dcrat | 5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6296cf36bbbbe91b8ff186d18a08afa3.exe
Size

2.4MB
MD5

6296cf36bbbbe91b8ff186d18a08afa3
SHA1

3c71d4099d817731504433785dd2166f81d8ef15
SHA256

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512

773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP

49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	6296cf36bbbbe91b8ff186d18a08afa3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 17 IoCs

pid	Process
3540	ComponentBrowserruntimeHostNet.exe
4080	RuntimeBroker.exe
3848	RuntimeBroker.exe
1476	RuntimeBroker.exe
1900	RuntimeBroker.exe
2576	RuntimeBroker.exe
1252	RuntimeBroker.exe
4304	RuntimeBroker.exe
1708	RuntimeBroker.exe
3680	RuntimeBroker.exe
460	RuntimeBroker.exe
1876	RuntimeBroker.exe
676	RuntimeBroker.exe
2004	RuntimeBroker.exe
1164	RuntimeBroker.exe
1312	RuntimeBroker.exe
2560	RuntimeBroker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\SppExtComObj.exe	ComponentBrowserruntimeHostNet.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\SppExtComObj.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\e1ef82546f0b02	ComponentBrowserruntimeHostNet.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e6c9b481da804f	ComponentBrowserruntimeHostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6296cf36bbbbe91b8ff186d18a08afa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1860	PING.EXE
1160	PING.EXE
4464	PING.EXE
3256	PING.EXE
3868	PING.EXE
1816	PING.EXE
3004	PING.EXE
5112	PING.EXE
2492	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	6296cf36bbbbe91b8ff186d18a08afa3.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
3868	PING.EXE
3004	PING.EXE
1816	PING.EXE
1860	PING.EXE
1160	PING.EXE
4464	PING.EXE
3256	PING.EXE
2492	PING.EXE
5112	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe
3540	ComponentBrowserruntimeHostNet.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	ComponentBrowserruntimeHostNet.exe
Token: SeDebugPrivilege	4080	RuntimeBroker.exe
Token: SeDebugPrivilege	3848	RuntimeBroker.exe
Token: SeDebugPrivilege	1476	RuntimeBroker.exe
Token: SeDebugPrivilege	1900	RuntimeBroker.exe
Token: SeDebugPrivilege	2576	RuntimeBroker.exe
Token: SeDebugPrivilege	1252	RuntimeBroker.exe
Token: SeDebugPrivilege	4304	RuntimeBroker.exe
Token: SeDebugPrivilege	1708	RuntimeBroker.exe
Token: SeDebugPrivilege	3680	RuntimeBroker.exe
Token: SeDebugPrivilege	460	RuntimeBroker.exe
Token: SeDebugPrivilege	1876	RuntimeBroker.exe
Token: SeDebugPrivilege	676	RuntimeBroker.exe
Token: SeDebugPrivilege	2004	RuntimeBroker.exe
Token: SeDebugPrivilege	1164	RuntimeBroker.exe
Token: SeDebugPrivilege	1312	RuntimeBroker.exe
Token: SeDebugPrivilege	2560	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3776	2932	6296cf36bbbbe91b8ff186d18a08afa3.exe	83
PID 2932 wrote to memory of 3776	2932	6296cf36bbbbe91b8ff186d18a08afa3.exe	83
PID 2932 wrote to memory of 3776	2932	6296cf36bbbbe91b8ff186d18a08afa3.exe	83
PID 3776 wrote to memory of 1900	3776	WScript.exe	85
PID 3776 wrote to memory of 1900	3776	WScript.exe	85
PID 3776 wrote to memory of 1900	3776	WScript.exe	85
PID 1900 wrote to memory of 3540	1900	cmd.exe	87
PID 1900 wrote to memory of 3540	1900	cmd.exe	87
PID 3540 wrote to memory of 2228	3540	ComponentBrowserruntimeHostNet.exe	88
PID 3540 wrote to memory of 2228	3540	ComponentBrowserruntimeHostNet.exe	88
PID 2228 wrote to memory of 3532	2228	cmd.exe	90
PID 2228 wrote to memory of 3532	2228	cmd.exe	90
PID 2228 wrote to memory of 3616	2228	cmd.exe	91
PID 2228 wrote to memory of 3616	2228	cmd.exe	91
PID 2228 wrote to memory of 4080	2228	cmd.exe	99
PID 2228 wrote to memory of 4080	2228	cmd.exe	99
PID 4080 wrote to memory of 3032	4080	RuntimeBroker.exe	101
PID 4080 wrote to memory of 3032	4080	RuntimeBroker.exe	101
PID 3032 wrote to memory of 5024	3032	cmd.exe	103
PID 3032 wrote to memory of 5024	3032	cmd.exe	103
PID 3032 wrote to memory of 4908	3032	cmd.exe	104
PID 3032 wrote to memory of 4908	3032	cmd.exe	104
PID 3032 wrote to memory of 3848	3032	cmd.exe	112
PID 3032 wrote to memory of 3848	3032	cmd.exe	112
PID 3848 wrote to memory of 3544	3848	RuntimeBroker.exe	114
PID 3848 wrote to memory of 3544	3848	RuntimeBroker.exe	114
PID 3544 wrote to memory of 2472	3544	cmd.exe	116
PID 3544 wrote to memory of 2472	3544	cmd.exe	116
PID 3544 wrote to memory of 444	3544	cmd.exe	117
PID 3544 wrote to memory of 444	3544	cmd.exe	117
PID 3544 wrote to memory of 1476	3544	cmd.exe	119
PID 3544 wrote to memory of 1476	3544	cmd.exe	119
PID 1476 wrote to memory of 2612	1476	RuntimeBroker.exe	121
PID 1476 wrote to memory of 2612	1476	RuntimeBroker.exe	121
PID 2612 wrote to memory of 1632	2612	cmd.exe	123
PID 2612 wrote to memory of 1632	2612	cmd.exe	123
PID 2612 wrote to memory of 2492	2612	cmd.exe	124
PID 2612 wrote to memory of 2492	2612	cmd.exe	124
PID 2612 wrote to memory of 1900	2612	cmd.exe	129
PID 2612 wrote to memory of 1900	2612	cmd.exe	129
PID 1900 wrote to memory of 5080	1900	RuntimeBroker.exe	131
PID 1900 wrote to memory of 5080	1900	RuntimeBroker.exe	131
PID 5080 wrote to memory of 228	5080	cmd.exe	133
PID 5080 wrote to memory of 228	5080	cmd.exe	133
PID 5080 wrote to memory of 3772	5080	cmd.exe	134
PID 5080 wrote to memory of 3772	5080	cmd.exe	134
PID 5080 wrote to memory of 2576	5080	cmd.exe	136
PID 5080 wrote to memory of 2576	5080	cmd.exe	136
PID 2576 wrote to memory of 1432	2576	RuntimeBroker.exe	138
PID 2576 wrote to memory of 1432	2576	RuntimeBroker.exe	138
PID 1432 wrote to memory of 1100	1432	cmd.exe	140
PID 1432 wrote to memory of 1100	1432	cmd.exe	140
PID 1432 wrote to memory of 3004	1432	cmd.exe	141
PID 1432 wrote to memory of 3004	1432	cmd.exe	141
PID 1432 wrote to memory of 1252	1432	cmd.exe	143
PID 1432 wrote to memory of 1252	1432	cmd.exe	143
PID 1252 wrote to memory of 2628	1252	RuntimeBroker.exe	145
PID 1252 wrote to memory of 2628	1252	RuntimeBroker.exe	145
PID 2628 wrote to memory of 760	2628	cmd.exe	147
PID 2628 wrote to memory of 760	2628	cmd.exe	147
PID 2628 wrote to memory of 1816	2628	cmd.exe	148
PID 2628 wrote to memory of 1816	2628	cmd.exe	148
PID 2628 wrote to memory of 4304	2628	cmd.exe	151
PID 2628 wrote to memory of 4304	2628	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\6296cf36bbbbe91b8ff186d18a08afa3.exe
"C:\Users\Admin\AppData\Local\Temp\6296cf36bbbbe91b8ff186d18a08afa3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
      "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qGdJNRUMld.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3532
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3616
      - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LABVXhA6Sh.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4908
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TFXmW6rvw2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:444
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4evtisdSvL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3772
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L3SaAS0x6v.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HSh65PBXsw.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XcOf3EZBsc.bat"
        19⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xSqhLDmV5E.bat"
        21⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TuuHawadIr.bat"
        23⤵
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1624
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hI88NPPq5Z.bat"
        25⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LABVXhA6Sh.bat"
        27⤵
        
        PID:512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2188
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat"
        29⤵
        
        PID:3788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2204
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"
        31⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4648
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat"
        33⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4464
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX3O4psMNH.bat"
        35⤵
        
        PID:4372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3256
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vD0ZrSnetJ.bat"
        37⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Filesize
112B

MD5
bfbf412350fa794765180eb365d663fb

SHA1
04021ba70227e0a5f7cf29c7b85d0190f82d7f37

SHA256
b7a5da4f22c70794c60b65e06512f5f3f9e2e2803e98a99567ab859fd56f0f60

SHA512
23b6b4429e43f8fe66b0e37908d1a0580a60938281928b7b98c9fc8fb531ab7c61bc426514990b6e97fa6a95d0509e8934b77480725c748ecec20997e4371139

Download Submit
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
bd5df5dc5869453a2501a80c6fc937f4

SHA1
ce691012b4a2a0d75dfb74d54f4f61ab6194ff91

SHA256
c7c51c52d0201decd12006c38608e5e3c935708f5d5014268095040bfae4e479

SHA512
f1a09d8691e0fb0185d14d34bbd664f60d0c3ce4c91d5ad8fceaea98f47b4cec9394def0ef081d24a422ef15c55e2d5ddcd14ae65afb1de6986735398100ea7d

Download Submit
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Filesize
254B

MD5
fce58ab003f289bc419d62ce02f832fb

SHA1
dfa69ae2ce984c05356fba2074172bce822ed518

SHA256
f7a2151aa23631bde2ff93435f0209ec2a3f8f2aff2b9024f75b5e20a70677b9

SHA512
9284e6ed46b9e60329acb0f4829170fc047ff12990d7b7d8a0e0b739b59905a65318dde0f95992b33a930211bd20d1759e745be6a1f4fa2e58b94f58b514171f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4evtisdSvL.bat

Filesize
215B

MD5
7909a691d0605dbef8c9954d0b7d9fab

SHA1
9192c8fdd32b5b8d5446c0181d1b4b06a7b2f749

SHA256
c25a459039c0b5c4505e8dbb96c0a3d676c9d1d7c730e6f47eec6ebca299847b

SHA512
22e3926f9e05bf3a0d9399447b82bf0b8b12ab0a83021c3cb8997c7f9247a647fe41c6a4d66ff725c087e389793d29cf7fc223b06b938e144f543c71e5927a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat

Filesize
167B

MD5
04421c714f0aaf2fad35c3d7f338dfb6

SHA1
b7d115dd75b38a4d5236a95a4b6a2f8af79b15fe

SHA256
eca6fcdcbf1ef4a7b6548dc35bd66494b32613fa9b61aecc166ffd789127f534

SHA512
ffc040bb9538fda71079549a0d1f60d28ab3f43d9e8edc2bbd946b00ed80c49f8b4a655d93a228b219e9942da91d9a4b68287f566483c46d9a113ee0539b84dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat

Filesize
167B

MD5
b97cc58b57f2116a549464a33eb954d1

SHA1
cb1bf6ce51c3926ff36dd2c1ca9929521fa4953c

SHA256
9f1e8fc02750eb93dfc6cc30348073856110803aaee32566feb8058a2e530522

SHA512
b1119150d8509022e455f891b9548357f386a47034b8277b09d2ed4b3ef2c422b9e78e6c9e658e91e1c9998d1e1fb47d134dd93b5833c4ac75f97ded55a6834d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSh65PBXsw.bat

Filesize
167B

MD5
42ac05ba1873d48c5bba6dc6e2ed703e

SHA1
825bfe0c4aa31782a24198a1f5c18632a011c825

SHA256
370c9e062806ee63a6eee32636a31ac1435fa2d15ca5efbea8d3d46247edf2f0

SHA512
bf9b891e4d6a1a12591bb1fc69da288164b9d872d0ae7597aab48e4d98ac2c70e11f278969fd796614e3635c5d81004df534235988b2d3c614fe83462fd63618

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat

Filesize
215B

MD5
74ead6be3c673bd3a5ed9cfc0eadd9c8

SHA1
00cfc6cb122f1a3383dc00226e4f33b84b8b2c66

SHA256
be3dd4305118838674caa22f22517a2a0c853d99b1355e572f43bd41f5a5f112

SHA512
665bc8c169f6be89054165da81d04bb0f575c56b32dce3d48f97847ca9ae699083afde7bed5530826699ebda55799721b48cfc137679eda936f45230dc668093

Download Submit
C:\Users\Admin\AppData\Local\Temp\L3SaAS0x6v.bat

Filesize
167B

MD5
07a0e1769b125a7d8218e104521efb7a

SHA1
3d92b951d8ccb5ddfd6b531aa96af79016b71b24

SHA256
e182f1ce455e5e98d52f69201d80e6558a1c62431e421d52e703868b7c5aa2cb

SHA512
1fff731a11240456d11eaa9296d20a61e61c8598e1656a15a150d5a0fd67fbb8a7dbbb341f0316c140f7e297607a45da99b208e2017a63c3ff653da0ec9355cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LABVXhA6Sh.bat

Filesize
215B

MD5
5a8028f75b6f341b68de5a2adb6cd2a0

SHA1
83d438fe30076baa11c80d7b489b55887dc5ec30

SHA256
e0d19f702ed690b87b3a4d1c47557614a4286fb8d52991c52afeddb6b8154bfb

SHA512
bd4caa9ef69ce1f577fa951c1442e4812bb6a1c3de3aad0c8d750e3efff5c46bda0c86019011bce1fd73ab6766ce3cbadd88e757d14e65b8c181d54464e632b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX3O4psMNH.bat

Filesize
167B

MD5
da8f345282911bc8bab20684a76e2c2d

SHA1
b231ed966020894484015b9aa9ca20fe277899a3

SHA256
d5ba96f11d8cbd3451fdf7c31aabe888dbe441e54f9a05224cef79f461dbdc9f

SHA512
e13817d404dfc8b7b83882d3b83cdbf5f606ad4367a5093865dfd9c6fbcf7e44a91e448543e676e5bc1a8c7f37de6dd5aa0cf43168dddc8963c23b06818eb52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFXmW6rvw2.bat

Filesize
215B

MD5
fa1f09a451ee98f65710b5e0a15b76f4

SHA1
7fae72369954a9af8e1b4e3d989fee1234c188e2

SHA256
1205c73aced9bf53068e7bab47ca4182a5e3ab6b23eb9798109591c035b7d4a2

SHA512
4c7096c1bf5ba2ae9319ea53324dc0d75dfa2e0ebb51e1dd8eba0abba816d2a8f3d6b8b9f416327f4acb807b30faccec43fe05cecfb612d763ae831dd8c5627c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuuHawadIr.bat

Filesize
215B

MD5
b030a6c1af07cece003eac1a281e62d4

SHA1
ac17f3d5cf08b91b1b4fe58a5956e9215046342d

SHA256
2b3eba044cdb8fb15755cf88d91e0178d9298820dfe43f084cd8ec92c4e96136

SHA512
61d3592387f4ebdd7f665f40575f7ae79c9800df7291c63a2f09749233c80853b49e821345483aa3f64954391e45bfeac764eb0a1178bc82b8e41dd81f6e6ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcOf3EZBsc.bat

Filesize
167B

MD5
04d67a05e9fb476723b371717a6a88fd

SHA1
41264550859f778be92c0f249c4833ee299bb9a2

SHA256
147477aee070c44742ea3513a2a10dd9053ddc524707e9b54f019989b815b1fd

SHA512
8edcd5b9cb021f39fa22e1471003f8628da4ba6600206d58bd74c08370bf247f176362a983edf9a3e3c12f461cb58c324d96beb4fcb2dcb474b35913083ed96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hI88NPPq5Z.bat

Filesize
167B

MD5
601c42869d42e33605a08f0122e6e9ee

SHA1
8c4e4fee72c23cde536bd0badc0f2fc32925cb21

SHA256
c8d57393e1a8f146e0fe23ef09003df5ca52a358ded70c40216b98ffe1ca2ab0

SHA512
838319f3fe90380299ac82d56b4a0ee0359c7faf4793b0c03c125e4102c6c69b7736ab1f3585ba1c86b0dd09b8f298b3a103de3bf82d8b8361967e50532460f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat

Filesize
215B

MD5
e34d7dc293008ddcd3ac7e97fceff899

SHA1
76b2bb0fb0838bd88fcbc8e2d4466578eeb8774b

SHA256
b218035d91471ff8e84dac2108fa8915433a1e270a75d851455b64c5a5c5e417

SHA512
7e8eb6256e4ff76faf0063237db80d4818ec265f944a304ad67c7d03ae1e107c2060e644afb19904d8f4a6626a460b0b549e4c26f64934a503cf29e2400dfe65

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGdJNRUMld.bat

Filesize
215B

MD5
f84f4acffc00cc2983f8d49bd1ff5b38

SHA1
ad756132cec39cb9af00d32eedeab18415650dc3

SHA256
3e5456fcc020be83809ec0d1cb8c243dc0322e28147417e2d0debc7bfd66fa6e

SHA512
75906f22de681c9365e196066662a0c9072b749005d67891223cd152cfd363218db48148ecd276d589c8cd7fb1af09dcc8e61fb56014af99b284bf194f2558d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vD0ZrSnetJ.bat

Filesize
167B

MD5
c1a2cfa4501d73f04a338a8228370eb3

SHA1
545c2a2bcafab7cca1643e23812719140128bb9b

SHA256
000495a5b94fede89fa548a93c0b4079d134658dbe3c7f5f43ea83fd8e9337a1

SHA512
fe2b176785abfbafc51a0e3ebe3c78a8beb091336791ddb6ceead6e1ce8e64208ad5cc92c20baf9816168afabe211faac5b0454cda8f919d0c86ee85e296ecbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSqhLDmV5E.bat

Filesize
167B

MD5
f65f3828ae8e8bc981c37b7db40d732e

SHA1
855852809e432e2a1139bb7c1f23d309e024eabd

SHA256
8cabeea6eb732d31c00c95ec38a73a1b5ded6c7cd337b5e701c6d90c987f956b

SHA512
3c16e3dafd2eb87e83dd4b10e667c562871a3e7a590b93f1f869176b381d6f92ad64b2011627cb25a39d6cfa56c43a8b12961098072f9d46cb6a9c24531ee0ef

Download Submit
memory/3540-22-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/3540-20-0x000000001B840000-0x000000001B858000-memory.dmp

Filesize
96KB

Download
memory/3540-18-0x000000001BAC0000-0x000000001BB10000-memory.dmp

Filesize
320KB

Download
memory/3540-17-0x000000001B820000-0x000000001B83C000-memory.dmp

Filesize
112KB

Download
memory/3540-15-0x000000001B660000-0x000000001B66E000-memory.dmp

Filesize
56KB

Download
memory/3540-13-0x0000000000910000-0x0000000000AEA000-memory.dmp

Filesize
1.9MB

Download
memory/3540-12-0x00007FFD6E7F3000-0x00007FFD6E7F5000-memory.dmp

Filesize
8KB

Download