dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3512-1-0x0000000000C40000-0x0000000000CC0000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0008000000023bdd-11.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 19 IoCs

pid	Process
4580	lsass.exe
32	lsass.exe
3260	lsass.exe
2724	lsass.exe
5080	lsass.exe
1900	lsass.exe
2892	lsass.exe
4036	lsass.exe
2052	lsass.exe
2460	lsass.exe
4180	lsass.exe
4820	lsass.exe
2700	lsass.exe
4324	lsass.exe
4900	lsass.exe
1884	lsass.exe
4680	lsass.exe
2124	lsass.exe
4204	lsass.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\OfficeClickToRun.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2984	PING.EXE
4812	PING.EXE
464	PING.EXE
1808	PING.EXE
532	PING.EXE
2944	PING.EXE
4824	PING.EXE
4888	PING.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
4812	PING.EXE
464	PING.EXE
1808	PING.EXE
532	PING.EXE
2944	PING.EXE
4824	PING.EXE
4888	PING.EXE
2984	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Token: SeDebugPrivilege	4580	lsass.exe
Token: SeDebugPrivilege	32	lsass.exe
Token: SeDebugPrivilege	3260	lsass.exe
Token: SeDebugPrivilege	2724	lsass.exe
Token: SeDebugPrivilege	5080	lsass.exe
Token: SeDebugPrivilege	1900	lsass.exe
Token: SeDebugPrivilege	2892	lsass.exe
Token: SeDebugPrivilege	4036	lsass.exe
Token: SeDebugPrivilege	2052	lsass.exe
Token: SeDebugPrivilege	2460	lsass.exe
Token: SeDebugPrivilege	4180	lsass.exe
Token: SeDebugPrivilege	4820	lsass.exe
Token: SeDebugPrivilege	2700	lsass.exe
Token: SeDebugPrivilege	4324	lsass.exe
Token: SeDebugPrivilege	4900	lsass.exe
Token: SeDebugPrivilege	1884	lsass.exe
Token: SeDebugPrivilege	4680	lsass.exe
Token: SeDebugPrivilege	2124	lsass.exe
Token: SeDebugPrivilege	4204	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4572	3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	82
PID 3512 wrote to memory of 4572	3512	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	82
PID 4572 wrote to memory of 1760	4572	cmd.exe	84
PID 4572 wrote to memory of 1760	4572	cmd.exe	84
PID 4572 wrote to memory of 620	4572	cmd.exe	85
PID 4572 wrote to memory of 620	4572	cmd.exe	85
PID 4572 wrote to memory of 4580	4572	cmd.exe	86
PID 4572 wrote to memory of 4580	4572	cmd.exe	86
PID 4580 wrote to memory of 1380	4580	lsass.exe	87
PID 4580 wrote to memory of 1380	4580	lsass.exe	87
PID 1380 wrote to memory of 4544	1380	cmd.exe	89
PID 1380 wrote to memory of 4544	1380	cmd.exe	89
PID 1380 wrote to memory of 2136	1380	cmd.exe	90
PID 1380 wrote to memory of 2136	1380	cmd.exe	90
PID 1380 wrote to memory of 32	1380	cmd.exe	91
PID 1380 wrote to memory of 32	1380	cmd.exe	91
PID 32 wrote to memory of 464	32	lsass.exe	92
PID 32 wrote to memory of 464	32	lsass.exe	92
PID 464 wrote to memory of 2928	464	cmd.exe	94
PID 464 wrote to memory of 2928	464	cmd.exe	94
PID 464 wrote to memory of 3916	464	cmd.exe	95
PID 464 wrote to memory of 3916	464	cmd.exe	95
PID 464 wrote to memory of 3260	464	cmd.exe	101
PID 464 wrote to memory of 3260	464	cmd.exe	101
PID 3260 wrote to memory of 2064	3260	lsass.exe	102
PID 3260 wrote to memory of 2064	3260	lsass.exe	102
PID 2064 wrote to memory of 4872	2064	cmd.exe	104
PID 2064 wrote to memory of 4872	2064	cmd.exe	104
PID 2064 wrote to memory of 912	2064	cmd.exe	105
PID 2064 wrote to memory of 912	2064	cmd.exe	105
PID 2064 wrote to memory of 2724	2064	cmd.exe	108
PID 2064 wrote to memory of 2724	2064	cmd.exe	108
PID 2724 wrote to memory of 3528	2724	lsass.exe	109
PID 2724 wrote to memory of 3528	2724	lsass.exe	109
PID 3528 wrote to memory of 2720	3528	cmd.exe	111
PID 3528 wrote to memory of 2720	3528	cmd.exe	111
PID 3528 wrote to memory of 4480	3528	cmd.exe	112
PID 3528 wrote to memory of 4480	3528	cmd.exe	112
PID 3528 wrote to memory of 5080	3528	cmd.exe	114
PID 3528 wrote to memory of 5080	3528	cmd.exe	114
PID 5080 wrote to memory of 1552	5080	lsass.exe	115
PID 5080 wrote to memory of 1552	5080	lsass.exe	115
PID 1552 wrote to memory of 4388	1552	cmd.exe	117
PID 1552 wrote to memory of 4388	1552	cmd.exe	117
PID 1552 wrote to memory of 3660	1552	cmd.exe	118
PID 1552 wrote to memory of 3660	1552	cmd.exe	118
PID 1552 wrote to memory of 1900	1552	cmd.exe	120
PID 1552 wrote to memory of 1900	1552	cmd.exe	120
PID 1900 wrote to memory of 4176	1900	lsass.exe	121
PID 1900 wrote to memory of 4176	1900	lsass.exe	121
PID 4176 wrote to memory of 1672	4176	cmd.exe	123
PID 4176 wrote to memory of 1672	4176	cmd.exe	123
PID 4176 wrote to memory of 3224	4176	cmd.exe	124
PID 4176 wrote to memory of 3224	4176	cmd.exe	124
PID 4176 wrote to memory of 2892	4176	cmd.exe	125
PID 4176 wrote to memory of 2892	4176	cmd.exe	125
PID 2892 wrote to memory of 3984	2892	lsass.exe	126
PID 2892 wrote to memory of 3984	2892	lsass.exe	126
PID 3984 wrote to memory of 620	3984	cmd.exe	128
PID 3984 wrote to memory of 620	3984	cmd.exe	128
PID 3984 wrote to memory of 2984	3984	cmd.exe	129
PID 3984 wrote to memory of 2984	3984	cmd.exe	129
PID 3984 wrote to memory of 4036	3984	cmd.exe	130
PID 3984 wrote to memory of 4036	3984	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
"C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2LQnCqCzGR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1760
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:620
- - C:\Users\Public\Downloads\lsass.exe
    "C:\Users\Public\Downloads\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L70BpVXrOQ.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4544
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2136
    - - C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3916
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L70BpVXrOQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:912
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\thAzAlBiSC.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4480
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3660
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q4KhmYWH96.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3224
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
        18⤵
        
        PID:660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat"
        20⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uw07fWAZe6.bat"
        22⤵
        
        PID:3260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3720
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat"
        24⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5024
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        26⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:536
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat"
        28⤵
        
        PID:3808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RI9pGJW8L1.bat"
        30⤵
        
        PID:4020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3680
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat"
        32⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:532
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat"
        34⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
        36⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat"
        38⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4888
        
        C:\Users\Public\Downloads\lsass.exe
        
        "C:\Users\Public\Downloads\lsass.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat"
        40⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:3084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
0f31e501ab247a1b471e8e69930fda3d

SHA1
cc4a26314aad742126f6df0e92b777a786eade0b

SHA256
f6562e9acf0bb58a78a8ad59d5bc88bdf7a2508b84745605dfc28a19f60e4742

SHA512
65c14701fa94622aca52146b0f2d501ac2acdd4acd2a4c666903a800f26310832404a66478f861dd9b10a0a74d99e2b683fb73aef5d153b7ac26aabb96cfea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat

Filesize
211B

MD5
8115102361d6967b09e38c233eea1854

SHA1
bad19c90814fb0854c462b81b91768f7533f4343

SHA256
2512f7c0d32635f7d1a1d2ee828ae6c4bc46748cdf7916b557833e8dd88fa8f0

SHA512
8924e024f55460e053de04ece7781156e8b57833634eb635c4e4c1a1a433ccfc55d82b7f4ef1823f238893fdb098d2c2a288826e9fa57d15e30a0633cd10858a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LQnCqCzGR.bat

Filesize
211B

MD5
96f222fdcea650d74470a6041b696a8e

SHA1
9d79583cf7c035592fd6ac6fb89477d777bf3b0d

SHA256
04c944fbc1d2ecc05cdf5fd9bd96887cd13cc0c2dd70d577a431b98de37c81c2

SHA512
761fb5ef490a31c32933165286866d5cebc735a671dfd6bc165fbdd4e355d56a2b3b876f27c8b2f393639664d08bc074fe9fbfe6632dc92c02f50c5615a8bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
211B

MD5
0a48c7b4d25cdd644b2ab59a04c73a0a

SHA1
6ec3419986c514232569796ca59094511aa16eb2

SHA256
5f3ecbc2f6b2679ada65a4a56a8eb3028bd826371d579b0bf3dce482aac1c9f7

SHA512
0e22505f51e860b65cf22f4aff5304dd16ccb1606ec51cce64552e966f76031ac669906299e60cae53e35d6c335b1a319d23bfaa028102af84b60d7b3ca53d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat

Filesize
163B

MD5
756c2d0c33e936038abe377a660e7b34

SHA1
ab7253ed768316d234ae6a87f9200421c8efe070

SHA256
5598a91267cead2be342c2f74dbf024cc7f4f8f4088856d019443a71a7c00097

SHA512
59a18372a82448ac52efdfe6974799677fe6f0681cea94b4ff10fa2afb9260d6356d7d3ef45477ba710d67ac511a2236aa6dd45daa05fab079b563dbffebecd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat

Filesize
211B

MD5
5563036669001db9ac17390a1c154f71

SHA1
25e582d4b8889287c027a4049a11f6bbd2c9d984

SHA256
a21dbaeefa9da9857f195b853d7ed139189af80968e6c7e3ad47915007a7328d

SHA512
09463788c82de722139e4d874e8f8bd278d6dfa130d6c6410c20e0eaeb36de6e2623702802921ffe35cc6991bbe89fa3cf849982f230867239a18ea34c92ab59

Download Submit
C:\Users\Admin\AppData\Local\Temp\L70BpVXrOQ.bat

Filesize
211B

MD5
4cce4c7fb60d0fad09e29dd2265af97e

SHA1
2d21b19e35f27798d58cd6478845648931fc15b9

SHA256
838f84294476d58557fd06779d58043f7e46d3f05fbebe0655b3bc1d1f8ec5fc

SHA512
54e6e0bb4faf5821fd8db8e41de80574094c34232eb61643096084cc8183918e0c1b80986e33c78a655d140822ac9cd073d17f21ce66005e384cd7fba15bd52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4KhmYWH96.bat

Filesize
211B

MD5
f074db2a51b489aadbd947117aac2d52

SHA1
76ce4e31d8a49a3492fd48c126168add8b7c1f6b

SHA256
e2bf3edda0adaade38d4b21496e93962b49bbde5fde2428f6a77f42d52f1131e

SHA512
aa76e58f35f39dfdcf7a1f3e2305ba65c423a4a9d281c48117973f9365b6873d462a95075efb120de4ae56c242739e97949c2f1b63dcaca5a8c67974c118d560

Download Submit
C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat

Filesize
163B

MD5
01b3a91666ed8e39e13ae89e5e9e2817

SHA1
32c61b33aef8dbff3fb894fa9db5ae29f67ec280

SHA256
41d0a1a25a4d6f67f8b0447d86f84ce4489e669e1080efbba5bfa1c852d423fa

SHA512
9cf653a1248aa11335d8e6890b99dc0e5f681a31d2e219816885c60c9c38a4bba467d8cd707fa68145a44facb5c8f2fdf36e1f771991a8f33da30b079dfd6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RI9pGJW8L1.bat

Filesize
211B

MD5
de162ffe506629aef32f0062c7cbd4a3

SHA1
56f9a5a285e588720e9e0703649db0eea2104bf0

SHA256
eb0efc74b0a14797b4f97c5fc546123de63a517a44ce477b0507cc3fb793d2af

SHA512
b27319b9b24f5ade82e5bce9e912625044b306d65b6424df6149c57ab65482d1b772cd0c7250fee84e2ecd06f84223475cd7dbe1037c71207345da13ff89c94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat

Filesize
211B

MD5
1e962259877b6fe668e7d5b86943889c

SHA1
889f99da2661b7d1cd04575e370f0a04d4bb1a3e

SHA256
24ce835f3ef34c30dbf174f93560177e6c2bf873396650fd6f8609f14c78bf91

SHA512
5293870bd9185b0f68372f2911ee7448be587533c6ce537d8388a999e853cd848995e1ea6c0e37bdb5a5857fdb56b2f64d46d09f016860de24ede26d94cee9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat

Filesize
163B

MD5
2187eaef6b38384bcaca269294e9f9f7

SHA1
2ebc72cc7cb86e237058d81ef26cc627161298af

SHA256
9e5dbc9e7ec01d6011ba5450773e4c5b7622292ef485e364a838a0ec5b566628

SHA512
801bb3362fdb05f8189153867f2afc61d39df59dc2be188469618ced90354d131135a5d3ed3ac147a0032a4f9be07a86f774e65cb0098f30597b9fc9c0abb7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat

Filesize
163B

MD5
acd6f354c0b895caea9082d9154400c3

SHA1
8fe990af7c0dfcbd6fad98fe9162b73ced29b91b

SHA256
55badcd0541ec634287b2bd10bb94dfb6f89e609b8a9c2cf6546d65642ea5fbb

SHA512
b996345bb25e6f8789ef2fbb830b0a2e97e80f67db736d8ca51e86680b877d776b26575fd456e95d57c5d0210006e324df4952998c1e267f6fa0aff206fd3b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat

Filesize
163B

MD5
cb5dd6bef2b7d2a61be9c1a0277e11c2

SHA1
b361d84e5f9687d68c8a0051705cc6a8981c76ab

SHA256
0deb7c5b5adbf752c9546a891eb58df93a71aa86c33ddad617fd4046bb14e780

SHA512
73d67006fdddca0f509aa7e823c5e6a5ad81746bd03944d72ed1f873c83cccafa7afc24283a13e1c596af0cfc1e08e4c93d41fa60484050f1d77e2f4c55fc6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat

Filesize
211B

MD5
a567758d9764110c2cc0149f7d71b1b9

SHA1
6a829938604dc558491d465f11f56e735e028696

SHA256
4bd6f2bcdb6021f5da49a66d989dc80c1354e8ba51e2d637e7651008d3f57643

SHA512
6708bf1d24f85e55998b4ebd1db279014df7d83060774886ba375138b6976cd0efc47ba67216c126133505611ffb3b44037a9c27463497d9d6f570938f2ea01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\thAzAlBiSC.bat

Filesize
211B

MD5
6c885914621f7eed0537062bfb8c1642

SHA1
d1db0eb803bfd85c2757157051b617fbe6bc9362

SHA256
ad406454048316b718a1bc0efed2231271cd9889666d212a5bc807861951ff99

SHA512
39b3ef3f207cd86818fdd54f3e4691a171e7babaa4db93cbd316872b9167fa7694da2630fc07b0466581767c779d839dee6f17db1beefdbdf67f79d9e3c9b544

Download Submit
C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat

Filesize
163B

MD5
7df66ca10f07b63ad0e0084b4dcd61bc

SHA1
e438bf8db58fea2f5425ccbe772e6a29489d6175

SHA256
f20995edea2af044ab59be3d4c33df3a5ebebcc4f046bb1dc69f6860e60f37ef

SHA512
a66a555776b247b8c9a5e43a8d12ababf3dbca8b375e0167913305cc6ad01148cb1cb92dc73b60f7165b5a6bd8815c901e98945a5a06675b0e6f33b99758958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uw07fWAZe6.bat

Filesize
211B

MD5
835db451705bdfe091eadc33e1efbe8e

SHA1
09b2fa4fba4be85e173f2b74bb7a5f1ee2dfb7ae

SHA256
5f300b7b662636c9d47fb9b417abc18854aedf20ea5ed64f5a2ed2563c83a167

SHA512
8daf387431e6e5d7d73170c2e8e5738223a2d2f66ff4923a120f94498828b5380b60a2df5fdfbbb29b9a52ea9a887c54606bd6c4b99d3bb2254c0b6c072302a2

Download Submit
C:\Users\Public\Downloads\lsass.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
memory/32-38-0x000000001BA00000-0x000000001BB02000-memory.dmp

Filesize
1.0MB

Download
memory/3512-18-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/3512-2-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-1-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/4580-23-0x00007FFB39AF0000-0x00007FFB3A5B1000-memory.dmp

Filesize
10.8MB

Download
memory/4580-29-0x000000001B800000-0x000000001B902000-memory.dmp

Filesize
1.0MB

Download
memory/4580-30-0x00007FFB39AF0000-0x00007FFB3A5B1000-memory.dmp

Filesize
10.8MB

Download