

                                                da4a52e22d8f64ac9e7b86a48100af08aed9ba6b

                                                SHA256

                                                20b473780053528b67968274f63a4fd23cbf74e019b7532e0acb5d5b9fdaa2d4

                                                SHA512

                                                2c82f4449d8aad3b41eea51771149b6b7f2eb64f995b7589f8f195274d3c1faa05fcb179c5bb1fc3f0589d4f4725d78cd63f33b55fe173c10137ee5b3dcc837d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat
                                                Filesize

                                                159B

                                                MD5

                                                3765c22496f7fd5eabd91a49ef3156dd

                                                SHA1

                                                d4f01e65b1f02fa044042350660cf7786fb708b8

                                                SHA256

                                                21bced2882fcd08eddd626fcfd74964fb4387ce489d6a42d382c016f05b36564

                                                SHA512

                                                7d74455d1b9ce74efb82be9c1b8ca1b0c4d887a0a7c3afe1b2a39652c2fe1331ac16d564c0e4bf2ce6c5b0fb3650b9a5506c9fb322cbb069f30b1a09d0889a00

                                                Download Submit

                                              • memory/3900-34-0x000000001BDD0000-0x000000001BDDA000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3900-29-0x000000001BB90000-0x000000001BB9C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-37-0x000000001BE00000-0x000000001BE0C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-39-0x000000001BE20000-0x000000001BE2C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-36-0x000000001BDF0000-0x000000001BDF8000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-35-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

                                                Filesize

                                                56KB

                                                Download

                                              • memory/3900-32-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-33-0x000000001BE40000-0x000000001BE48000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-30-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-24-0x000000001B510000-0x000000001B518000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-15-0x000000001B4C0000-0x000000001B510000-memory.dmp

                                                Filesize

                                                320KB

                                                Download

                                              • memory/3900-17-0x0000000001260000-0x0000000001270000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/3900-14-0x0000000000E90000-0x0000000000EAC000-memory.dmp

                                                Filesize

                                                112KB

                                                Download

                                              • memory/3900-31-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-28-0x000000001C0C0000-0x000000001C5E8000-memory.dmp

                                                Filesize

                                                5.2MB

                                                Download

                                              • memory/3900-38-0x000000001BE10000-0x000000001BE18000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-222-0x00007FF94B2D3000-0x00007FF94B2D5000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/3900-26-0x000000001B540000-0x000000001B548000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-12-0x00007FF94B2D3000-0x00007FF94B2D5000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/3900-27-0x000000001BB60000-0x000000001BB72000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3900-25-0x000000001B520000-0x000000001B52C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-18-0x00000000028F0000-0x0000000002906000-memory.dmp

                                                Filesize

                                                88KB

                                                Download

                                              • memory/3900-19-0x0000000001270000-0x0000000001278000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-21-0x0000000002A70000-0x0000000002A7A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3900-23-0x0000000002A80000-0x0000000002A8C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3900-22-0x000000001B470000-0x000000001B4C6000-memory.dmp

                                                Filesize

                                                344KB

                                                Download

                                              • memory/3900-20-0x0000000002910000-0x0000000002918000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-16-0x0000000001250000-0x0000000001258000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3900-13-0x0000000000500000-0x00000000007E0000-memory.dmp

                                                Filesize

                                                2.9MB

                                                Download

                                              • memory/5056-244-0x000000001CBA0000-0x000000001CBF6000-memory.dmp

                                                Filesize

                                                344KB

                                                Download