dcrat | 27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe
Size

1.3MB
MD5

e58d57a99b94073f53a65b4daccb4bdf
SHA1

a71dd67fcb52e302d1c8c1ef7921d920e025c052
SHA256

27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b
SHA512

cce7e526e2aea3564f4ade20981a010856d4686f9350a9a79de02b5b053e44dfd0730f4324c7f052f37c8265042468de695893920205db20e7161183ab62d88d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2580	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-9.dat	dcrat
behavioral1/memory/2872-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/700-73-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/1476-133-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/2372-429-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2212-548-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1720-608-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2092-668-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
776	powershell.exe
756	powershell.exe
320	powershell.exe
1500	powershell.exe
1944	powershell.exe
2372	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	DllCommonsvc.exe
700	services.exe
1476	services.exe
1672	services.exe
2112	services.exe
2408	services.exe
3024	services.exe
2372	services.exe
1608	services.exe
2212	services.exe
1720	services.exe
2092	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
32	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe
1308	schtasks.exe
2360	schtasks.exe
692	schtasks.exe
1476	schtasks.exe
3028	schtasks.exe
1868	schtasks.exe
2884	schtasks.exe
1000	schtasks.exe
632	schtasks.exe
2888	schtasks.exe
2000	schtasks.exe
2020	schtasks.exe
2620	schtasks.exe
1232	schtasks.exe
2356	schtasks.exe
576	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2372	powershell.exe
1500	powershell.exe
320	powershell.exe
756	powershell.exe
536	powershell.exe
1944	powershell.exe
776	powershell.exe
700	services.exe
1476	services.exe
1672	services.exe
2112	services.exe
2408	services.exe
3024	services.exe
2372	services.exe
1608	services.exe
2212	services.exe
1720	services.exe
2092	services.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	700	services.exe
Token: SeDebugPrivilege	1476	services.exe
Token: SeDebugPrivilege	1672	services.exe
Token: SeDebugPrivilege	2112	services.exe
Token: SeDebugPrivilege	2408	services.exe
Token: SeDebugPrivilege	3024	services.exe
Token: SeDebugPrivilege	2372	services.exe
Token: SeDebugPrivilege	1608	services.exe
Token: SeDebugPrivilege	2212	services.exe
Token: SeDebugPrivilege	1720	services.exe
Token: SeDebugPrivilege	2092	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe	30
PID 2848 wrote to memory of 2704	2848	WScript.exe	31
PID 2848 wrote to memory of 2704	2848	WScript.exe	31
PID 2848 wrote to memory of 2704	2848	WScript.exe	31
PID 2848 wrote to memory of 2704	2848	WScript.exe	31
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2872 wrote to memory of 536	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 536	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 536	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 776	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 776	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 776	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 756	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 756	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 756	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 320	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 320	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 320	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 1500	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 1500	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 1500	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 1944	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 1944	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 1944	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 2372	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2372	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2372	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2148	2872	DllCommonsvc.exe	67
PID 2872 wrote to memory of 2148	2872	DllCommonsvc.exe	67
PID 2872 wrote to memory of 2148	2872	DllCommonsvc.exe	67
PID 2148 wrote to memory of 1676	2148	cmd.exe	69
PID 2148 wrote to memory of 1676	2148	cmd.exe	69
PID 2148 wrote to memory of 1676	2148	cmd.exe	69
PID 2148 wrote to memory of 700	2148	cmd.exe	70
PID 2148 wrote to memory of 700	2148	cmd.exe	70
PID 2148 wrote to memory of 700	2148	cmd.exe	70
PID 700 wrote to memory of 372	700	services.exe	71
PID 700 wrote to memory of 372	700	services.exe	71
PID 700 wrote to memory of 372	700	services.exe	71
PID 372 wrote to memory of 2064	372	cmd.exe	73
PID 372 wrote to memory of 2064	372	cmd.exe	73
PID 372 wrote to memory of 2064	372	cmd.exe	73
PID 372 wrote to memory of 1476	372	cmd.exe	74
PID 372 wrote to memory of 1476	372	cmd.exe	74
PID 372 wrote to memory of 1476	372	cmd.exe	74
PID 1476 wrote to memory of 2764	1476	services.exe	75
PID 1476 wrote to memory of 2764	1476	services.exe	75
PID 1476 wrote to memory of 2764	1476	services.exe	75
PID 2764 wrote to memory of 1300	2764	cmd.exe	77
PID 2764 wrote to memory of 1300	2764	cmd.exe	77
PID 2764 wrote to memory of 1300	2764	cmd.exe	77
PID 2764 wrote to memory of 1672	2764	cmd.exe	78
PID 2764 wrote to memory of 1672	2764	cmd.exe	78
PID 2764 wrote to memory of 1672	2764	cmd.exe	78
PID 1672 wrote to memory of 756	1672	services.exe	79
PID 1672 wrote to memory of 756	1672	services.exe	79
PID 1672 wrote to memory of 756	1672	services.exe	79
PID 756 wrote to memory of 2308	756	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27c19559712c6e96c0428aed6bc861c558de8e151b3e04533f3f0ce35fee972b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCuTeOCW71.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1676
      - C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2064
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1300
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2308
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        13⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2156
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        15⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1392
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        17⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2796
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        19⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2508
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        21⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2456
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        23⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:316
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        25⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1568
        
        C:\MSOCache\All Users\services.exe
        
        "C:\MSOCache\All Users\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9809d479266f1e8fe7fbe87b23320787

SHA1
65b1c72ff8335d97c3aacfd2ffa965eef214650c

SHA256
9578ef445426e8ba99cb4c470ad8c54b435889743e6998e3504b13aeca075083

SHA512
f42ae719d6506255d4afe8a858ee97bad350a26f4dd28893eeec3756196f47ffd5a249a5ca73fe44a9b542d969f7cdfaf66b6e47158c7ca472d869fa34e154b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137baf99c04a5daa554392db5896cf75

SHA1
e4a52299825f7eb0426eac30f0042b80985bfcd6

SHA256
d4efbe82c5b03e53619e22a29b10d5a13797ef2192edcabbc4b392d6df0e173d

SHA512
a5716c3010f6eace1c860b858ef42bb38cd989ed611edc1b0907e55e2593159271f7ef91de77c55d63b0b8f1514c7c68b466850b8ffa80a2ec42afb9db7f8ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6356a9df42a36a0f0d2364e05842ab85

SHA1
7800d24694a1e4fd97c5e72f50cb7e45063c3ac3

SHA256
5c24e82a8d261ef546c9bbd0fc7795e08eab662cc2d8a2631184eb78909cb8a1

SHA512
63a17039a6fc7fb1087459193fd05f60e740774a485d1f7578c9104df821fd75fab34a3510fc74a6fef566adfcb72c05f65b4a0dd170d55819dee127124b69f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365b56d7caabd537d365240deaa6a9ca

SHA1
dcf4fe6bc494e4584aa328a874083075e92cd5bf

SHA256
d01a67112ec2049652c79d346b30e43c4322ef8162e0c444b075c93d4221cac1

SHA512
397e97666b2cd2617719a6dafe01b12c9908d541aebed2cf77c0ab6d27372ef189611cf5a6ef2e1bf95581afa2f6a3c899f2d6671c68d7da86cc70ebaa9edb60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb151240157324df86d63bc03e9dbb30

SHA1
c8c29332237d800bf8d4c14649160de49f0623c7

SHA256
2bdd845e2976d61b85bf9909f178489fbf77c86003eddcaf25d451bdb62a8322

SHA512
ff939cd82eef78c0a7297bbf0e49e7897b19a8d158eaea6c71e210add472380725b5a8597a6c4220ca75b537739bbe73acf10c524ff8c1f722cad61663ecffd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575c5a2b84440fab272ab3cf761cff65

SHA1
eda1bdb2f53576f6e2ef6f69cf1aad074f462f8a

SHA256
5ee341bfa1b47543dc7596be67a2055ecdf5949e72d339eca753cf385bb7b450

SHA512
c6fedfb48383a69ea368270540bbde54fcf2872fcc84c05784a74edeadcd971a4940018969dd436d157d439a44b7d300562c7a29464d11b7405633e9fd39d4bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ec64b880c4298f76166648bb450e98

SHA1
1d4d1a90e5db6c2bff60a1d670641757f5001570

SHA256
4981e21e45208483df885009fef0e34ad52c60c3881519dc82ce116723a79787

SHA512
38599053917e80569391d28f71aee630f6187f896bac9a421932f7680772ce45d7e2f80508dddeb99f4fad9b97247aee8c04e7d27a07bcfb201cc519c46ad058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2afac023e006b1445f6c2112b35a6386

SHA1
141510337b2bc6ccb15c884e902b75b9d72f6cf4

SHA256
a5cd95d9fcd7e19764beddeaabc5e06bff3bd9ce1d99156ee0929f87614e451c

SHA512
9f6000869771a05a039e24d472a8f3360aee5b40b40988171950cc25e9cdf7ac229b7cde2e7f148399381bd8df60094c3737effc4691eda692ebc714099ff167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f44214f6466ccc7bc7e66db0407479

SHA1
a6e8465dee027275a9842abd9831b9dc48262f07

SHA256
8b48eb95cb19552ab627563f4f3ca55aad5e135e7170cdf211aefc292b98213b

SHA512
c0e07e3f6eb4f809ff1a02f47a15b7bb6eac5b46d2e0a4b8ab590040bcb6486b76323c1c55442d16815ce68ee36210ea45544fde17070ff4aff48d3f52a07fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
199B

MD5
b3767249f0caacf51243a672523a549f

SHA1
0992564c97a629a0d910d15ac32924b0af47ca0c

SHA256
2e9c2a8811d1121a6812bdc5736cb3da96a160953b79a9b8a0785c6bf65f7170

SHA512
e2db79ee57f547534eba4b8cc5a3f8c2f6912326132a12d4512c6ca4b698eaee94f7d1d29b96db1bc5640dac00606766e4c34eb89b42b18f760e57cf989d5b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EC5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
199B

MD5
22734a9a9b9335e2a71b1ee4c37b7f35

SHA1
33e7218d033613dbc197212a7b0c46aff73cf135

SHA256
44cffb5f4dab0c074474dd6258ab4cccaff7e23deb3ac57818c9ca957930c1f5

SHA512
94fa93623472e3897b41951b6ba7ea15c807933560a343650935cac9bd793eafc56efc793cb5bc61af086a26e0088e45f49bfe2163fc571b019f807fb9144087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
199B

MD5
7d53ff751c347327ebd81162d3044088

SHA1
461a79819b43fba03ef54ed6c300343f237dcb73

SHA256
1f864b412c9a8486452e65d1dfd942abdea1a85d0165d1df853861017a94964f

SHA512
6507a1411b5d9c9f4ae1ab38508c4fcccac1e07ee2cdc28d6c2fdabe7654de020fd9878295ecb7fab9ca0f6229a0aa9551e4b8e51a648976058b7d9e234889a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
199B

MD5
1c7c6c7f293a90d8c89bab7ba7f3f5fd

SHA1
3fa940921120bbfd76b2bf2c0dd3fe3a0aecec39

SHA256
f86871abd6681505a35d86a11a465c8cdc2e70aae91f7f6eeac0de0ac7a44208

SHA512
f44f2f8109dfa8e615518fcfb2862dbff01d0e3ce97958f930fb7324fb933bf96bd8cb17f2a195979098a5b65c3e387ecab26bcf2f925985276561f07cabae61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

Filesize
199B

MD5
118332ddc7988a6a6371235753301b66

SHA1
155187a3537dedbea1c7206e662eefacea4d760c

SHA256
5e8ea699d48074adc099186893415a33b058ad11deffbcaade06a3a33949224b

SHA512
d4a0787abe15f4ec10fa07b23cb078778f3c6a8e2712518b99480f68347066ad7119511d7377997ae86e3485067792b68968bb813c206fa9c096c9a11c0770ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5ED8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
199B

MD5
0b8781f8c9aba93024ac3381eff982cd

SHA1
62c66c3a17aa9ae84fd46934d38b50154d7028b3

SHA256
d06f54ad4418f1b208f3ad6a3d969ff6bfad68e8c241eecea08aa232156025c6

SHA512
f84ef0c97011df63a34f3bedc65b9f356edaf3538dc913866d37973e060143636e6bd684826bfc2d76958a820efcf67fd5f5a2826d6aad2f799ffe8178ca5dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
199B

MD5
ad20fa1fe14266c5238bf7dc55fdb0bf

SHA1
b49ae393e547f75bd7b9e1e72ae60ec481237782

SHA256
dfcd3beb7b60c95a4bc092ae1756947f61a0d151bbd0d31df4489441f554f248

SHA512
7cefd21b3061f6f80b59240c7cc89c290dcc5421fdb75093026a3a9b26f31b69d6884c15ddf9fe48a45ac173e48c33453ace4f0d58280dc7ff5772e2cf9c2b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCuTeOCW71.bat

Filesize
199B

MD5
a84c898ab8958b97938b9b1225a16672

SHA1
282bb663816df2461358a05e3470b9b01c3d8e83

SHA256
8a89c35d44c40fe1e48dd55835f2df39709704ab74a6d59677910e18e246c811

SHA512
f4df34e5795440a0cec215c5033e60467353c1485747f402bfd5393b15389db80ac16ca6dc93ff822bbadf1d35a632cd83ba6b1ebf9f08485a621f4d7a527a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
199B

MD5
c967d8c0fcdfd8a38c4bb1487a9cc7b7

SHA1
59b418dfc4b017580b57ae5e2c9454548b8ae263

SHA256
dde2e0605d1dc6f369758d5ba8ef60a8ee572754db56d382371d17672da445bf

SHA512
82ba79f740189c6873aa0fb18a380ecc750ae9e5eef05376708586f47619ca3ab068d4b4f756a004671a93c23415b1e62f165d9b67d7b5060cbcb5044c769186

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
199B

MD5
fd730d7c7fb02537964f48957094b869

SHA1
24b9aee4c2fa6232d8c81dfeb73f86ae8cf38343

SHA256
a16a0c333d400f7a6568b92ece19d4d94ff76a1c8bbb840050182ac130fd253a

SHA512
100387f0f78d4690e20072862faef90d4a4a956faac8a8a52fb41b88feec55f81d64259ba5b6442229ac6050987d92be8176073bdf835997d0dfb27dcb308816

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

Filesize
199B

MD5
f1819a471e7446f6261353c51edb6ac9

SHA1
a47b1517215c8f5adca0f90d6c386c9130d2b288

SHA256
9bc5c90a7bf7e0ec97732c54308d2e86cb2d00589b8ad1ef30113009c7ec9563

SHA512
e63aab1281f286164099238abf81d36d6b52e618a910bc30766082f5c829404bebe8c16a499c70eb07453ccc2b2b6e7579950dbaa2515fd67099d7e9591ed597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bb12623f25b75198374b5b02620c3157

SHA1
334895d708332b1c07c5c5172675f6357e9bcb98

SHA256
d7f2925bf59b66b99819c548025e32d3c6108b0cd5dda202b364dc17942f4ad1

SHA512
d5f34048989960ce410cbb227c3e1cbecc4c872088c9ca94211417715b879aa4b1f3cc81e405368b241107ca77df9df8a92b4ebddf92122d86d1eae662ae84ff

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/700-74-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/700-73-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/1476-133-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1720-608-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2092-668-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2212-548-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2372-48-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2372-429-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2372-49-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2872-15-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2872-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2872-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2872-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download