dcrat | 4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
Size

1.3MB
MD5

0b3349d9a879fe2f2e40dc2a1358be06
SHA1

b5debbababe208ce0523d6078080a616a738b4b3
SHA256

4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40
SHA512

04cbf123c194179c134e681ae70bfbcce3ec358cf66f057eed3fca561fbcc2fc36fa0f339a10e837b4d43c8452d828855ef1955227944786685efcd862b2c23f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1420	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1420	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1420	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1420	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1420	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1420	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b88-10.dat	dcrat
behavioral2/memory/4392-13-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe
2632	powershell.exe
5084	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 17 IoCs

pid	Process
4392	DllCommonsvc.exe
5020	RuntimeBroker.exe
4348	RuntimeBroker.exe
2316	RuntimeBroker.exe
1680	RuntimeBroker.exe
2860	RuntimeBroker.exe
3400	RuntimeBroker.exe
1944	RuntimeBroker.exe
4708	RuntimeBroker.exe
3172	RuntimeBroker.exe
4692	RuntimeBroker.exe
312	RuntimeBroker.exe
4888	RuntimeBroker.exe
1520	RuntimeBroker.exe
2892	RuntimeBroker.exe
4976	RuntimeBroker.exe
4380	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
49	raw.githubusercontent.com
18	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
16	raw.githubusercontent.com
33	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
58	raw.githubusercontent.com
45	raw.githubusercontent.com
48	raw.githubusercontent.com
57	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1344	schtasks.exe
1492	schtasks.exe
2276	schtasks.exe
4428	schtasks.exe
3448	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4392	DllCommonsvc.exe
2632	powershell.exe
5084	powershell.exe
2632	powershell.exe
4400	powershell.exe
4400	powershell.exe
5084	powershell.exe
5020	RuntimeBroker.exe
4348	RuntimeBroker.exe
2316	RuntimeBroker.exe
1680	RuntimeBroker.exe
2860	RuntimeBroker.exe
3400	RuntimeBroker.exe
1944	RuntimeBroker.exe
4708	RuntimeBroker.exe
3172	RuntimeBroker.exe
4692	RuntimeBroker.exe
312	RuntimeBroker.exe
4888	RuntimeBroker.exe
1520	RuntimeBroker.exe
2892	RuntimeBroker.exe
4976	RuntimeBroker.exe
4380	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	DllCommonsvc.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	5020	RuntimeBroker.exe
Token: SeDebugPrivilege	4348	RuntimeBroker.exe
Token: SeDebugPrivilege	2316	RuntimeBroker.exe
Token: SeDebugPrivilege	1680	RuntimeBroker.exe
Token: SeDebugPrivilege	2860	RuntimeBroker.exe
Token: SeDebugPrivilege	3400	RuntimeBroker.exe
Token: SeDebugPrivilege	1944	RuntimeBroker.exe
Token: SeDebugPrivilege	4708	RuntimeBroker.exe
Token: SeDebugPrivilege	3172	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	312	RuntimeBroker.exe
Token: SeDebugPrivilege	4888	RuntimeBroker.exe
Token: SeDebugPrivilege	1520	RuntimeBroker.exe
Token: SeDebugPrivilege	2892	RuntimeBroker.exe
Token: SeDebugPrivilege	4976	RuntimeBroker.exe
Token: SeDebugPrivilege	4380	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4640	3192	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe	86
PID 3192 wrote to memory of 4640	3192	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe	86
PID 3192 wrote to memory of 4640	3192	JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe	86
PID 4640 wrote to memory of 4776	4640	WScript.exe	88
PID 4640 wrote to memory of 4776	4640	WScript.exe	88
PID 4640 wrote to memory of 4776	4640	WScript.exe	88
PID 4776 wrote to memory of 4392	4776	cmd.exe	90
PID 4776 wrote to memory of 4392	4776	cmd.exe	90
PID 4392 wrote to memory of 4400	4392	DllCommonsvc.exe	99
PID 4392 wrote to memory of 4400	4392	DllCommonsvc.exe	99
PID 4392 wrote to memory of 2632	4392	DllCommonsvc.exe	100
PID 4392 wrote to memory of 2632	4392	DllCommonsvc.exe	100
PID 4392 wrote to memory of 5084	4392	DllCommonsvc.exe	101
PID 4392 wrote to memory of 5084	4392	DllCommonsvc.exe	101
PID 4392 wrote to memory of 5020	4392	DllCommonsvc.exe	104
PID 4392 wrote to memory of 5020	4392	DllCommonsvc.exe	104
PID 5020 wrote to memory of 3144	5020	RuntimeBroker.exe	107
PID 5020 wrote to memory of 3144	5020	RuntimeBroker.exe	107
PID 3144 wrote to memory of 4172	3144	cmd.exe	109
PID 3144 wrote to memory of 4172	3144	cmd.exe	109
PID 3144 wrote to memory of 4348	3144	cmd.exe	111
PID 3144 wrote to memory of 4348	3144	cmd.exe	111
PID 4348 wrote to memory of 1612	4348	RuntimeBroker.exe	113
PID 4348 wrote to memory of 1612	4348	RuntimeBroker.exe	113
PID 1612 wrote to memory of 3424	1612	cmd.exe	115
PID 1612 wrote to memory of 3424	1612	cmd.exe	115
PID 1612 wrote to memory of 2316	1612	cmd.exe	117
PID 1612 wrote to memory of 2316	1612	cmd.exe	117
PID 2316 wrote to memory of 5112	2316	RuntimeBroker.exe	119
PID 2316 wrote to memory of 5112	2316	RuntimeBroker.exe	119
PID 5112 wrote to memory of 4016	5112	cmd.exe	121
PID 5112 wrote to memory of 4016	5112	cmd.exe	121
PID 5112 wrote to memory of 1680	5112	cmd.exe	125
PID 5112 wrote to memory of 1680	5112	cmd.exe	125
PID 1680 wrote to memory of 3952	1680	RuntimeBroker.exe	127
PID 1680 wrote to memory of 3952	1680	RuntimeBroker.exe	127
PID 3952 wrote to memory of 1656	3952	cmd.exe	129
PID 3952 wrote to memory of 1656	3952	cmd.exe	129
PID 3952 wrote to memory of 2860	3952	cmd.exe	138
PID 3952 wrote to memory of 2860	3952	cmd.exe	138
PID 2860 wrote to memory of 3116	2860	RuntimeBroker.exe	144
PID 2860 wrote to memory of 3116	2860	RuntimeBroker.exe	144
PID 3116 wrote to memory of 812	3116	cmd.exe	146
PID 3116 wrote to memory of 812	3116	cmd.exe	146
PID 3116 wrote to memory of 3400	3116	cmd.exe	148
PID 3116 wrote to memory of 3400	3116	cmd.exe	148
PID 3400 wrote to memory of 336	3400	RuntimeBroker.exe	150
PID 3400 wrote to memory of 336	3400	RuntimeBroker.exe	150
PID 336 wrote to memory of 5064	336	cmd.exe	152
PID 336 wrote to memory of 5064	336	cmd.exe	152
PID 336 wrote to memory of 1944	336	cmd.exe	155
PID 336 wrote to memory of 1944	336	cmd.exe	155
PID 1944 wrote to memory of 3804	1944	RuntimeBroker.exe	157
PID 1944 wrote to memory of 3804	1944	RuntimeBroker.exe	157
PID 3804 wrote to memory of 892	3804	cmd.exe	159
PID 3804 wrote to memory of 892	3804	cmd.exe	159
PID 3804 wrote to memory of 4708	3804	cmd.exe	161
PID 3804 wrote to memory of 4708	3804	cmd.exe	161
PID 4708 wrote to memory of 3608	4708	RuntimeBroker.exe	163
PID 4708 wrote to memory of 3608	4708	RuntimeBroker.exe	163
PID 3608 wrote to memory of 2372	3608	cmd.exe	165
PID 3608 wrote to memory of 2372	3608	cmd.exe	165
PID 3608 wrote to memory of 3172	3608	cmd.exe	167
PID 3608 wrote to memory of 3172	3608	cmd.exe	167

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4172
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3424
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4016
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1656
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:812
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5064
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:892
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2372
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        22⤵
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3588
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        24⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4380
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        26⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2812
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        28⤵
        
        PID:4368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4832
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        30⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4392
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        32⤵
        
        PID:5072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3224
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        34⤵
        
        PID:3548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2256
        
        C:\Users\Default\PrintHood\RuntimeBroker.exe
        
        "C:\Users\Default\PrintHood\RuntimeBroker.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6c14b13b09ca3250b8c108b05aa1afb0

SHA1
18e50e6f1f445add8dbfd7441dba50b4d36f42f0

SHA256
a147f4fb3ba4dee9197d7192ce22385e2c5da6987ab044bd2d2d2b7adac71c4a

SHA512
feca9dd078055a76d09290c2e6ff9dae608bdff807fe7e742ea4961a4877f2b5eb3d9d171941dfd0f19cebd1cebed7d35b3d6cbbecfe7ddfda5daf2bb4f85f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
209B

MD5
2b126b72c9b4a9c14bd6a64080fc9627

SHA1
6766a46ab0d9530f8281220fbb264dd2bc48758b

SHA256
8deed79a1e85dd489c39c7446dee79e1f2810df2b1cdf805fc8ed6a88ab240d4

SHA512
9978abcd1e2b256bcd124474f6897de0d96513a3ca0e2b2983b60d63fbfd36877e4098f67ef5e32682404892bbdfe78f4293802b37381876bd3dcd7427fca1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
209B

MD5
8553a1b5acf1f1553000f256c44a8b08

SHA1
7aaae4889380d0e7321f4d50f654d9e2ede76ec5

SHA256
012bead44817f6a1c806b13817de7ae4577ec05147f6eb1cc9b485540f779b10

SHA512
e130962a60d81c7654c357dbad96b2f42f3942d26313670c95568efb9471471d7d6ef89926bd7f8a460e020611e60d72edc636f4a6f8f18de133b8c0ddcb0c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
209B

MD5
ca53a210fa2443a09b42eff89926426e

SHA1
c7aceeb56c4c7abc97e9c31926561e6f423b5323

SHA256
451826e658028b8a6f465f529e47f994202e22470f43ea482676356f9261bcf4

SHA512
1ab16fb0ff6f5c1180d525ce90a9f05a2ef3a20be1181c8ab1c4aa0f7a60736bc4302f16751a3eff55937e3bee44c0d4a97b6070ff931846663abaaa6986bb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
209B

MD5
3e54ed484d650895af7a3ee9d89524db

SHA1
5732f792868364e5e539f4c9fa7e2456a15bdc13

SHA256
42050e5fc61210dbf22346c09d3e3f1d7490cc1ddb11ffd2f970045003f20e71

SHA512
51cc2e98a333e8027f6d6e4a7a09c392a3adb170cde56e2acf36cf1b0d476e82c33574b0d05e856e51aa1c41b707676192a9184fe9a95eecddf6b9dda10f3977

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
209B

MD5
097082cd1fcb406223acb072d34a0bcb

SHA1
7d09fda7110d758643c5a6f898d2a2934e0de952

SHA256
96e818034bb8acda91e5b2fbf31076c123137cd1bd41a789a3b454b2dabcf644

SHA512
ffcb7ed84d1874f20f809a647ff2052dddde0e50b43dce5b9b36cb5e48de6140a50eee4b3d6edc8b5e1cf598f4ab8edc11a8bf2b13aa0f4bc152b16d9d3edc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
209B

MD5
f67be7daed598ef982bb425d33653381

SHA1
753d227d10c49fdc7d15168e53a9d7864f2aa23c

SHA256
5ee9fa825c025e5781202256858df06a8b292323d153e855d38a07f2bd73955a

SHA512
399cf0e8c6b0f468ac48201552053d39098a241ce16d95f22e9eca27d9264fb7c54889243dcc40bb1a59d8af8d22fb05369ebc2d40708e042595ce2ca6d9d622

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
209B

MD5
449428df9dbdaeefa7770933f378a6ea

SHA1
5ebb93b16a92c8a2d95594fc667cfc7f715a2d88

SHA256
2b4ca6b1178cc7ba3180bebaf26eb425cea50042b5fd14318b1d1fc4920792d5

SHA512
4c3f64dea05db3affd31ac0f08daddf502b5b20cd349764e2c2ed4c6035427592e971b9090e6e65b956dfc2939d62b82d7ce2b373a272d661a3b41200569a860

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zdiwrkh.ivb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
209B

MD5
290de74fe383baa7d2cea855abfaa09b

SHA1
8571c10efd6891d870098f56142c6fcca3f0b32b

SHA256
b42a2c8e48b41b62ef2dbbae3c972ace920ff66de9119944ae7d563c7ab085b3

SHA512
ef898ca062b0f19b8fcc985837885c3d86984fde7480b4fa36b799c433d8aea899c5a5bb99243d27041f51d67d11a98cdb72be94bb55e96cd407725e95421ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
209B

MD5
c273fa3e96a81570a471030b87257f9c

SHA1
1a82bc5b08506e2cfae59d14aba5cdd4a1dfe5eb

SHA256
4761adc3e833c2d317c92d22145805964655637ea0980fc82ea9c730ce11c7a6

SHA512
e0cda6fbf871d02be6b7516b514d80961ad6bf50547514ce2a2546291e1622158b3dbce01be5c555d003c3a34d33abdc3654cacfb1f72c1b4d43a8ab11def28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
209B

MD5
2f61d9b6390a7d7798d49cee53a3734d

SHA1
6ef4abae43ce64d9890dcc0dc19ccb27c4eee2fd

SHA256
e63f2f73626bea5b53dd2d7816c6aa588f7b6451ea3fa283a196a35bf26df960

SHA512
2cbf1cf772b6daca65cdf5b3432674c737f5384873fdcfcc48735c5cd8237dfe5e18fa22aa1d4d98901de366b6ee4c11fff6bc6c4a8cca05be18c7b6a834f63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
209B

MD5
3ddc96d8b13be779c942ec489ffca063

SHA1
31e0a5ffa09100dfeef44372d9d5a469b0b4ad88

SHA256
e23509b127e865b71768ef383a180533d7c0373a017f9c2e2bcc6b202d1e6ac0

SHA512
cd8c628e3197582f9d09a4fd081345fd02cfd76938dc2d06dfb305f3304f410ecbea3831099d148b0b9261c88ae6e0643556a57ecaee94d82d4a28c1751cf25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
209B

MD5
b80d4e5b233ed573091491df6767d631

SHA1
899d5fef745ba9ba57f8b0bee1e31a0ac9c304f4

SHA256
7bfb8a038efeab84159fd9a55fb903b9cbb5259bd5785d8c8621bc84cc623bf4

SHA512
4a81f2fb788f1c090dae7a9ccd9315db8c3c11d8bd1358b5e60c4a9cdd42660e7ab682dad3208b0a03638b2600de9331417b389b8ba7f7c905cf513d803ba83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat

Filesize
209B

MD5
ec2002c909af3cfd83e980fd85615b00

SHA1
2d9c656144902caada62f751ab99defee3612439

SHA256
31afe24ee5e7f4aabcffb2af1e13d563f0a02b0a61851bed6f58826eeaae7083

SHA512
9b565f71fe3ad34b43dcf83dc5b17178aa68780bb37c3964ff35f1ac19a9dde5b155ce083bc8ad6393b5eff644b2b81ca1fa312baa25fdb718c277b29606b422

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat

Filesize
209B

MD5
f8865d20b80732b301c86b43fafb587d

SHA1
7fce6a9f9bee2b4193c71075106395fedbc40d6b

SHA256
e655d8a256bfced6c4b7fa03fb8050912ab2e689ef632f7f67f550a448a153df

SHA512
ffa681eb2433c936d5ce330d0d2a043074444ec29c0ebf0581f13c2c186149c1900d5f49ff07b60f2d92807d28329156a4623cb0086223bad36f2c287028eeaa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1944-110-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/2316-84-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/2632-39-0x000001E830010000-0x000001E830032000-memory.dmp

Filesize
136KB

Download
memory/3172-123-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/3400-103-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4392-17-0x000000001BC60000-0x000000001BC6C000-memory.dmp

Filesize
48KB

Download
memory/4392-16-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/4392-15-0x000000001BC70000-0x000000001BC7C000-memory.dmp

Filesize
48KB

Download
memory/4392-14-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/4392-13-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/4392-12-0x00007FFCFB383000-0x00007FFCFB385000-memory.dmp

Filesize
8KB

Download
memory/4888-142-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/4976-161-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/5020-62-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download