dcrat | 00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe
Size

1.3MB
MD5

5e1b55b0e7169925005a58ed0e1dd601
SHA1

500bf0dc6a8304e15013b3c0257f116a2296c7a3
SHA256

00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa
SHA512

1d7798fbdc5454a5b17e6a88612f27a792f466f7893b13b370206d6695300177beda41dc16501a10434e326e19e23781ccad3577f6e13a74ccf34e8a2456c61f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2096	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2096	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d30-9.dat	dcrat
behavioral1/memory/1236-13-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2772-80-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2580-140-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat
behavioral1/memory/2444-200-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/3004-260-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2776-320-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1324-439-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
408	powershell.exe
2284	powershell.exe
1088	powershell.exe
1876	powershell.exe
2392	powershell.exe
2124	powershell.exe
2228	powershell.exe
2112	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1236	DllCommonsvc.exe
2772	csrss.exe
2580	csrss.exe
2444	csrss.exe
3004	csrss.exe
2776	csrss.exe
1464	csrss.exe
1324	csrss.exe
2184	csrss.exe
2592	csrss.exe
2272	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	cmd.exe
2576	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\services.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\System.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
644	schtasks.exe
2608	schtasks.exe
2908	schtasks.exe
2144	schtasks.exe
2204	schtasks.exe
2216	schtasks.exe
788	schtasks.exe
2884	schtasks.exe
2060	schtasks.exe
2384	schtasks.exe
2648	schtasks.exe
2888	schtasks.exe
2792	schtasks.exe
1760	schtasks.exe
1060	schtasks.exe
1156	schtasks.exe
2976	schtasks.exe
3056	schtasks.exe
1968	schtasks.exe
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1236	DllCommonsvc.exe
1088	powershell.exe
2228	powershell.exe
1876	powershell.exe
408	powershell.exe
2112	powershell.exe
2392	powershell.exe
2284	powershell.exe
2124	powershell.exe
2772	csrss.exe
2580	csrss.exe
2444	csrss.exe
3004	csrss.exe
2776	csrss.exe
1464	csrss.exe
1324	csrss.exe
2184	csrss.exe
2592	csrss.exe
2272	csrss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	DllCommonsvc.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2772	csrss.exe
Token: SeDebugPrivilege	2580	csrss.exe
Token: SeDebugPrivilege	2444	csrss.exe
Token: SeDebugPrivilege	3004	csrss.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	1464	csrss.exe
Token: SeDebugPrivilege	1324	csrss.exe
Token: SeDebugPrivilege	2184	csrss.exe
Token: SeDebugPrivilege	2592	csrss.exe
Token: SeDebugPrivilege	2272	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2676	2776	00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe	30
PID 2776 wrote to memory of 2676	2776	00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe	30
PID 2776 wrote to memory of 2676	2776	00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe	30
PID 2776 wrote to memory of 2676	2776	00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe	30
PID 2676 wrote to memory of 2576	2676	WScript.exe	31
PID 2676 wrote to memory of 2576	2676	WScript.exe	31
PID 2676 wrote to memory of 2576	2676	WScript.exe	31
PID 2676 wrote to memory of 2576	2676	WScript.exe	31
PID 2576 wrote to memory of 1236	2576	cmd.exe	33
PID 2576 wrote to memory of 1236	2576	cmd.exe	33
PID 2576 wrote to memory of 1236	2576	cmd.exe	33
PID 2576 wrote to memory of 1236	2576	cmd.exe	33
PID 1236 wrote to memory of 1876	1236	DllCommonsvc.exe	56
PID 1236 wrote to memory of 1876	1236	DllCommonsvc.exe	56
PID 1236 wrote to memory of 1876	1236	DllCommonsvc.exe	56
PID 1236 wrote to memory of 2392	1236	DllCommonsvc.exe	57
PID 1236 wrote to memory of 2392	1236	DllCommonsvc.exe	57
PID 1236 wrote to memory of 2392	1236	DllCommonsvc.exe	57
PID 1236 wrote to memory of 2124	1236	DllCommonsvc.exe	58
PID 1236 wrote to memory of 2124	1236	DllCommonsvc.exe	58
PID 1236 wrote to memory of 2124	1236	DllCommonsvc.exe	58
PID 1236 wrote to memory of 2228	1236	DllCommonsvc.exe	59
PID 1236 wrote to memory of 2228	1236	DllCommonsvc.exe	59
PID 1236 wrote to memory of 2228	1236	DllCommonsvc.exe	59
PID 1236 wrote to memory of 2112	1236	DllCommonsvc.exe	60
PID 1236 wrote to memory of 2112	1236	DllCommonsvc.exe	60
PID 1236 wrote to memory of 2112	1236	DllCommonsvc.exe	60
PID 1236 wrote to memory of 408	1236	DllCommonsvc.exe	61
PID 1236 wrote to memory of 408	1236	DllCommonsvc.exe	61
PID 1236 wrote to memory of 408	1236	DllCommonsvc.exe	61
PID 1236 wrote to memory of 2284	1236	DllCommonsvc.exe	62
PID 1236 wrote to memory of 2284	1236	DllCommonsvc.exe	62
PID 1236 wrote to memory of 2284	1236	DllCommonsvc.exe	62
PID 1236 wrote to memory of 1088	1236	DllCommonsvc.exe	63
PID 1236 wrote to memory of 1088	1236	DllCommonsvc.exe	63
PID 1236 wrote to memory of 1088	1236	DllCommonsvc.exe	63
PID 1236 wrote to memory of 1256	1236	DllCommonsvc.exe	68
PID 1236 wrote to memory of 1256	1236	DllCommonsvc.exe	68
PID 1236 wrote to memory of 1256	1236	DllCommonsvc.exe	68
PID 1256 wrote to memory of 1776	1256	cmd.exe	74
PID 1256 wrote to memory of 1776	1256	cmd.exe	74
PID 1256 wrote to memory of 1776	1256	cmd.exe	74
PID 1256 wrote to memory of 2772	1256	cmd.exe	75
PID 1256 wrote to memory of 2772	1256	cmd.exe	75
PID 1256 wrote to memory of 2772	1256	cmd.exe	75
PID 2772 wrote to memory of 2224	2772	csrss.exe	76
PID 2772 wrote to memory of 2224	2772	csrss.exe	76
PID 2772 wrote to memory of 2224	2772	csrss.exe	76
PID 2224 wrote to memory of 868	2224	cmd.exe	78
PID 2224 wrote to memory of 868	2224	cmd.exe	78
PID 2224 wrote to memory of 868	2224	cmd.exe	78
PID 2224 wrote to memory of 2580	2224	cmd.exe	79
PID 2224 wrote to memory of 2580	2224	cmd.exe	79
PID 2224 wrote to memory of 2580	2224	cmd.exe	79
PID 2580 wrote to memory of 3016	2580	csrss.exe	80
PID 2580 wrote to memory of 3016	2580	csrss.exe	80
PID 2580 wrote to memory of 3016	2580	csrss.exe	80
PID 3016 wrote to memory of 2640	3016	cmd.exe	82
PID 3016 wrote to memory of 2640	3016	cmd.exe	82
PID 3016 wrote to memory of 2640	3016	cmd.exe	82
PID 3016 wrote to memory of 2444	3016	cmd.exe	83
PID 3016 wrote to memory of 2444	3016	cmd.exe	83
PID 3016 wrote to memory of 2444	3016	cmd.exe	83
PID 2444 wrote to memory of 532	2444	csrss.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe
"C:\Users\Admin\AppData\Local\Temp\00d57c82d489efd105804faa3d6b5b5b70ab35502f2d75db07ccc63e113a86aa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cmuU0FriZC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1776
      - C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:868
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2640
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        11⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1324
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        13⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2996
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        15⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1368
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        17⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2444
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        19⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1716
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        21⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2344
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        23⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2768
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e1ac47e7ed952e8affe19a911334d4

SHA1
c31d9381e4e6605a3afa01beae193a0feb4030dc

SHA256
5fb48d69c7c771ad2b861177e55af355ea08c71ee63b7f273644fd241afb0cbe

SHA512
6cd957c212fc699cf18ea25d452ac5fcb9f01e6640599ebb8ce6805542918267ba6e9ebe285b3f401470a815af32d2885eaa46bc02e64881bc1dd7f776d3ba84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb7a824ea97e6743b11860717953ec38

SHA1
d53c91007dcecb3ecacd6d6f7fa4368b221035d1

SHA256
040c4e9487fd8283d22b0872477643dd691e1767d4ab3c7240e666febd91686d

SHA512
bd49f200fedf1b25195c92d2100643cef57ff3ff7ba1eb331231cd5a7399e18ee6946ffe26f0ed0e1dab90efdca0fc71f64b81f4d6936f45415ba038e74f174d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f0a49f44ae1bb4525be32369170e885

SHA1
f390b952817fcf985064e7ec394878aae67d0b36

SHA256
0d94700af0a096972f9ad8d698097a1547cc73a64b45f79474ed9ab584c19f45

SHA512
b11173292ac159a9a281c2a8cf48f6690b94f07eeeb6cf3ac4499e684fbeba4c8696ee4e41786d6095cfb92acf12e7c631c20249f019fda506e00047300918ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a44689cda9d829e4b18d8b05c21c0ed1

SHA1
bc83d511b73b5aaa479cda9984b7e754c03c6205

SHA256
d5f68a023d1faa978ae75d81e3b25e8f4186cc4a5a391b87c9c81f782d475e16

SHA512
d2a94a173ca7c6bfb1fe3ef794f563b3d595ecb874e1da1fa13b5d66a608e04b6dd3b48a34a126d0b5aa4da396cdfc632f9ab7188d47a510d410daf05a36b2a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d048a9d7928c8e6b25197bf251112cd

SHA1
ce7476bdbd3dc69bfc80cb1c872fb06f22ca58ea

SHA256
d913fb22706b833bea2559104d01b6dda33b59683955a316fa9d1f3add05f339

SHA512
d4cbb854ff6dee7da90a0abe2a1b690263af4ef0089f96b839eda96f7bd0bb1696b3f156de539ca53b159db6dbedc47ce648d5101423b5e93bd6e6fb8dac8dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a68eb4099faa44ee47be6f7e857cbd6b

SHA1
0a5a9b90dd59b61286b48f978397df660c589f28

SHA256
50bb573053ee854ff7e493be3b92930e5af53696cc3d3a51aeb72c8ddce2ea97

SHA512
62de7a9feab871709ce05f32d8fe1c334972af82ca0ecb4b92d3654801d87cf17a4af7dea8596e11f1445943babe5481bf7209a8c1cd7ad22b3b1b05dc8147cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef36cf2b1405f8ec11488f4691c70418

SHA1
4b91c7156d3a444405da94af37f31b0f1d67e064

SHA256
98bbd583f64701e80c16df59c93a07d317c2ad87a7b47b0ed2613cfbcc9a2e1a

SHA512
c9b81ec19532b00c68bb82e98d69e738f5604d96f84b6664fcd921d16befae1b5e707795c0cc8a5080c18bcce48ae755199fa302621ac090375a422743daa206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d49f446943a8976753e3faa7586713c

SHA1
c2043fb2245063dee3dcda33472d2d00ce0487a8

SHA256
85fa252477e1208552df4b0c045d4531388c0486f9a819e2911fee3d08650f0b

SHA512
f0f999e07e8079d8d9aa0987da0d1a62c2fdd16eeb5142478d7e0932014b9c110a403cee30169670a5442a52ef8a7830cce597a0e191667a9b791e4f9e246443

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
193B

MD5
eb560731bcb6d2c90a6762881f1a607c

SHA1
20849476b58e962859b3cf1c9a93ff2d97c9f01f

SHA256
9ce5e0ad62d7cd7f2e4b3009435821fa50385093c5278dac4709f67210ce6c40

SHA512
4a99cd1ea9dc9cfaa41dee922c56db48e46c3a46cec274c5b19b2e2ad367a8a058c3dc9ffdb6ba2b2d9ccc43d5ffff8051c17f4493476b4fc520ed955702dcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
193B

MD5
ec701b6fcde64b095bf0458161f86117

SHA1
62a889ded1867ba08313d3b65df27137389ba4c2

SHA256
7d88e4a74a8a8ceaf2fe0eae8099a222ff76b9784b11d805dca8c2dc6d8c012d

SHA512
a6218b69c064c654414fbe264bc88d21a13f07e829027bf0610ee4ed9843d1784840327b89a6c39765480fc5cd4259936813487279aefb916169dff271a40265

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DC6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
193B

MD5
216398ccbf5ce981bf1ae36411d541b2

SHA1
236da1bb8b28d29c565d24df20b7886d76d53e16

SHA256
f022500c5eac630cc448fa238c6f9e37a7edb1a5b74208c82dcf5c12f89bf449

SHA512
82c1b6e0b02b59f5b8d3c16fa661ca75f140a4ceda34d2cdbf734db3800e533f63fe006a11a5474f27e745256df8feb52899ac0f94a6908dc10447df19c352ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
193B

MD5
158e21e1cb1940a12cef7e57c558416f

SHA1
5ad46fdb341beb21472dfc45a725f664bcf04863

SHA256
be6f1273722f9bf010f12000c3a85ae2625c525da982866b23b004576e13943b

SHA512
fd890feaa094a1e763d33e3b35b1302ee7d69e70fcbe14968f45f73c712515858b7bd9d5ded4acaaa2379bc950599e5549b596bd53a2daf5b4eb3a0bfb61fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
193B

MD5
bbbfb5c20e9f06bfbe2fc1cded3a5fbf

SHA1
7a65d81ab989fcea4e429e3bae33271fbd25f8c6

SHA256
b4bac3061577efb368c1de9ab63547ad977005173fdabe82098ea413e58d8f24

SHA512
42c44fb9dcdcdef2c637aa9e21d2d0649fb3b94f2ceee68600768704479307822ced24dd3e0a858f74dafc78d7b8f34cc9ccde3c046428b990186c69f32760a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
193B

MD5
79219b810849f5130037366312f701d6

SHA1
e8026f7ca973613c2480d359c7f245bbdce18d5d

SHA256
60dd181d384576b5a13e72117f32f5e45e795bdec0baba15bb93c712c2be86e2

SHA512
33c80672cbf52735634dcf3037ac4aa2a677cb62285dd68918d1ac0888110863f9f827136a0719e0bcace7e349c86c8a445a5d45746fbddff50f74137265010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
193B

MD5
399e2f4d2fd720da9e884b3a781a1afa

SHA1
c0b5d40107368301a899113b6fd5f25999a5fd23

SHA256
521a26edd7c977f1d0e533d97a2ec2c57d61d237c59ea1758427413397bbe702

SHA512
2db5c4b3dc29af2cca69da7126d4a8f98f7178cd2d020408644c35ed2d1093257b73c31ef96bf11fa6400cbce436d764773c19932beb19c5e8fcc7bac5a88a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmuU0FriZC.bat

Filesize
193B

MD5
e5d8a597be8900d2b5ba968a5fd1e34b

SHA1
14c8875f7c602d4cce4e24c2d924d8df16395e97

SHA256
175172a74a0cfbab58de2fb1e715b89316c52e339b100258708347a0125d637b

SHA512
5c6efd6bbaf6c11edba2cbee16f6b9b7843fe470646d134e3ed77b2137865ea13d0a431c84988e38f52e183534b57acc08a3beb966f25708d1db3dc89ec436de

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
193B

MD5
979435e45bc482619280e1efa6641abf

SHA1
2de3652cf9361100fef135d2144f44a37bb706b0

SHA256
b685572e145cf085577e3d6598f801081db605f8824b08082342d84b38ae0e72

SHA512
daf2df3f8f26d0e2c0a7fb242789d747091f9ee9bd4b884b65030100f3f50188bc34538fb034feb5f73c9d92e9c1890d25f1dcc210f1f21c78d05f3c059627d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
193B

MD5
1ee85c15bd7f61b2f290bb5f685242b3

SHA1
11f255114cddbbb7bffdc59d5ce6a3c3b7bccacf

SHA256
f4062ab4eb6f60e2f6d40b58cb06ac40010a1f2f4d8e252adb7df9408550a195

SHA512
b4c6056abc9c9ae7f9307522cc1d1375c3a6fd5cfeec0608ae500483a2c06837612c062c3eb8727d75a9ecd87aae276ce133345820e33e39c5133e3c297a36d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f42e4258b7f9e85ec4a1b81c50ff1eba

SHA1
30b58dff04a3e9ed9f28c0d80e51852c51fb6c07

SHA256
a28ebddb6819a1ef824450f8cdf587293e997f1db5ad496e6f3dcad052592ada

SHA512
dde8ae8d34d874f33cf69981102d185cb99c2a881c99fbccd8657e05ea9e75ac8efe8156112da5b8283479583c368533067e8b74797d7b0c168ffdafe580b4c8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1088-51-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1236-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/1236-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1236-13-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/1236-17-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/1236-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/1324-439-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1876-50-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-200-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2580-140-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/2772-81-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2772-80-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-320-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/3004-260-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download