dcrat | beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d

Analysis

max time kernel
146s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe
Size

1.3MB
MD5

c86a437db52135725b8430ee3fc1b88f
SHA1

79a23ee39098f5b640ac07a9cdbb33497c98dc69
SHA256

beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d
SHA512

32b1df626214f3291c8950088f84bf6b890189774303a71c7ec452bfcefe93a93f08480d42ca2bfb2102da1b8d9b0e44ef8600a4ab042010849b7ad2f70194a2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4056	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a00000001abfb-284.dat	dcrat
behavioral1/files/0x000a00000001abfb-285.dat	dcrat
behavioral1/memory/3864-286-0x00000000004D0000-0x00000000005E0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac10-304.dat	dcrat
behavioral1/files/0x000600000001ac10-305.dat	dcrat
behavioral1/files/0x000600000001ac10-480.dat	dcrat
behavioral1/files/0x000600000001ac10-486.dat	dcrat
behavioral1/files/0x000600000001ac10-492.dat	dcrat
behavioral1/files/0x000600000001ac10-497.dat	dcrat
behavioral1/files/0x000600000001ac10-503.dat	dcrat
behavioral1/files/0x000600000001ac10-508.dat	dcrat
behavioral1/files/0x000600000001ac10-513.dat	dcrat
behavioral1/files/0x000600000001ac10-518.dat	dcrat
behavioral1/files/0x000600000001ac10-523.dat	dcrat
behavioral1/files/0x000600000001ac10-529.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3864	DllCommonsvc.exe
384	taskhostw.exe
4680	taskhostw.exe
1232	taskhostw.exe
688	taskhostw.exe
1732	taskhostw.exe
1108	taskhostw.exe
4892	taskhostw.exe
2896	taskhostw.exe
1832	taskhostw.exe
4840	taskhostw.exe
2096	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2280	schtasks.exe
4736	schtasks.exe
4732	schtasks.exe
4552	schtasks.exe
4616	schtasks.exe
4528	schtasks.exe
1516	schtasks.exe
1268	schtasks.exe
3816	schtasks.exe
2820	schtasks.exe
4564	schtasks.exe
4584	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3864	DllCommonsvc.exe
3184	powershell.exe
3172	powershell.exe
4372	powershell.exe
4388	powershell.exe
4372	powershell.exe
4712	powershell.exe
384	taskhostw.exe
3172	powershell.exe
4372	powershell.exe
3184	powershell.exe
4388	powershell.exe
3172	powershell.exe
4712	powershell.exe
3184	powershell.exe
4388	powershell.exe
4712	powershell.exe
4680	taskhostw.exe
1232	taskhostw.exe
688	taskhostw.exe
1732	taskhostw.exe
1108	taskhostw.exe
4892	taskhostw.exe
2896	taskhostw.exe
1832	taskhostw.exe
4840	taskhostw.exe
2096	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3864	DllCommonsvc.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	384	taskhostw.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeIncreaseQuotaPrivilege	4372	powershell.exe
Token: SeSecurityPrivilege	4372	powershell.exe
Token: SeTakeOwnershipPrivilege	4372	powershell.exe
Token: SeLoadDriverPrivilege	4372	powershell.exe
Token: SeSystemProfilePrivilege	4372	powershell.exe
Token: SeSystemtimePrivilege	4372	powershell.exe
Token: SeProfSingleProcessPrivilege	4372	powershell.exe
Token: SeIncBasePriorityPrivilege	4372	powershell.exe
Token: SeCreatePagefilePrivilege	4372	powershell.exe
Token: SeBackupPrivilege	4372	powershell.exe
Token: SeRestorePrivilege	4372	powershell.exe
Token: SeShutdownPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeSystemEnvironmentPrivilege	4372	powershell.exe
Token: SeRemoteShutdownPrivilege	4372	powershell.exe
Token: SeUndockPrivilege	4372	powershell.exe
Token: SeManageVolumePrivilege	4372	powershell.exe
Token: 33	4372	powershell.exe
Token: 34	4372	powershell.exe
Token: 35	4372	powershell.exe
Token: 36	4372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3172	powershell.exe
Token: SeSecurityPrivilege	3172	powershell.exe
Token: SeTakeOwnershipPrivilege	3172	powershell.exe
Token: SeLoadDriverPrivilege	3172	powershell.exe
Token: SeSystemProfilePrivilege	3172	powershell.exe
Token: SeSystemtimePrivilege	3172	powershell.exe
Token: SeProfSingleProcessPrivilege	3172	powershell.exe
Token: SeIncBasePriorityPrivilege	3172	powershell.exe
Token: SeCreatePagefilePrivilege	3172	powershell.exe
Token: SeBackupPrivilege	3172	powershell.exe
Token: SeRestorePrivilege	3172	powershell.exe
Token: SeShutdownPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeSystemEnvironmentPrivilege	3172	powershell.exe
Token: SeRemoteShutdownPrivilege	3172	powershell.exe
Token: SeUndockPrivilege	3172	powershell.exe
Token: SeManageVolumePrivilege	3172	powershell.exe
Token: 33	3172	powershell.exe
Token: 34	3172	powershell.exe
Token: 35	3172	powershell.exe
Token: 36	3172	powershell.exe
Token: SeIncreaseQuotaPrivilege	3184	powershell.exe
Token: SeSecurityPrivilege	3184	powershell.exe
Token: SeTakeOwnershipPrivilege	3184	powershell.exe
Token: SeLoadDriverPrivilege	3184	powershell.exe
Token: SeSystemProfilePrivilege	3184	powershell.exe
Token: SeSystemtimePrivilege	3184	powershell.exe
Token: SeProfSingleProcessPrivilege	3184	powershell.exe
Token: SeIncBasePriorityPrivilege	3184	powershell.exe
Token: SeCreatePagefilePrivilege	3184	powershell.exe
Token: SeBackupPrivilege	3184	powershell.exe
Token: SeRestorePrivilege	3184	powershell.exe
Token: SeShutdownPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeSystemEnvironmentPrivilege	3184	powershell.exe
Token: SeRemoteShutdownPrivilege	3184	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2984	2744	beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe	66
PID 2744 wrote to memory of 2984	2744	beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe	66
PID 2744 wrote to memory of 2984	2744	beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe	66
PID 2984 wrote to memory of 4292	2984	WScript.exe	67
PID 2984 wrote to memory of 4292	2984	WScript.exe	67
PID 2984 wrote to memory of 4292	2984	WScript.exe	67
PID 4292 wrote to memory of 3864	4292	cmd.exe	69
PID 4292 wrote to memory of 3864	4292	cmd.exe	69
PID 3864 wrote to memory of 3172	3864	DllCommonsvc.exe	83
PID 3864 wrote to memory of 3172	3864	DllCommonsvc.exe	83
PID 3864 wrote to memory of 3184	3864	DllCommonsvc.exe	84
PID 3864 wrote to memory of 3184	3864	DllCommonsvc.exe	84
PID 3864 wrote to memory of 4388	3864	DllCommonsvc.exe	89
PID 3864 wrote to memory of 4388	3864	DllCommonsvc.exe	89
PID 3864 wrote to memory of 4372	3864	DllCommonsvc.exe	86
PID 3864 wrote to memory of 4372	3864	DllCommonsvc.exe	86
PID 3864 wrote to memory of 4712	3864	DllCommonsvc.exe	87
PID 3864 wrote to memory of 4712	3864	DllCommonsvc.exe	87
PID 3864 wrote to memory of 384	3864	DllCommonsvc.exe	93
PID 3864 wrote to memory of 384	3864	DllCommonsvc.exe	93
PID 384 wrote to memory of 3736	384	taskhostw.exe	95
PID 384 wrote to memory of 3736	384	taskhostw.exe	95
PID 3736 wrote to memory of 1268	3736	cmd.exe	97
PID 3736 wrote to memory of 1268	3736	cmd.exe	97
PID 3736 wrote to memory of 4680	3736	cmd.exe	98
PID 3736 wrote to memory of 4680	3736	cmd.exe	98
PID 4680 wrote to memory of 4704	4680	taskhostw.exe	100
PID 4680 wrote to memory of 4704	4680	taskhostw.exe	100
PID 4704 wrote to memory of 392	4704	cmd.exe	101
PID 4704 wrote to memory of 392	4704	cmd.exe	101
PID 4704 wrote to memory of 1232	4704	cmd.exe	102
PID 4704 wrote to memory of 1232	4704	cmd.exe	102
PID 1232 wrote to memory of 4956	1232	taskhostw.exe	103
PID 1232 wrote to memory of 4956	1232	taskhostw.exe	103
PID 4956 wrote to memory of 540	4956	cmd.exe	105
PID 4956 wrote to memory of 540	4956	cmd.exe	105
PID 4956 wrote to memory of 688	4956	cmd.exe	106
PID 4956 wrote to memory of 688	4956	cmd.exe	106
PID 688 wrote to memory of 448	688	taskhostw.exe	107
PID 688 wrote to memory of 448	688	taskhostw.exe	107
PID 448 wrote to memory of 2772	448	cmd.exe	109
PID 448 wrote to memory of 2772	448	cmd.exe	109
PID 448 wrote to memory of 1732	448	cmd.exe	110
PID 448 wrote to memory of 1732	448	cmd.exe	110
PID 1732 wrote to memory of 4828	1732	taskhostw.exe	111
PID 1732 wrote to memory of 4828	1732	taskhostw.exe	111
PID 4828 wrote to memory of 3384	4828	cmd.exe	113
PID 4828 wrote to memory of 3384	4828	cmd.exe	113
PID 4828 wrote to memory of 1108	4828	cmd.exe	114
PID 4828 wrote to memory of 1108	4828	cmd.exe	114
PID 1108 wrote to memory of 1472	1108	taskhostw.exe	115
PID 1108 wrote to memory of 1472	1108	taskhostw.exe	115
PID 1472 wrote to memory of 4916	1472	cmd.exe	117
PID 1472 wrote to memory of 4916	1472	cmd.exe	117
PID 1472 wrote to memory of 4892	1472	cmd.exe	118
PID 1472 wrote to memory of 4892	1472	cmd.exe	118
PID 4892 wrote to memory of 4860	4892	taskhostw.exe	119
PID 4892 wrote to memory of 4860	4892	taskhostw.exe	119
PID 4860 wrote to memory of 4924	4860	cmd.exe	121
PID 4860 wrote to memory of 4924	4860	cmd.exe	121
PID 4860 wrote to memory of 2896	4860	cmd.exe	122
PID 4860 wrote to memory of 2896	4860	cmd.exe	122
PID 2896 wrote to memory of 2656	2896	taskhostw.exe	123
PID 2896 wrote to memory of 2656	2896	taskhostw.exe	123

C:\Users\Admin\AppData\Local\Temp\beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe
"C:\Users\Admin\AppData\Local\Temp\beadfeeaf9a0098d087b787fefe0d22e983a8d3cfa229b5b9a7e5d82dfec0c6d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1268
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:392
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:540
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2772
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3384
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4916
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4924
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        20⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:208
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        22⤵
        
        PID:4304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2336
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        24⤵
        
        PID:4844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1504
        
        C:\odt\taskhostw.exe
        
        "C:\odt\taskhostw.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87b5b5a1788e57ba918df279c289baef

SHA1
4caac97a6a5a757a6b141c5bd9f7e82925b29e34

SHA256
86e02dc3a3d466d2c38e3274ca4e91149ab24fa99b06ddf89c53844bbae4243a

SHA512
62e046a87e810324a945844a31c00942a65a40abc06b158936a4b4d62df569671ad67062e3ad7f73c5a0d7e27219732d0de93effdcdbe9efd5fb0110bdf251c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87b5b5a1788e57ba918df279c289baef

SHA1
4caac97a6a5a757a6b141c5bd9f7e82925b29e34

SHA256
86e02dc3a3d466d2c38e3274ca4e91149ab24fa99b06ddf89c53844bbae4243a

SHA512
62e046a87e810324a945844a31c00942a65a40abc06b158936a4b4d62df569671ad67062e3ad7f73c5a0d7e27219732d0de93effdcdbe9efd5fb0110bdf251c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80a70e00ded60ba3aa405515bb9ac122

SHA1
8ead0496111b822b275813256e74fda7d6658dcb

SHA256
c6748e30fabb8604b371964f7f013d3abd2e97a1815071299a6b0842d397dba9

SHA512
b18a371553055e4c7a10dacf2868701b5270df0d0e79d08ef16bda1b30e77b8d413e258daa0d881fcc3b6abc2111066ae319b6013608cb530278d9c7d8102e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80a70e00ded60ba3aa405515bb9ac122

SHA1
8ead0496111b822b275813256e74fda7d6658dcb

SHA256
c6748e30fabb8604b371964f7f013d3abd2e97a1815071299a6b0842d397dba9

SHA512
b18a371553055e4c7a10dacf2868701b5270df0d0e79d08ef16bda1b30e77b8d413e258daa0d881fcc3b6abc2111066ae319b6013608cb530278d9c7d8102e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
185B

MD5
6b667b77dd851576f2e9405760885edc

SHA1
020c0f4ab11aac5c53f8888c11db8d1b318577fa

SHA256
be714d3f2e4058c6f5cda4f21205b2b7eb21d4a1358e9f1ffe7486623e29536c

SHA512
abc045c9dbc5938c3b07d00bedf5c4bddfbd2ec53e8cd9dec438915ac885577431cf385aa43cb9c33b0a28aee87b81c685630bbd769c202aa37b276f827479f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

Filesize
185B

MD5
a1595692ea5aa8b0ee1a404acb9d9274

SHA1
717a2820d135e9ebe5d53dfc7f272ab222c1a4e9

SHA256
48f7d65eda685da9a6addd3ff08a4b330998a4efd22104109cb8583a704aecf1

SHA512
eaf2d52fba66f68dcbd6ffe650eeabf0c9842c8cb4b4982e54e047cf33cd3ee1e4572bffa8f28ca99d44704f7da8d0056ae88233914952391ee5eda874179872

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
185B

MD5
c8d7ce79992424038c40dc948d7ae322

SHA1
423e128862f7d02fc960c9f5be037304530aaa3c

SHA256
fe2638cc9e6462e4b5396d5c9d37c48daa2761ab88872f5cafa84990d1453024

SHA512
2ba31deb1ab10b42e897dbc73d80e1447901091caed749326d0ebb1b407542d22e90b112ecd949c823d4bc652356148f0d1a0e698855085ae4c49c0f99e227a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
185B

MD5
4132d764d76ca679ed47b8418821aed5

SHA1
1ce22901836551d332e99ec1c1e0b10751bc3675

SHA256
52628c3cd93df49a1e5a7c50a67b0cc76f9e8f6f20b0496ef0690faa274b22e0

SHA512
b8ca7c086e7b75d15367f76685fd4d666962da1383833b1f81834e6c1f44cd2aea750e5661bc4d17c50bb4e86b61a26b8a5ccd697a807a24ce228dc23f78f355

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
185B

MD5
c4d8b4dafd74fd6fb7e058dece9e4e78

SHA1
f66f49b2e28a1cd0ddbc9edcba328cda17f8eebb

SHA256
d4480ad26d576e6340c4302f4ed7177c50e3d93294d1323ff1ebb31df651d5fc

SHA512
08dca53af3062a8ad600ef3f87063151d0bbc1e68094a2cbbc3f9b93e744a2b140e14678a5bc7256c4541e9803d616dd49c1d62855c46b9cf4ac0e44f1a29a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
185B

MD5
06e2ff9718ca05cb1641b25627a07c16

SHA1
d6f366f041067b7aaf76192ac48c5c931f5753ce

SHA256
6a99c4ae04ebf2f4f96ea262072e11d075c93732858a7544462ec24a4e37429e

SHA512
dc9cb86b7abc4a555214d02d20223448158fc5d2ff3749da193e17f72f5d52412a83311bd6238d907b17309072a6ba6bfbd664ed27dbc38675409c3a4cfd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
185B

MD5
630535caae8ee1ad86647cad12b70fbe

SHA1
5aac237574cd8240a3ad588054f06e626786b9d7

SHA256
88aeb1c65a74179c0ed57689d162380913da48875483df98eb6848739c737c9c

SHA512
5ec9060aeddc1ae0d334a981d27e36bfa9beb488e595ae0ca087fb2a4866b2a8b6934ca0ff74a101c0f8160e1e1e38d911ea33b6c8ea83ee69977c9fe6db1b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
185B

MD5
7fd31bc885225a3d6db249435f57e794

SHA1
07681de67fe4693289a24ff752cc3153f3c64ea6

SHA256
509edf3f14e42ed5ef9d6d10ac134c6f30a7d1557986466e40848a6b29477213

SHA512
3cc6fcf26836682fa67e7fc955caa53333c5c77826f44c51419e10dc3e6436137aca2a8d5c09957686414cf25c27626acfe656a11844d868045d1199766abbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
185B

MD5
1cdbfdd72fff792dcff83192bd89861f

SHA1
e5def40cbf53507b03f9079186a3e2e3d1f39bc2

SHA256
3742674f86ed06c543c50ea0dd562eea626730ef0b5a9307108d02c59c635c89

SHA512
ce2c672bfd22855f00074b090b75fc62fe5e61418626c7f46827b9efffcfa5f51f7c6452f7066be8d87ecbbeca826a89e40f9bb9a63b44e2309ee01ca785b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
185B

MD5
719571591adf6fa1b8d960a6c87954bd

SHA1
932f768a5de7fc19330d9c88275dfaa9d4ba5676

SHA256
3309abd91da9d562dda32049b2fb85f24845ca002601207ac05a606836510827

SHA512
574953d164f2cdfa6e82de12b5d81115ab96f5e0e40cd0f9b671d575f7932d0e8af8fa492ec874ee6f6db3c3a8fec0b48c34cf57f2b4b259340450d52986ae7c

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1232-487-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/1732-498-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2096-530-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

Filesize
72KB

Download
memory/2744-158-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-166-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-175-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-176-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-177-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-178-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-179-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-180-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-181-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-182-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-183-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-138-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-136-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-140-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-172-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-173-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-121-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-122-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-170-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-171-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-123-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-125-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-126-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-174-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-128-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-141-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-129-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-130-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-143-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-131-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-169-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-168-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-167-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-144-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-132-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-139-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-165-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-164-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-163-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-162-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-137-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-161-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-160-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-133-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-159-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-120-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-134-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-157-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-156-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-155-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-154-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-142-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-135-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-151-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-153-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-152-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-150-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-149-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-148-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-145-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-147-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-146-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2984-186-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2984-185-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/3172-319-0x000001E9F08D0000-0x000001E9F08F2000-memory.dmp

Filesize
136KB

Download
memory/3864-289-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/3864-286-0x00000000004D0000-0x00000000005E0000-memory.dmp

Filesize
1.1MB

Download
memory/3864-288-0x0000000002640000-0x000000000264C000-memory.dmp

Filesize
48KB

Download
memory/3864-287-0x0000000002630000-0x0000000002642000-memory.dmp

Filesize
72KB

Download
memory/3864-290-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/4372-322-0x0000021F58C40000-0x0000021F58CB6000-memory.dmp

Filesize
472KB

Download
memory/4840-524-0x0000000001140000-0x0000000001152000-memory.dmp

Filesize
72KB

Download