dcrat | 8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe
Size

1.3MB
MD5

5640397c2dc4126d8af56d4832b5f2b4
SHA1

e302ef6e8f2cb2c4529007f54a983e35a617bfdb
SHA256

8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10
SHA512

5e85460d4f8d2419c64d88d57e1c0c44f0f7a7262b2d355cf8daeda42833e889ea87a633ba8972df081030ca5386adced61a0c8bc84fc2ae79c9f1d5d876b282
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2748	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-11.dat	dcrat
behavioral1/memory/2756-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2272-40-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/592-119-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/2916-179-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/2528-239-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1068-300-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/3036-360-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2144-420-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2220-480-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2412-599-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2956-659-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
324	powershell.exe
612	powershell.exe
1932	powershell.exe
1588	powershell.exe
2220	powershell.exe
2308	powershell.exe
692	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2756	DllCommonsvc.exe
2272	OSPPSVC.exe
592	OSPPSVC.exe
2916	OSPPSVC.exe
2528	OSPPSVC.exe
1068	OSPPSVC.exe
3036	OSPPSVC.exe
2144	OSPPSVC.exe
2220	OSPPSVC.exe
2920	OSPPSVC.exe
2412	OSPPSVC.exe
2956	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	cmd.exe
2324	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe
2928	schtasks.exe
1172	schtasks.exe
1532	schtasks.exe
2816	schtasks.exe
2408	schtasks.exe
1468	schtasks.exe
2820	schtasks.exe
940	schtasks.exe
2368	schtasks.exe
1660	schtasks.exe
1692	schtasks.exe
2024	schtasks.exe
2808	schtasks.exe
2528	schtasks.exe
2256	schtasks.exe
3028	schtasks.exe
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2756	DllCommonsvc.exe
324	powershell.exe
1588	powershell.exe
1932	powershell.exe
692	powershell.exe
612	powershell.exe
2308	powershell.exe
2220	powershell.exe
2272	OSPPSVC.exe
592	OSPPSVC.exe
2916	OSPPSVC.exe
2528	OSPPSVC.exe
1068	OSPPSVC.exe
3036	OSPPSVC.exe
2144	OSPPSVC.exe
2220	OSPPSVC.exe
2920	OSPPSVC.exe
2412	OSPPSVC.exe
2956	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2272	OSPPSVC.exe
Token: SeDebugPrivilege	592	OSPPSVC.exe
Token: SeDebugPrivilege	2916	OSPPSVC.exe
Token: SeDebugPrivilege	2528	OSPPSVC.exe
Token: SeDebugPrivilege	1068	OSPPSVC.exe
Token: SeDebugPrivilege	3036	OSPPSVC.exe
Token: SeDebugPrivilege	2144	OSPPSVC.exe
Token: SeDebugPrivilege	2220	OSPPSVC.exe
Token: SeDebugPrivilege	2920	OSPPSVC.exe
Token: SeDebugPrivilege	2412	OSPPSVC.exe
Token: SeDebugPrivilege	2956	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe	30
PID 2244 wrote to memory of 2876	2244	JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe	30
PID 2876 wrote to memory of 2324	2876	WScript.exe	31
PID 2876 wrote to memory of 2324	2876	WScript.exe	31
PID 2876 wrote to memory of 2324	2876	WScript.exe	31
PID 2876 wrote to memory of 2324	2876	WScript.exe	31
PID 2324 wrote to memory of 2756	2324	cmd.exe	33
PID 2324 wrote to memory of 2756	2324	cmd.exe	33
PID 2324 wrote to memory of 2756	2324	cmd.exe	33
PID 2324 wrote to memory of 2756	2324	cmd.exe	33
PID 2756 wrote to memory of 692	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 692	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 692	2756	DllCommonsvc.exe	53
PID 2756 wrote to memory of 324	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 324	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 324	2756	DllCommonsvc.exe	54
PID 2756 wrote to memory of 1932	2756	DllCommonsvc.exe	55
PID 2756 wrote to memory of 1932	2756	DllCommonsvc.exe	55
PID 2756 wrote to memory of 1932	2756	DllCommonsvc.exe	55
PID 2756 wrote to memory of 612	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 612	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 612	2756	DllCommonsvc.exe	56
PID 2756 wrote to memory of 1588	2756	DllCommonsvc.exe	57
PID 2756 wrote to memory of 1588	2756	DllCommonsvc.exe	57
PID 2756 wrote to memory of 1588	2756	DllCommonsvc.exe	57
PID 2756 wrote to memory of 2220	2756	DllCommonsvc.exe	58
PID 2756 wrote to memory of 2220	2756	DllCommonsvc.exe	58
PID 2756 wrote to memory of 2220	2756	DllCommonsvc.exe	58
PID 2756 wrote to memory of 2308	2756	DllCommonsvc.exe	59
PID 2756 wrote to memory of 2308	2756	DllCommonsvc.exe	59
PID 2756 wrote to memory of 2308	2756	DllCommonsvc.exe	59
PID 2756 wrote to memory of 2272	2756	DllCommonsvc.exe	67
PID 2756 wrote to memory of 2272	2756	DllCommonsvc.exe	67
PID 2756 wrote to memory of 2272	2756	DllCommonsvc.exe	67
PID 2272 wrote to memory of 2176	2272	OSPPSVC.exe	68
PID 2272 wrote to memory of 2176	2272	OSPPSVC.exe	68
PID 2272 wrote to memory of 2176	2272	OSPPSVC.exe	68
PID 2176 wrote to memory of 2612	2176	cmd.exe	70
PID 2176 wrote to memory of 2612	2176	cmd.exe	70
PID 2176 wrote to memory of 2612	2176	cmd.exe	70
PID 2176 wrote to memory of 592	2176	cmd.exe	71
PID 2176 wrote to memory of 592	2176	cmd.exe	71
PID 2176 wrote to memory of 592	2176	cmd.exe	71
PID 592 wrote to memory of 2168	592	OSPPSVC.exe	72
PID 592 wrote to memory of 2168	592	OSPPSVC.exe	72
PID 592 wrote to memory of 2168	592	OSPPSVC.exe	72
PID 2168 wrote to memory of 2996	2168	cmd.exe	74
PID 2168 wrote to memory of 2996	2168	cmd.exe	74
PID 2168 wrote to memory of 2996	2168	cmd.exe	74
PID 2168 wrote to memory of 2916	2168	cmd.exe	75
PID 2168 wrote to memory of 2916	2168	cmd.exe	75
PID 2168 wrote to memory of 2916	2168	cmd.exe	75
PID 2916 wrote to memory of 2520	2916	OSPPSVC.exe	76
PID 2916 wrote to memory of 2520	2916	OSPPSVC.exe	76
PID 2916 wrote to memory of 2520	2916	OSPPSVC.exe	76
PID 2520 wrote to memory of 1076	2520	cmd.exe	78
PID 2520 wrote to memory of 1076	2520	cmd.exe	78
PID 2520 wrote to memory of 1076	2520	cmd.exe	78
PID 2520 wrote to memory of 2528	2520	cmd.exe	79
PID 2520 wrote to memory of 2528	2520	cmd.exe	79
PID 2520 wrote to memory of 2528	2520	cmd.exe	79
PID 2528 wrote to memory of 2864	2528	OSPPSVC.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cf65aae79c9cf7ccf9a19c7ce0ec303dd6f4a9a8bbf20b7e403045947cbfb10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2612
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2996
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1076
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        12⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2208
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        14⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2772
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        16⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3028
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        18⤵
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2096
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        20⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2152
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        22⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1932
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        24⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2904
        
        C:\Program Files\Common Files\OSPPSVC.exe
        
        "C:\Program Files\Common Files\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
325a001c630f865ee8c4787454c9556a

SHA1
b5c1b3075bf68ef402368da9c1f4fb84baa7e873

SHA256
32a8e18300812205d1a5c846cc1557b98f24d327f639cffb79fef871def17872

SHA512
06b9ea85fa360f3a5cb2e40ed11362cc698cfc15176026a67dc8bf5278a87c2605c6179e8009828d7923a045249b5ce3adac82e8c7cb23cb48be9bc82964b922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884a3bef90ea9f0ec61652f4a55d38d4

SHA1
364f3938dd12a020f6beb9b875ae3aaf56abf49e

SHA256
1913ab2e85afb3e69afb950177aa6a09f972ff5d52909b29d1718b5d6ed2e3be

SHA512
916498db5a5c5f852f5f6d1cb5a4dfc60d1077d7aee60edb2ddbd274e7de7a5c440bb1e7343ccdfa6a1a5743fbed37847d4a006867bd7fb0d285010bc5330d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e66572ee1c843ca7cfd91e831e1c7673

SHA1
4b951edef4428889759d01c152c85ad4549af555

SHA256
cda3ad66bc0cfc9f47bdd9945db1a3eff9d5adaab347e2fabf47a6e6dcee140e

SHA512
80fd462de349f2386fdb00ac4007db107aec8041eec56ac48e85b674a67f7d194ab5430d16a5967458377e5a9f146b8e46e150b353f832701046fd87166dc0f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f3dd861d47f74ee87dba98b3de31570

SHA1
5e544985bd0e92e6a436dc873c47620b0fea1902

SHA256
d6f7e8b920440268c496dc38a4df811d480fb64c43ae48e243b3804f6f98a128

SHA512
6dbccb6e4b7e41f167d9d408bcd50d4328da41b82efee0a47a6a7eb90753a4646b4387a805869e433885b02a106519fd61528c6100ad4a78428b33329303cbac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc829d015e383a940ae14a23fe5aa1d7

SHA1
b9f0df6b5c1aea499fb88244933d54fce4a4d1f6

SHA256
f9d1efad222605efb4f7c996d58f7986ab1188f90bfb73bef8bc558090d6043d

SHA512
0bd20b342483d3d184684da23b58061155d5a7c1b4578b08ca0761df230a7d59148c74dacd6c36a10b239e6358d056bfbcc4ff78d33b2d91a6b010684b72f10e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
617b770172bdee0d8a9b50c4ee9155ca

SHA1
6733d59e85ee6cd6eda93dbbc40b98d5d103712f

SHA256
471dbc15ca3858c94faa06a5e7d2137802b751046b36268a03c48b7447e0a2e0

SHA512
0dc0a674e18af4b644e0cf7c57a87b724516362c2e3ed1175b6a433641b99edf1dc2f5f9b1998916f9d976542c680e16e42bda1218e01cbeebfedeb9a833508f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e6f54a2b59da6ab0b77488f8f024e6e

SHA1
bff5a990b4aba273a5175fbac00347721559fa46

SHA256
f9403bcf6351b11769df7bb4f2be1b89c3fe73a822a504c0a319801854edd72e

SHA512
1c2a3b6c5f7e0ab7ca3f0438c848f95eb80c45a515f54ff40373b614846a9d38f6c60209b431b652ae633fcb698efe90719ab04495fd4695eb6af41e1d16b42d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f42d93462efe1d528b07d9af73bd4cf5

SHA1
33e176de482bd112279312ba69a60544936a4f27

SHA256
1d9ea6e76244c74648d9adf3f32c0fc89525856a65a69e3bc50306eade963402

SHA512
0e755321159baa4a46b03930d241421389ff6b2b72a711f45c361d60c0db17a89716b56924225009f7b7df44ef52838411848274e971f67b6bc8896628d9685b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1055481116de3cdbfc738d5ccfdc146

SHA1
87ea497743d39fe9a2dfadeb8c7b8bc5744cb9f3

SHA256
82672b18d465fb0d758881aa25d24c9247288f1d89879c80b1d271a296ead4a3

SHA512
85ba3814bc9fea1611c171a836a6c2a90fb0e87d5f49289554e2c6c531aeb0198317387f9be03d412937ce107b2e21536d9b0d821c2862af75469f6e1505e744

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
206B

MD5
1e046da858253269dfc43e74bd8a0a8b

SHA1
b74cc3ab09cda51e2976b0f6211db26a7d609b79

SHA256
983973182806754a312e9ec4ee00bcd0a985fc6a2b606323ec72b1c9e0e7119e

SHA512
0e01f211ea4c5c9dbebc0807608d9f191a1b213e27ba0b7cfd74e061b641256b332d6f9e601108aefe4300b9c744ab2df1e4cfdc719f82c971053318c9ca0340

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
206B

MD5
30a2c4593ee7d8fde7f9054c244c1b7a

SHA1
df99bb0da9ae7fb27c7384d34a1d9b973282a08e

SHA256
b8478b4c874a4f3d43d69ceb28b7e4cdda3b7fcae60ce60c809abd5654864aaf

SHA512
7526753f86b8ebe3588d08a23f86188c9f79b26025432af8cac5f5c93d926fa31ef84b992fad6d36b8836b6e2cb33b4d8599484483ddcdd85145d2859f3dba05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab284A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
206B

MD5
440e762295012399b4d4a1c056299493

SHA1
146dca43fdecbf3bc30aaee3d3c848ea58881e25

SHA256
ab6377578e9269e59c08825d55bb65b3d2b1721f3215f9d4ab24b37e4c6479f2

SHA512
cbc3e6ea84c868c20efadc61d695a938c0f7fa1ee06dcb4823bb717c5808f37761ac65caa0ff28bead01adb51c8078ae8cba77d01e3151b50ea627cd90746308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
206B

MD5
5f9d6fcbba0d152cbe50994ec4163810

SHA1
e59f76bd880de386e96928093ef481e6f8a4f569

SHA256
0d1092103788a80e5bfb602634a2aac79998ff81f060d68571d254dd2c599c4f

SHA512
60fc241efcb7b9cad1db572c60e62a24772eaae8b837cf2075efbb25a48bdedaa7692df611769ec35b12dbced6a3a3b4069503daf45ecd9ba26ce1607416cee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar288C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
206B

MD5
309e1e087c163e8bebf15989b349252b

SHA1
3d226cd95cdcb4e203672ced49c67f8c424cda5e

SHA256
916efca4446146c0cb6fbee6b99bbef37c7a80f3ef252343ae9eb1560a42b23b

SHA512
943767ede79bea92336eb0c2c710f79a404d40bb285af82ff1ee9b92bcf2a083456c88de2dd7a059a8729c9d6362849908c14a0d8e5aa5faf87f64953e4d4a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
206B

MD5
38c58276e1b1bd08df81222f43f184ae

SHA1
14b57a10aa32f9af8bdb1f2e90ecc9e008eec104

SHA256
3db4fd066611e29b859ca834b160948818323478abab761a01add9899fe78ca2

SHA512
ff65364024b0a0ede378c4bf91b14635e296ddd37db5754bc2410d3fffbf113d6f5c6662a93d2fca6f78693662fbcab11db7cde5e498c15f845723573603900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
206B

MD5
b0aceca914cab2f88640e9504f1d8d7d

SHA1
cc844ff0a804447724d6a7e46f8b7354240da1b1

SHA256
d1fe164a9e6cbc1e365ed3ad96fda902e08b6dc2ee9bb7d13a1922dbee051406

SHA512
845cee0c171894d31fa73c37f1572d93f09d83d5177ecddeb2aae5416916a98d0a793c968cfddbf99256d0790cab74fd778168a9c93c4eebd3a1e4bbfb4ab949

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
206B

MD5
c17c5b130761befef79fc1b2101bb722

SHA1
ac51383108e3f8e7c6e7a31913faef20ba161119

SHA256
ed7a152985a4f83b5dd2e8639b7d902e5db061e4fbdda9bec079f95a3e7400d7

SHA512
7df5fd726d404510370ace5a0b1b7716c490f333055d245c7cd4e26afae10e18412023b2828fa9f66a7405f70109d47bc6625fd0bf040e9324fd40517b8c5413

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

Filesize
206B

MD5
5990f0a65f493f8f3aed32d5b60aeed8

SHA1
c336f9c39210d9b3296eebe832ef76e14a706fc6

SHA256
2464f59d6c233e67d28f5bbd13f2f975c1e590d36afbcc56b3341c4cb44d1a1b

SHA512
220d7bdac0494d96a1545de85b4cc5e48a84c72a27a186ab31fe64c577ea51f516a81ec0164b6ee014b948261e96f19d0ef0d93f5b90ee611350ca6c75d25535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a84f78b8bec1df75e7e19e0bb5cb2b16

SHA1
588ecf29321f7d88ea5a8b740798c32cf61ec466

SHA256
0528b82b3d78212fb1d6759c4efd4771d0ad7e5c3a6b709adf7057a46c47ff94

SHA512
127f1113cbd482870a9121a0ac49c6a32366adf29eb68233bc9f304caaaae44ffff806d5467646925d969d13d2b3d565876f8bcadde16c7bca0e3566f75f8611

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/324-56-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/592-119-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/1068-300-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1588-55-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2144-420-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-480-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/2272-40-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/2412-599-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2528-239-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2528-240-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2756-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2756-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2756-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2756-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2756-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2916-179-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2956-659-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-360-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download