dcrat | 9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

3.1MB
MD5

c9d720a4200df5064f655adc3656056f
SHA1

0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256

9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512

f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP

49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	628	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	628	schtasks.exe	36

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
604	powershell.exe
664	powershell.exe
2412	powershell.exe
1092	powershell.exe
980	powershell.exe
660	powershell.exe
2204	powershell.exe
1652	powershell.exe
1004	powershell.exe
1032	powershell.exe
896	powershell.exe
1740	powershell.exe
1940	powershell.exe
1744	powershell.exe
2488	powershell.exe
1788	powershell.exe
3060	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
540	Solaraexecutor.exe
2584	PerfNET.exe
2160	audiodg.exe
1088	audiodg.exe
2144	audiodg.exe
564	audiodg.exe
2900	audiodg.exe
2780	audiodg.exe
316	audiodg.exe
1496	audiodg.exe
2664	audiodg.exe
2968	audiodg.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	BootstrapperV1.19.exe
2968	cmd.exe
2968	cmd.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\en-US\taskhost.exe	PerfNET.exe
File created	C:\Program Files\Windows Mail\en-US\b75386f1303e64	PerfNET.exe
File created	C:\Program Files\Windows Photo Viewer\audiodg.exe	PerfNET.exe
File created	C:\Program Files\Windows Photo Viewer\42af1c969fbb7b	PerfNET.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe	PerfNET.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\f3b6ecef712a24	PerfNET.exe
File created	C:\Program Files\Windows Mail\en-US\taskhost.exe	PerfNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE
2684	PING.EXE
2824	PING.EXE
2332	PING.EXE
2204	PING.EXE
2304	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE
2684	PING.EXE
2824	PING.EXE
2332	PING.EXE
2204	PING.EXE
2304	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1496	schtasks.exe
848	schtasks.exe
1344	schtasks.exe
2648	schtasks.exe
1252	schtasks.exe
2880	schtasks.exe
1704	schtasks.exe
2168	schtasks.exe
1020	schtasks.exe
2784	schtasks.exe
2884	schtasks.exe
2452	schtasks.exe
1640	schtasks.exe
1088	schtasks.exe
2640	schtasks.exe
2892	schtasks.exe
2776	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe
2584	PerfNET.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	PerfNET.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2160	audiodg.exe
Token: SeDebugPrivilege	1088	audiodg.exe
Token: SeDebugPrivilege	2144	audiodg.exe
Token: SeDebugPrivilege	564	audiodg.exe
Token: SeDebugPrivilege	2900	audiodg.exe
Token: SeDebugPrivilege	2780	audiodg.exe
Token: SeDebugPrivilege	316	audiodg.exe
Token: SeDebugPrivilege	1496	audiodg.exe
Token: SeDebugPrivilege	2664	audiodg.exe
Token: SeDebugPrivilege	2968	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 540	2848	BootstrapperV1.19.exe	31
PID 2848 wrote to memory of 540	2848	BootstrapperV1.19.exe	31
PID 2848 wrote to memory of 540	2848	BootstrapperV1.19.exe	31
PID 2848 wrote to memory of 540	2848	BootstrapperV1.19.exe	31
PID 540 wrote to memory of 2092	540	Solaraexecutor.exe	32
PID 540 wrote to memory of 2092	540	Solaraexecutor.exe	32
PID 540 wrote to memory of 2092	540	Solaraexecutor.exe	32
PID 540 wrote to memory of 2092	540	Solaraexecutor.exe	32
PID 2092 wrote to memory of 2968	2092	WScript.exe	33
PID 2092 wrote to memory of 2968	2092	WScript.exe	33
PID 2092 wrote to memory of 2968	2092	WScript.exe	33
PID 2092 wrote to memory of 2968	2092	WScript.exe	33
PID 2968 wrote to memory of 2584	2968	cmd.exe	35
PID 2968 wrote to memory of 2584	2968	cmd.exe	35
PID 2968 wrote to memory of 2584	2968	cmd.exe	35
PID 2968 wrote to memory of 2584	2968	cmd.exe	35
PID 2584 wrote to memory of 664	2584	PerfNET.exe	55
PID 2584 wrote to memory of 664	2584	PerfNET.exe	55
PID 2584 wrote to memory of 664	2584	PerfNET.exe	55
PID 2584 wrote to memory of 2412	2584	PerfNET.exe	56
PID 2584 wrote to memory of 2412	2584	PerfNET.exe	56
PID 2584 wrote to memory of 2412	2584	PerfNET.exe	56
PID 2584 wrote to memory of 1092	2584	PerfNET.exe	57
PID 2584 wrote to memory of 1092	2584	PerfNET.exe	57
PID 2584 wrote to memory of 1092	2584	PerfNET.exe	57
PID 2584 wrote to memory of 1744	2584	PerfNET.exe	58
PID 2584 wrote to memory of 1744	2584	PerfNET.exe	58
PID 2584 wrote to memory of 1744	2584	PerfNET.exe	58
PID 2584 wrote to memory of 1652	2584	PerfNET.exe	59
PID 2584 wrote to memory of 1652	2584	PerfNET.exe	59
PID 2584 wrote to memory of 1652	2584	PerfNET.exe	59
PID 2584 wrote to memory of 1004	2584	PerfNET.exe	60
PID 2584 wrote to memory of 1004	2584	PerfNET.exe	60
PID 2584 wrote to memory of 1004	2584	PerfNET.exe	60
PID 2584 wrote to memory of 1032	2584	PerfNET.exe	61
PID 2584 wrote to memory of 1032	2584	PerfNET.exe	61
PID 2584 wrote to memory of 1032	2584	PerfNET.exe	61
PID 2584 wrote to memory of 3060	2584	PerfNET.exe	62
PID 2584 wrote to memory of 3060	2584	PerfNET.exe	62
PID 2584 wrote to memory of 3060	2584	PerfNET.exe	62
PID 2584 wrote to memory of 604	2584	PerfNET.exe	63
PID 2584 wrote to memory of 604	2584	PerfNET.exe	63
PID 2584 wrote to memory of 604	2584	PerfNET.exe	63
PID 2584 wrote to memory of 980	2584	PerfNET.exe	64
PID 2584 wrote to memory of 980	2584	PerfNET.exe	64
PID 2584 wrote to memory of 980	2584	PerfNET.exe	64
PID 2584 wrote to memory of 896	2584	PerfNET.exe	65
PID 2584 wrote to memory of 896	2584	PerfNET.exe	65
PID 2584 wrote to memory of 896	2584	PerfNET.exe	65
PID 2584 wrote to memory of 660	2584	PerfNET.exe	66
PID 2584 wrote to memory of 660	2584	PerfNET.exe	66
PID 2584 wrote to memory of 660	2584	PerfNET.exe	66
PID 2584 wrote to memory of 1740	2584	PerfNET.exe	67
PID 2584 wrote to memory of 1740	2584	PerfNET.exe	67
PID 2584 wrote to memory of 1740	2584	PerfNET.exe	67
PID 2584 wrote to memory of 1940	2584	PerfNET.exe	68
PID 2584 wrote to memory of 1940	2584	PerfNET.exe	68
PID 2584 wrote to memory of 1940	2584	PerfNET.exe	68
PID 2584 wrote to memory of 2204	2584	PerfNET.exe	69
PID 2584 wrote to memory of 2204	2584	PerfNET.exe	69
PID 2584 wrote to memory of 2204	2584	PerfNET.exe	69
PID 2584 wrote to memory of 2488	2584	PerfNET.exe	70
PID 2584 wrote to memory of 2488	2584	PerfNET.exe	70
PID 2584 wrote to memory of 2488	2584	PerfNET.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QGtGEogmBG.bat"
        6⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2364
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kJRy2Wx8TR.bat"
        8⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2120
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat"
        10⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat"
        12⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2232
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x6qvRCaXDp.bat"
        14⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat"
        16⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G684DP1YLF.bat"
        18⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PUr4LdF8J0.bat"
        20⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat"
        22⤵
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1536
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        24⤵
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1864
        
        C:\Program Files\Windows Photo Viewer\audiodg.exe
        
        "C:\Program Files\Windows Photo Viewer\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat"
        26⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G684DP1YLF.bat

Filesize
177B

MD5
723f3e54da010db6c8071f45c48f92c1

SHA1
000e6a4fee09f45b380365c773d3e2e25c449852

SHA256
c4f74e123f11264df7e33eb66956cf462bb4d05d455dc17c9b45db448a55c768

SHA512
7d71d7fecb3dc9018ee600543676b6b29647d9f23d5642731ced775618d2e9aae2a68f8d51b5257b75530e9202f0889193450c66d832f7edc8a554a30a7ff1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat

Filesize
177B

MD5
deb5f56ade0a84412b6322157e8c3f5f

SHA1
2e47380c3518b0b27d4ac36864afc9751367df3f

SHA256
299874419062315d0b5c776c843dff01d691d1245adb9fcaa95de71e106ae42a

SHA512
b7411406150823dfc52dd8bd3f397e05d463ea8fce48e5f7d0ef991f5ace7ce6697977f675889a2abfeb0abdd4bfada9f988acbf50e1048047f0a74e65871f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

Filesize
225B

MD5
4b2ed6eb74187471a00d40d16a56f7d1

SHA1
8df070f4456edf13e5114975504bd07ed8e3d6c2

SHA256
ac56e616910bcdd1b21d78c2332f88fe32a71f1ff5353bcc346e8d6d14fdba38

SHA512
5d2fe23313844fa1a1e97af68a263f8cf259810a32c491b8ac3bdd4bb8eaa38f71ded07ba3326a5a10bdd0629e58ca5fade9fa5cdab1e89179ce9b5e5b0bd5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUr4LdF8J0.bat

Filesize
177B

MD5
a8f2e5ddbbde284c8513b213e44faf84

SHA1
8d1ffb6db6dd5a3fd17235ee511dc90daf802da9

SHA256
1af05c0777b4956e98ba5db864b8f5695b8053508bab9b746655d5d30a134313

SHA512
b360597058fe61c885562a7b5535f1597e51c8d9b8b099d909f583334bfb25cdc5b9047261da93d7c907c2ff05ac83afe4c13340db83d70881284b5d25b5fc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGtGEogmBG.bat

Filesize
225B

MD5
362af5df3e5e3e0c24859884e3eafc8f

SHA1
a39c3d8e28b79675670211fae48b7b2e59b628a2

SHA256
963e793d72c4698d162c4ea4c1563bf1b436d34bc0c91b5c24a462d987d936e6

SHA512
2efe7f1ae8187cb783e3a1162bdb0fd97ac42b51361511bf66f4019d51918f9e52abe69b561421dabe1e45c0da0a92d4c3121242060152ea2a1a73f4277247b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat

Filesize
177B

MD5
1e1d2e198daa909f4cfae9a81fb577fc

SHA1
44c62acc04d56301272f7e8a0bedfa310464f2d5

SHA256
b670b7f719a1a688bb1ee3141fcfe25bd60ef7cb565ea45c6f186d4b87fbf192

SHA512
98f863943c9918deae45df14d3cc75cbb0011b0542a900155fa445b5560b6af3558854b20c43db59727c2ea46e2fe83d0e051c2d09b2870b104e6652342d1b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat

Filesize
225B

MD5
b047278626c7ba0ec59fe073b266aa71

SHA1
80da0a878324b455df4b58d36d344af46e9c08e4

SHA256
4c13364282abb8bd1d1be9a34cb4bffdf5e3e8b82561283d8d3110cf16b42beb

SHA512
142dca0d3ae28b08c9e3bb1ac5b6b38e156bf1067dd9fc92944d3f6ea88cec90c194d818da4bc4de86c103394b2abea51132e124753a0b3f439003953da96d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Filesize
211B

MD5
e30ec43c2cef82698f68268735844cc5

SHA1
2ad9967dd2d1087fbe3dc96d79c49f08a17d38f9

SHA256
f6e612f2aa1d27d9c070ea07a69c4c0c9bed6e308198857ee7a1335ad7aef48b

SHA512
94ec05a7ed4f1dc0a59c12e394c651290e31b12b37a0ea80e73c362c8d1aad6bfebb2c6a87790ee9e59164ef3a16f8282695ccf94effa6d4570989621e1caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Filesize
82B

MD5
e76af187b94b636b1c61ac0419e5b8a8

SHA1
03a8761def6fab98121efc99256fef93b3391781

SHA256
ca364ab0bdcea783a389667f2b41ce4ff5ca304172422d398e947d5d6a4e5b20

SHA512
f2beaa0d4472eca942519f56aac4c0da1da13d7e9ced01493adec053b9abc4802fad8a60b7ca2627e2349f16e6f19ca034137c3322ca7167a126856cce1dacec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Filesize
1.8MB

MD5
3c3b7d5864e9f151a77b33d4b9d15e3c

SHA1
d8a0c81c551da2c1e500eb2b56562a2ac0be2c81

SHA256
de07619885cbd439fa402a13cedf8edf1d67b2ae4fb078f8dc18ae7a662a7d23

SHA512
5204b39f1008093e95221b9a7ea14be6bba59a5a47d0447cfdc503c524fef9aa4001785ac0cd333f19817b6d428e2034772f6134bc84493a74f47cca2672d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJRy2Wx8TR.bat

Filesize
225B

MD5
5c745164e6848a507f209267f0571098

SHA1
ca13eb167b6c6047b34c71e7f77e65a1b46bbf08

SHA256
1c58e66e2e73a75dc01f67fe68e290b12ccd404438f238c8eb3f3416ee70b454

SHA512
30d28f4bf0d046653e57a50f20676c4d9a7c653fd985bcbb15f594f12cd32585e574f98adc3ea685d3692a54966622fe453b01d8f017783ca7aab63ce79f8152

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat

Filesize
225B

MD5
2d8ad44ca07a82bc710a8b6fc323cc84

SHA1
c0f825627ac3b7c4bfc93840b932dc4caebf5387

SHA256
d02ceef7d81f103aeedebf106c8b36f5699f33253aae3ceee188edffa7110d57

SHA512
a67a22ab668743d36dd25818112880224ced75db8dea1c19548eb0cdf86574103e5809c013b25d0c4a240e6eb22d1358a2fcb64dc84cec47a23927f8c22d6d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6qvRCaXDp.bat

Filesize
177B

MD5
c26a20576cd180b40fae395c2bc6b01f

SHA1
e77fdb9ba47f976bbf6b2cf901f6c5693cd07e7d

SHA256
14f6bf47af7eeba250f1a4e1a4271d0628a4d26a10e9f9b9dbb1c79d76566dfe

SHA512
a62fd424f75eac1c983aa41f670b824edfaa2941c83d155f80d8a27b62df2cf1e0590c472417bc52e3045e8f3de22e5a872d5ff9ce82386014e1f35d72fe3d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat

Filesize
177B

MD5
b82d43c46521927f496be6c6f16b7aa4

SHA1
b74ae9fa0ed374b9665039b6569ff69528c84bb4

SHA256
aafdd1e2243da7ffc963a4e8301f1ee697a4ee21cdc2306e9dcdaefa87cbb570

SHA512
43e32c9fa02cd0f417c08744258de47dc7ee6cdca2f130213b5e4d012a0df03f9cfbd80e419adc6139eb3b260db1dc823286be5cf5df14f15fb360e10e9af090

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c2ee5de502f89702e277ad65cf9eba3

SHA1
8def93758d44f0886f0abb21672ebfe645330ead

SHA256
86badcadbabe0c6b48c72b845b6f1d324c3ad64a604456284f13903baa63943a

SHA512
63b4cf14705267517e121a957134152d6b5c9b09f8b85b88dda15a53302abf8ee74030c49f6234625bfb7741a8b1bcb9cb9146ce316286c09c18b7c2b8bc160a

Download Submit
\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe

Filesize
2.1MB

MD5
b444fec863c995ec2c4810fc308f08c2

SHA1
f8f8cb40daf8054a00fb7b3895babd68c6429161

SHA256
e7cccbe17462fba64687eddc141d99920ac3e890ed1464d17b6110fdca6be7de

SHA512
1472d2a9e95c949a67734af6849f827122a178df799c7c29252cc0221437fb8573bcff0a30e8f1d0e6ab1c39c8fe72c597f863bc192133a10cd6178becc17127

Download Submit
memory/316-205-0x0000000000AE0000-0x0000000000CBC000-memory.dmp

Filesize
1.9MB

Download
memory/564-172-0x00000000013C0000-0x000000000159C000-memory.dmp

Filesize
1.9MB

Download
memory/1088-150-0x0000000000C70000-0x0000000000E4C000-memory.dmp

Filesize
1.9MB

Download
memory/1496-216-0x0000000001230000-0x000000000140C000-memory.dmp

Filesize
1.9MB

Download
memory/2144-161-0x0000000000200000-0x00000000003DC000-memory.dmp

Filesize
1.9MB

Download
memory/2160-139-0x0000000000320000-0x00000000004FC000-memory.dmp

Filesize
1.9MB

Download
memory/2488-64-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2584-27-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2584-29-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2584-25-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2584-23-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2584-21-0x0000000000CD0000-0x0000000000EAC000-memory.dmp

Filesize
1.9MB

Download
memory/2664-227-0x00000000012F0000-0x00000000014CC000-memory.dmp

Filesize
1.9MB

Download
memory/2780-194-0x00000000001D0000-0x00000000003AC000-memory.dmp

Filesize
1.9MB

Download
memory/2848-5-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2900-183-0x00000000003E0000-0x00000000005BC000-memory.dmp

Filesize
1.9MB

Download
memory/2968-238-0x0000000000290000-0x000000000046C000-memory.dmp

Filesize
1.9MB

Download
memory/3060-63-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download