dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	taskhost.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2552	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2552	schtasks.exe	36

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016dc8-6.dat	dcrat
behavioral1/files/0x00070000000173e4-20.dat	dcrat
behavioral1/memory/2592-23-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat
behavioral1/memory/2952-58-0x00000000002E0000-0x00000000003B6000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2456	kendalcp.exe
2592	reviewDll.exe
2952	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	cmd.exe
2800	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	reviewDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\c5b4cb5e9653cc	reviewDll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\OSPPSVC.exe	reviewDll.exe
File created	C:\Windows\LiveKernelReports\1610b97d3ab4a7	reviewDll.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\sppsvc.exe	reviewDll.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\0a1fd5f707cd16	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1072	schtasks.exe
2644	schtasks.exe
2732	schtasks.exe
2220	schtasks.exe
1648	schtasks.exe
2172	schtasks.exe
564	schtasks.exe
3008	schtasks.exe
1208	schtasks.exe
2524	schtasks.exe
2072	schtasks.exe
668	schtasks.exe
1524	schtasks.exe
1492	schtasks.exe
2996	schtasks.exe
1508	schtasks.exe
1576	schtasks.exe
380	schtasks.exe
2976	schtasks.exe
1248	schtasks.exe
1568	schtasks.exe
2872	schtasks.exe
1536	schtasks.exe
2972	schtasks.exe
1912	schtasks.exe
948	schtasks.exe
2924	schtasks.exe
484	schtasks.exe
2440	schtasks.exe
1204	schtasks.exe
2436	schtasks.exe
1700	schtasks.exe
876	schtasks.exe
1848	schtasks.exe
2168	schtasks.exe
1544	schtasks.exe
1236	schtasks.exe
2116	schtasks.exe
1740	schtasks.exe
2132	schtasks.exe
2152	schtasks.exe
980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2592	reviewDll.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe
2952	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	reviewDll.exe
Token: SeDebugPrivilege	2952	taskhost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2456	1932	XBinderOutput(1).exe	31
PID 1932 wrote to memory of 2456	1932	XBinderOutput(1).exe	31
PID 1932 wrote to memory of 2456	1932	XBinderOutput(1).exe	31
PID 1932 wrote to memory of 2456	1932	XBinderOutput(1).exe	31
PID 2456 wrote to memory of 2776	2456	kendalcp.exe	32
PID 2456 wrote to memory of 2776	2456	kendalcp.exe	32
PID 2456 wrote to memory of 2776	2456	kendalcp.exe	32
PID 2456 wrote to memory of 2776	2456	kendalcp.exe	32
PID 2776 wrote to memory of 2800	2776	WScript.exe	33
PID 2776 wrote to memory of 2800	2776	WScript.exe	33
PID 2776 wrote to memory of 2800	2776	WScript.exe	33
PID 2776 wrote to memory of 2800	2776	WScript.exe	33
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2592 wrote to memory of 2952	2592	reviewDll.exe	79
PID 2592 wrote to memory of 2952	2592	reviewDll.exe	79
PID 2592 wrote to memory of 2952	2592	reviewDll.exe	79
PID 2952 wrote to memory of 2380	2952	taskhost.exe	112
PID 2952 wrote to memory of 2380	2952	taskhost.exe	112
PID 2952 wrote to memory of 2380	2952	taskhost.exe	112
PID 2380 wrote to memory of 2288	2380	cmd.exe	114
PID 2380 wrote to memory of 2288	2380	cmd.exe	114
PID 2380 wrote to memory of 2288	2380	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\blocksavesperfMonitorDll\taskhost.exe
        
        "C:\blocksavesperfMonitorDll\taskhost.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\blocksavesperfMonitorDll\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\blocksavesperfMonitorDll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
- Process spawned unexpected child process
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsv" /f
1⤵
- Process spawned unexpected child process
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsvs" /f
1⤵
- Process spawned unexpected child process
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
- Process spawned unexpected child process
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
- Process spawned unexpected child process
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhost" /f
1⤵
- Process spawned unexpected child process
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostt" /f
1⤵
- Process spawned unexpected child process
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
- Process spawned unexpected child process
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
- Process spawned unexpected child process
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "OSPPSVC" /f
1⤵
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "OSPPSVCO" /f
1⤵
- Process spawned unexpected child process
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvc" /f
1⤵
- Process spawned unexpected child process
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvcs" /f
1⤵
- Process spawned unexpected child process
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmd" /f
1⤵
- Process spawned unexpected child process
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmdc" /f
1⤵
- Process spawned unexpected child process
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvc" /f
1⤵
- Process spawned unexpected child process
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvcs" /f
1⤵
- Process spawned unexpected child process
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "services" /f
1⤵
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "servicess" /f
1⤵
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "services" /f
1⤵
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "servicess" /f
1⤵
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhost" /f
1⤵
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostt" /f
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\6203df4a6bafc7

Filesize
881B

MD5
c9b3240d2f48963c42b0121421025839

SHA1
fbc3e90f71b9fef424912242f20025bbef7598a1

SHA256
4465fac41e2528cc735acea67c12658315c90e77395dedc9d8bb5094d77c14d3

SHA512
12ab9539798379de5495a631d791ac7347f683401df7652beb6498ad9dde3467bdf2c2a3e2424c53920e920232f534c18234d990a9e9f54aa9656cc48e1a0ee0

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e

Filesize
432B

MD5
95a7575336391f55f6dcf97effc9ee30

SHA1
1fb44806899f613640b4ad09b1b383d0da7f695d

SHA256
18e8b0f28b1d009447c6736f3b5622e8d3cad4d96680c9a3a12e712f660de1ce

SHA512
ee7295a3b62540c4d28efbf3a2ca0151629f0bd2047ed1dc6820f0d4fd0a54dcc45056376e2717c5aa00dd4c0316d9dd798d3644ea42e9105f7cb5903c4231b4

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\es-ES\c5b4cb5e9653cc

Filesize
634B

MD5
159c6734e5117aba571d4a2a967448ce

SHA1
bdbcc039304e0f3a477e1a548e1a301045851bfd

SHA256
9ffc7ed9632ca917fe4662afae219d769a2da0a323066221baa430d9bafe430c

SHA512
812d62fcd1d93c31f7f62a803398212d70024bd8d37eb752ea172581107fed823c104e301e0aeee65f7ed352ae08edf670722c610ab2a10b92e14dcdbde38413

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\886983d96e3d3e

Filesize
35B

MD5
12fb84b2ad17fdf2f9c8daf9be0866bf

SHA1
3253317923cad8826aa4852ed5d6bb7672e0aa94

SHA256
0a268e31c34fcd8e60224ecbb85ac5ed2a86ef7a5e4d589c3e77fc8bc2e8b914

SHA512
e8f8c4714bb4695701d68fc0e1ed6bb2ad827020ba3b7b5ded68cf1a94945345fd69d9c454ebefe858160a5b7f97d208cc46ab843dc3e7ed515f905fc8c9656a

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\ebf1f9fa8afd6d

Filesize
319B

MD5
85838e41d3f20eef386f085606982bb5

SHA1
b6d445c852b787988be57a772607591a616ee58c

SHA256
7e50ed20d4d483358fde6b2baf8a500e38eb8e3fb240fa7ea83b824ec45b3e9a

SHA512
d4f38e5636acb282aabb40b6672d8499eda3239ccb8d3ea72971454a489dc0b6c2d4706af9da75f6f6dc5af1293f3a7b5fd154099a25f47dcda79f63bfb562f4

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\f3b6ecef712a24

Filesize
394B

MD5
ff37198d02f9a1d39dcb9ad41bb2753e

SHA1
0b868a2c7b108b80bd8157085504fb35953d18c9

SHA256
974349f1d17663f0b01a231be4145b58c01a555da240eda826396a80803ccdf1

SHA512
8fa31df541c636d451fecf233304ef8e6e9407d8a990df7e174c83899864283a8bf745f450130db364f51e05107ede02edb4afc73208bc4cd194cd7fe20b9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
268B

MD5
ce4e0e975d87376a761852e9b2c1c407

SHA1
eee3bfaa5a92856ab0956efcbdf54a45828fc3b7

SHA256
7dd76b13140676b829299c2b62431f7e5ba310c102c3618293e462f0c302e90c

SHA512
ed7d718ff0289bc088c48d7b414783a773ad33439e32a7d761566254b55be327644656f975ba51165e3fa842a62118ae6ee61562a51cc4ac78c645d45dbc0b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\All Users\Application Data\6ccacd8608530f

Filesize
722B

MD5
13999ea4a68134bc5d917b41bb256b62

SHA1
0df9d0cbeb3ae9e6758f6dff8728346d55a26b5f

SHA256
b66c9a9c7ac9d30a99231d4e09067e02f1324a4ed65d7f542469136250492349

SHA512
85fada9a343412c0994fc4381cf572a615e63b88384ef23850261a5271db5f487e351e94dd3de7197ecf42b618fae0b53378b04e450ee75648ea27b0069c5979

Download Submit
C:\Users\Default User\6203df4a6bafc7

Filesize
367B

MD5
6ed14f111b2c3a0f681a01ba1874a88c

SHA1
ec2999866d9eed4c3f9ba61430ae479e24aa02fc

SHA256
2e6c3439e68660a3174ebd199f41bc9230ef98682ef592994111486068f76870

SHA512
633716a4b39a5b9bf8bc5de687c4596ee30813bd4dbed2c94af00b0e87f6ec954d5e583382e0761ae5bcd039b90cd90f8fd33074c5391c7c08281a7b5025a79c

Download Submit
C:\Windows\LiveKernelReports\1610b97d3ab4a7

Filesize
339B

MD5
5f662bdf97110a0ce6146f5534f6da3b

SHA1
a5e646583b73904969bd6659aa480c005c788800

SHA256
cd4b993de9da800c890601dae47ef794705df58266c9356b4fdc63bdba2e0c2f

SHA512
aa9e2c9daa70e32732775e0c8deb19aad57a043ff60307a499341772edde49a19e6b891fb93fe69dd8b5f483fe6cc4b5841d61a576f5f28bc9e19d36c624baaf

Download Submit
C:\Windows\Resources\Themes\Aero\en-US\0a1fd5f707cd16

Filesize
180B

MD5
1ebc9bea944f95d5d79d0eba8357dec3

SHA1
4c8e49267678a576920ccaea9280e86eabbaa6e3

SHA256
f873b722c61f4ef2d06b60e081836eaef9d4fc280748bec40ea72f1c72d61b8c

SHA512
68d97609c2501e4bd4c4a4be5d8978ba7a6e90798aa52044e923755fe4f00d0a1c456ede2289acf0b890e6f8326bd6975a614f9e7a48cc4653c1839cbb4a22c2

Download Submit
C:\blocksavesperfMonitorDll\0a1fd5f707cd16

Filesize
432B

MD5
c97fac0aba2d3cae3e3458921da48533

SHA1
c721c0efa4d1fa71068e41a22e2061c23fbf2440

SHA256
351bf33ac59338354a3923f6d1480f6e98342a33d2b740129827fa1309453a4c

SHA512
cae47698d357031a4a97747fc02dd6cdb00e3bb7ddc388db2db01588db94cdc394b511af1a8c022beeb4f02988f2ac14599ba669ac13c7be4c700dc0c236d15d

Download Submit
C:\blocksavesperfMonitorDll\6ccacd8608530f

Filesize
421B

MD5
51199a6f4a297ff478e0b6005e234dfa

SHA1
538dd985c6096ba90905b1fcb23625329d3946e2

SHA256
d02b4689f5052bc2d8d500d69a35275472e3466437997ab700151e87f863a813

SHA512
dcf555752cd104aaebcecf39e083bf8460664e7e86de5cf357788848bf3684cc9c947a33d704a8b4d1999102fed9ada97fd9afc531bb95e70f09fce45bedc76c

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\b75386f1303e64

Filesize
803B

MD5
bfe1ae7a0b9c0e41b845381fe4f7ae39

SHA1
7fc79390d85624db207540fc13a0889f4098caf7

SHA256
08c5721580a35c09b2a7a8bd4d13569dfb40932847ddcbe4b3103a3bb38cb934

SHA512
de7130de58804a4aadd3712be59800994c218c5a4e30519deba37ce32c233a6ddb06c11236c46ca1bc5392c9c76f1b18c80f33fa3c9ee4ac42e9e459890b27a2

Download Submit
C:\blocksavesperfMonitorDll\c5b4cb5e9653cc

Filesize
724B

MD5
3b392b0e90fc95b25bffdcb683301a63

SHA1
16077b9107b666e7e5f0f501e14562164ce2ab0c

SHA256
99bd270b1203a01d7e3679bc6922d96bda4a5b345c161cb77c23b167a5d594bc

SHA512
4700e109fd2851f20c9458f53d4873268d5fbb60db80367fc6790da0fc74f1b6d8a80221aef28ca31f319be2fe450040b7cd6e30772602ffa16e0933dda5f0b1

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/1932-0-0x000007FEF5863000-0x000007FEF5864000-memory.dmp

Filesize
4KB

Download
memory/1932-9-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-7-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-1-0x0000000000C70000-0x0000000000D0E000-memory.dmp

Filesize
632KB

Download
memory/2592-23-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/2952-58-0x00000000002E0000-0x00000000003B6000-memory.dmp

Filesize
856KB

Download